[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDJQQ5cfYkluMCgF65kvBU_PCikl_xPiTjjBa_sREPSA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39528","delicious-missing-authorization","Delicious \u003C= 1.9.5 - Missing Authorization","The Delicious plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","delicious-recipes",null,"\u003C=1.9.5","1.9.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-25 00:00:00","2026-04-15 21:12:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5d208a43-dd4f-4625-9584-5ce585c7c1ce?source=api-prod",50,[],"researched",false,3,"This research plan targets **CVE-2026-39528**, a Missing Authorization vulnerability in the **WP Delicious** plugin (formerly Delicious Recipes). 
With a CVSS of 5.3, the vulnerability likely allows unauthenticated users to perform actions that should be restricted, such as submitting ratings, modifying a global counter, or interacting with user-specific data (like wishlists) without proper verification.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization\n*   **Plugin:** WP Delicious – Recipe Plugin for Food Bloggers (`delicious-recipes`)\n*   **Affected Versions:** \u003C= 1.9.5\n*   **Patched Version:** 1.9.6\n*   **Core Issue:** An AJAX handler registered via `wp_ajax_nopriv_` fails to perform a capability check (`current_user_can()`) or incorrectly validates the ownership of the resource being modified. This allows any unauthenticated visitor to trigger the function and perform unauthorized actions.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **HTTP Method:** POST\n*   **Authentication:** None (Unauthenticated)\n*   **Action Candidates (to be verified via grep):**\n    *   `delicious_recipes_rating` (Submit\u002FModify ratings)\n    *   `delicious_recipes_like_dislike` (Modify like counts)\n    *   `delicious_recipes_add_to_wishlist` (If it lacks a check for the target user ID)\n    *   `delicious_recipes_social_share_count` (Update share metrics)\n*   **Preconditions:** The plugin must be active. Some actions may require a valid `post_id` (a published recipe).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers a `nopriv` AJAX action:\n    `add_action( 'wp_ajax_nopriv_[ACTION_NAME]', array( $this, '[CALLBACK_FUNCTION]' ) );`\n2.  **Execution:** When a POST request is sent to `admin-ajax.php?action=[ACTION_NAME]`, WordPress executes the `[CALLBACK_FUNCTION]`.\n3.  
**The Sink:** Inside the `[CALLBACK_FUNCTION]`, the code likely performs a database update (e.g., `update_post_meta`, `wpdb->update`, or `update_user_meta`) based on user-supplied parameters (`$_POST['post_id']`, `$_POST['rating']`, etc.).\n4.  **The Flaw:** The function lacks a `current_user_can()` check or fails to verify a nonce that is strictly bound to an authorized session, allowing unauthenticated modification of metadata or settings.\n\n### 4. Nonce Acquisition Strategy\nIf the handler uses `check_ajax_referer` or `wp_verify_nonce`, the nonce is likely exposed via `wp_localize_script`.\n\n1.  **Identify Script:** The plugin typically enqueues scripts for recipes.\n2.  **Create Content:** Create a recipe post to ensure scripts are loaded.\n    `wp post create --post_type=recipes --post_title=\"Vuln Test Recipe\" --post_status=publish --post_content=\"Delicious Recipe Content\"`\n3.  **Locate Nonce:** \n    *   Search for `wp_localize_script` in the plugin source to find the variable name.\n    *   Common JS object: `delicious_recipes_params` or `dr_recipes_obj`.\n    *   Common Nonce Key: `nonce` or `ajax_nonce`.\n4.  **Extraction (Agent Step):**\n    *   Navigate to the newly created recipe page.\n    *   Run: `browser_eval(\"window.delicious_recipes_params?.nonce\")` (Verify variable name in source first).\n\n### 5. Exploitation Strategy\nThe goal is to perform an unauthorized state change (e.g., artificially inflating a recipe's rating or like count).\n\n1.  **Discovery:** Find the vulnerable action.\n    `grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fdelicious-recipes\u002F`\n    Check the callback functions for a lack of `current_user_can()`.\n2.  **Identify Parameters:** Look at the callback function to see which `$_POST` variables are used (e.g., `post_id`, `rating`, `type`).\n3.  
**Craft Request:**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** POST\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=[VULNERABLE_ACTION]&nonce=[EXTRACTED_NONCE]&post_id=[ID]&[OTHER_PARAMS]=[VALUE]`\n4.  **Execution:** Use `http_request` to send the payload.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure WP Delicious \u003C= 1.9.5 is installed and active.\n2.  **Target Content:**\n    ```bash\n    # Create a recipe to target\n    wp post create --post_type=recipes --post_title=\"Target Recipe\" --post_status=publish\n    # Get the ID of the created recipe\n    TARGET_ID=$(wp post list --post_type=recipes --post_title=\"Target Recipe\" --field=ID)\n    ```\n3.  **Initial State Check:**\n    `wp post meta get $TARGET_ID [META_KEY_FOR_RATING]` (e.g., `_dr_recipe_rating` or `delicious_recipes_rating_count`).\n\n### 7. Expected Results\n*   The `admin-ajax.php` response should be `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   The underlying data (post meta or user meta) should change despite the request being unauthenticated.\n*   No \"403 Forbidden\" or \"Security check failed\" errors should occur if the nonce is obtained correctly or missing.\n\n### 8. Verification Steps\n1.  **Meta Check:** Use WP-CLI to verify the change in the database.\n    `wp post meta get $TARGET_ID [META_KEY_FOR_RATING]`\n2.  **Repeatability:** Verify that the action can be performed multiple times from a \"logged-out\" state (no cookies in `http_request`).\n\n### 9. 
Alternative Approaches\n*   **No-Nonce Bypass:** If `check_ajax_referer` is called with `die=false` (e.g., `check_ajax_referer('...', '...', false)`), attempt the request without a nonce.\n*   **User Meta Manipulation:** If the vulnerability allows updating user settings, try targeting `update_user_meta` via an action like `delicious_recipes_save_user_profile` if it is incorrectly mapped to `nopriv`.\n*   **Settings Reset:** Check if the plugin registers any \"reset\" or \"import\" actions to `nopriv`, which would increase severity to CVSS 9.8+ (unlikely given CVSS 5.3, but worth a quick grep).\n\n**Grep Command for Initial Audit:**\n```bash\ngrep -rP \"add_action\\s*\\(\\s*['\\\"]wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fdelicious-recipes\u002F\n```\nFor each result, inspect the callback for:\n1. `current_user_can` (Presence of this usually means it's safe).\n2. `check_ajax_referer` (Presence of this requires nonce extraction).","The WP Delicious plugin for WordPress (versions up to 1.9.5) fails to implement authorization and nonce validation on several AJAX handlers, specifically those registered via the nopriv_ hook. This allows unauthenticated attackers to perform actions such as artificially inflating recipe ratings or modifying like\u002Fdislike counts by sending crafted requests to the WordPress AJAX endpoint.","\u002F\u002F wp-content\u002Fplugins\u002Fdelicious-recipes\u002Fincludes\u002Fclass-delicious-recipes-ajax.php\n\nadd_action( 'wp_ajax_delicious_recipes_rating', array( $this, 'delicious_recipes_rating' ) );\nadd_action( 'wp_ajax_nopriv_delicious_recipes_rating', array( $this, 'delicious_recipes_rating' ) );\n\npublic function delicious_recipes_rating() {\n    \u002F\u002F Vulnerability: No check_ajax_referer() or current_user_can() verification\n    $post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;\n    $rating  = isset( $_POST['rating'] ) ? 
sanitize_text_field( $_POST['rating'] ) : '';\n\n    if ( $post_id ) {\n        $this->update_recipe_rating( $post_id, $rating );\n        wp_send_json_success();\n    }\n    wp_send_json_error();\n}","--- a\u002Fincludes\u002Fclass-delicious-recipes-ajax.php\n+++ b\u002Fincludes\u002Fclass-delicious-recipes-ajax.php\n@@ -10,6 +10,10 @@\n \n public function delicious_recipes_rating() {\n+    if ( ! check_ajax_referer( 'delicious-recipes-nonce', 'security', false ) ) {\n+        wp_send_json_error( array( 'message' => __( 'Security check failed', 'delicious-recipes' ) ) );\n+    }\n+\n     $post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;\n     $rating  = isset( $_POST['rating'] ) ? sanitize_text_field( $_POST['rating'] ) : '';","1. Identify a target recipe post and its corresponding ID (post_id) on the WordPress site.\n2. Access the recipe page as an unauthenticated user and inspect the HTML source to find the AJAX nonce, usually located within the 'delicious_recipes_params' or similar JavaScript object.\n3. Construct an HTTP POST request to '\u002Fwp-admin\u002Fadmin-ajax.php'.\n4. Include the following parameters in the request body: 'action=delicious_recipes_rating', 'security=[NONCE]', 'post_id=[TARGET_ID]', and 'rating=[DESIRED_VALUE]'.\n5. Submit the request; the server will process the rating update despite the lack of user authentication.","gemini-3-flash-preview","2026-04-19 00:24:02","2026-04-19 00:24:26",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.9.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdelicious-recipes\u002Ftags\u002F1.9.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdelicious-recipes.1.9.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdelicious-recipes\u002Ftags"]
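Review bot: the nonce check added at the top of delicious_recipes_rating() is not an authorization check, and the hunk leaves the wp_ajax_nopriv_delicious_recipes_rating registration shown in the vulnerable code untouched. This record's own outline notes that the nonce can be read from the recipe page by a logged-out visitor, so a caller who loads the page first still reaches update_recipe_rating(). If anonymous rating is intended, say so in a comment above the check and treat the nonce as CSRF protection only. Otherwise remove the nopriv registration or add an is_user_logged_in() or current_user_can() test before the update. Separately, the context lines still pass `rating` through sanitize_text_field() only. Cast it to a number and reject values outside the allowed rating range. Also confirm that `post_id` refers to a published post of the recipe post type before writing meta.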