[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFKhEGlo5LEeoJDV93ZhGnuucAYAURzkzDFZX7XB5XAA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39680","diet-calorie-calculator-missing-authorization","Diet Calorie Calculator \u003C= 1.1.1 - Missing Authorization","The Diet Calorie Calculator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","diet-calorie-calculator",null,"\u003C=1.1.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-21 00:00:00","2026-04-15 21:28:48",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3bd5652e-1c26-4952-9119-1d7f7eff7d55?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to identify and exploit the Missing Authorization vulnerability in the **Diet Calorie Calculator** plugin (\u003C= 1.1.1).\n\n---\n\n### 1. Vulnerability Summary\nThe **Diet Calorie Calculator** plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in an action handler. In versions up to and including 1.1.1, certain functions—likely those associated with saving calculator data, updating user diet profiles, or modifying plugin settings—are registered via hooks (such as `wp_ajax_nopriv_` or `admin_init`) without verifying if the requesting user has the necessary permissions (`current_user_can()`). This allows unauthenticated attackers to perform actions that should be restricted to administrators or specific users.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (most likely) or a general `init`\u002F`admin_init` hook listener.\n*   **Action Name (Inferred):** Likely patterns include `dcc_save_data`, `save_diet_calculator_settings`, or `diet_calorie_calculator_save`.\n*   **Payload Parameter:** `$_POST` parameters corresponding to plugin settings or user data.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. If the vulnerability is in an AJAX handler, a nonce might be required, though many plugins with missing authorization also lack proper nonce verification.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers a handler for an AJAX action:\n    `add_action('wp_ajax_nopriv_VULNERABLE_ACTION', 'vulnerable_function_name');`\n    `add_action('wp_ajax_VULNERABLE_ACTION', 'vulnerable_function_name');`\n2.  **Trigger:** An HTTP POST request is sent to `admin-ajax.php` with `action=VULNERABLE_ACTION`.\n3.  **Missing Check:** Inside `vulnerable_function_name()`, the code fails to call `current_user_can('manage_options')` or a similar authorization check.\n4.  **Sink:** The function proceeds to execute a privileged operation, such as:\n    *   `update_option('dcc_settings', ...)`\n    *   `$wpdb->insert(...)` into a custom plugin table.\n    *   `wp_insert_post(...)` to create diet plans.\n\n### 4. Nonce Acquisition Strategy\nIf the handler performs a `check_ajax_referer` or `wp_verify_nonce` check, we must extract the nonce from the frontend.\n\n1.  **Identify Shortcode:** Search the plugin code for `add_shortcode`.\n    *   *Likely Shortcode:* `[diet-calorie-calculator]` (inferred).\n2.  **Create Trigger Page:** Create a public page containing this shortcode to force the plugin to load its scripts and nonces.\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Calculator\" --post_content='[diet-calorie-calculator]'`\n3.  **Extract Nonce via Browser:**\n    *   Navigate to the newly created page.\n    *   Search the source code for `wp_localize_script` data.\n    *   *Common JS Variable (Inferred):* `window.dcc_ajax_obj` or `window.diet_calc_vars`.\n    *   *Command:* `browser_eval(\"window.diet_calc_vars?.nonce\")` (Replace with actual variable found during discovery).\n\n### 5. Exploitation Strategy\nOnce the vulnerable action and necessary parameters are identified:\n\n1.  **Discovery Phase:**\n    *   Grep the plugin directory for `wp_ajax_nopriv` to find potential unauthenticated actions.\n    *   Check for `current_user_can` calls within those functions.\n    *   Identify parameters used in `update_option` or database queries.\n2.  **Execution Phase:**\n    *   Use the `http_request` tool to send a POST request to the AJAX endpoint.\n    *   **Payload Example (Inferred):**\n        ```http\n        POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n        Content-Type: application\u002Fx-www-form-urlencoded\n\n        action=VULNERABLE_ACTION&nonce=EXTRACTED_NONCE&option_name=default_role&option_value=administrator\n        ```\n    *   *Note:* If the vulnerability allows updating arbitrary options, targeting `users_can_register` and `default_role` is a common path to privilege escalation. If it only affects plugin-specific settings, target a setting that could lead to XSS (e.g., a \"footer text\" or \"calculator label\" setting).\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `diet-calorie-calculator` version 1.1.1 is installed.\n2.  **Page Creation:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_content='[diet-calorie-calculator]'\n    ```\n3.  **Baseline Check:** Verify current plugin settings or system settings:\n    ```bash\n    wp option get users_can_register\n    ```\n\n### 7. Expected Results\n*   **Success:** The server returns a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **Impact:** The targeted setting or data is modified in the database without the attacker ever providing administrator credentials.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to confirm the change.\n    *   If settings were targeted: `wp option get \u003Cplugin_setting_name>`\n    *   If user data was targeted: `wp db query \"SELECT * FROM wp_diet_data_table\"` (using the actual table name).\n2.  **UI Check:** Navigate to the plugin settings page in the WordPress admin dashboard to see if the values have changed.\n\n### 9. Alternative Approaches\n*   **Admin Init Bypass:** If no AJAX actions are found, check for functions hooked to `admin_init`. If they process `$_POST` without a capability check, they can be triggered by any user (even unauthenticated) by visiting `\u002Fwp-admin\u002Fadmin-ajax.php` (as `admin_init` fires on that endpoint).\n*   **Parameter Fuzzing:** If the logic for saving settings is found but the parameters are unclear, fuzz the `$_POST` keys based on the names found in the plugin's settings form HTML. Look for `name=\"settings[some_val]\"` in the source code.","The Diet Calorie Calculator plugin for WordPress is vulnerable to unauthorized access in versions up to 1.1.1 due to missing capability checks on functions registered via AJAX or administrative hooks. This allows unauthenticated attackers to perform privileged actions, such as modifying plugin settings or diet-related data, by sending requests to the admin-ajax.php endpoint.","The exploit methodology involves identifying an unauthenticated AJAX action registered by the plugin (likely using the 'wp_ajax_nopriv_' hook) that performs sensitive operations without a call to current_user_can(). \n\n1. Search the plugin code for hooks like 'wp_ajax_nopriv_' associated with data saving (e.g., dcc_save_data).\n2. Locate a public page where the [diet-calorie-calculator] shortcode is present and extract any necessary nonces from the localized JavaScript variables (e.g., in window.diet_calc_vars).\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter and the target payload containing modified settings or data.\n4. If the plugin uses an admin_init hook without authorization checks, the same result can be achieved by an unauthenticated user hitting the AJAX endpoint, as admin_init fires on that route.","gemini-3-flash-preview","2026-04-19 01:49:53","2026-04-19 01:50:09",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdiet-calorie-calculator\u002Ftags"]