[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faRE3O2i0YNKXfW6rNQMB4FQKox7-4tA609MbVazJSMY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-42749","disable-comments-delete-all-comments-missing-authorization","Disable Comments & Delete All Comments \u003C= 1.3.0 - Missing Authorization","The Disable Comments & Delete All Comments plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","comments-plus",null,"\u003C=1.3.0","1.3.1","low",3.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-29 00:00:00","2026-06-02 11:35:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd1213431-a2a7-434a-b479-ac65fbc84820?source=api-prod",4,[22,23,24,25,26,27,28],"CHANGELOG.md","admin\u002Fpages\u002Fclass-page-delete-comments.php","comments-plus.php","libs\u002Ffactory\u002Fpages\u002Fincludes\u002Fadmin-page.class.php","readme.txt","vendor\u002Fautoload.php","vendor\u002Fcodeinwp\u002Fthemeisle-sdk\u002FCHANGELOG.md","researched",false,3,"This plan outlines the steps for a security researcher to demonstrate the Missing Authorization vulnerability in the **Disable Comments & Delete All Comments** plugin (version \u003C= 1.3.0).\n\n### 1. Vulnerability Summary\nThe plugin features a \"Delete Comments\" tool that allows for bulk deletion of comments by post type or status. The logic for processing this deletion is implemented within the `WbcrCmp_DeleteCommentsPage` class (in `admin\u002Fpages\u002Fclass-page-delete-comments.php`). Although the admin page itself is intended for administrators, the underlying request processing logic lacks an explicit capability check (e.g., `current_user_can( 'manage_options' )`). \n\nConsequently, an authenticated user with Subscriber-level permissions can trigger the deletion logic by sending a specifically crafted POST request to the admin area, leading to unauthorized modification of the site's database (loss of comments).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin.php?page=delete_comments-comments-plus`\n*   **Action\u002FTrigger:** A `POST` request containing deletion parameters.\n*   **Required Role:** Subscriber or higher (Authenticated).\n*   **Vulnerable Parameter:** `wbcr_cmp_post_types[]` and a trigger parameter (likely `wbcr_cmp_delete_comments` or `wbcr_cmp_clear_comments`).\n*   **Authentication:** Required (Subscriber credentials).\n*   **Preconditions:** The plugin must be active, and there must be comments present on the site to observe the impact.\n\n### 3. Code Flow\n1.  The plugin registers an admin page via the \"Webcraftic Factory\" framework.\n2.  The class `WbcrCmp_DeleteCommentsPage` (extending `Wbcr_FactoryPages480_AdminPage`) handles the \"Delete Comments\" interface.\n3.  When a request is made to `wp-admin\u002Fadmin.php?page=delete_comments-comments-plus`, the `admin_init` hook (or a framework-specific equivalent) triggers the page's processing logic.\n4.  In version 1.3.0, the logic that processes the `POST` request to delete comments (likely in an `execute()` or `save()` method not fully visible in the snippet but standard for the framework) verifies the CSRF nonce but fails to verify that the user has the necessary administrative capabilities.\n5.  Because `admin_init` runs for all authenticated users (including Subscribers visiting `admin-ajax.php` or the dashboard), the deletion logic executes before WordPress core's page-level capability check blocks access to the UI.\n\n### 4. Nonce Acquisition Strategy\nThe CVSS \"Access Complexity: High\" indicates that a valid WordPress nonce is likely required. Since a Subscriber cannot access the \"Delete Comments\" page directly, they must obtain a nonce from another source.\n\n1.  **Dashboard Widget \u002F Ads:** The plugin registers a dashboard widget and advertisements (`'subscribe_widget' => true`, `'render_adverts' => true`). These components are often rendered for all logged-in users, including Subscribers.\n2.  **JS Localization:** Check for variables registered via `wp_localize_script`.\n3.  **Strategy:** \n    *   Login as a Subscriber.\n    *   Navigate to `wp-admin\u002Findex.php`.\n    *   Use `browser_eval` to search for nonces in the global `window` object or within script tags. \n    *   Target Variable: Look for `wbcr_comments_plus_` or `wbcr_factory` prefixes.\n    *   If no specific nonce is found, attempt the exploit without one or use a nonce from a different Webcraftic plugin component (the framework often uses a generic nonce for admin actions).\n\n### 5. Exploitation Strategy\nPerform the following steps using the `http_request` tool:\n\n1.  **Login:** Authenticate as a Subscriber user.\n2.  **Parameter Identification:** Based on the source code:\n    *   Checkbox names: `wbcr_cmp_post_types[]`\n    *   Post type values: `post`, `page`, `attachment`, etc.\n    *   Success condition: `wbcr_cmp_clear_comments=1` (from `getActionNotices`)\n3.  **Craft Request:**\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin.php?page=delete_comments-comments-plus`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        wbcr_cmp_post_types[]=post&wbcr_cmp_delete_comments=1&wbcr_cmp_clear_comments=1&_wpnonce=[NONCE]\n        ```\n4.  **Execute:** Send the request and observe the response. A successful trigger may redirect or return a success notice (look for `wbcr_cmp_clear_comments=1` in the redirect URL).\n\n### 6. Test Data Setup\n1.  **Create Comments:** Use WP-CLI to create several comments on various posts.\n    *   `wp comment create --comment_post_ID=1 --comment_content=\"Test Comment 1\"`\n    *   `wp comment create --comment_post_ID=1 --comment_content=\"Test Comment 2\"`\n2.  **Create Attacker:** Create a user with the Subscriber role.\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3.  **Verify Setup:** Confirm comments exist using `wp comment list`.\n\n### 7. Expected Results\n*   The `http_request` should return a `302` redirect or a `200 OK` response.\n*   The redirect URL should contain `wbcr_cmp_clear_comments=1`, which the plugin uses to display the success message: `\"All comments have been deleted.\"`\n*   The actual comments in the database for the specified post types should be permanently removed.\n\n### 8. Verification Steps\n1.  **Database Check:** Run `wp comment list` via WP-CLI. If the exploit worked, the list will be empty or missing comments for the targeted post types.\n2.  **UI Check:** Log in as Admin and navigate to **Comments**. Verify that the count is zero or significantly reduced.\n3.  **Log Check:** If possible, check the database query log for `DELETE FROM wp_comments` calls triggered during the Subscriber's session.\n\n### 9. Alternative Approaches\n*   **Action Parameter:** If `wbcr_cmp_delete_comments=1` fails, try variations based on the framework's standard \"save\" triggers, such as `wbcr_factory_480_save_settings=1` or `action=wbcr_comments_plus_delete`.\n*   **Direct Post Types:** Try omitting the `wbcr_cmp_post_types[]` array to see if the plugin defaults to deleting *all* comments when the parameter is missing but the trigger is present.\n*   **Generic Nonce:** If a specific deletion nonce isn't found, try using any nonce generated by the \"Factory\" framework found on the dashboard.","The Disable Comments & Delete All Comments plugin for WordPress is vulnerable to unauthorized comment deletion due to missing capability checks in the WbcrCmp_DeleteCommentsPage class and its underlying admin framework. This allows authenticated attackers with Subscriber-level access to trigger bulk deletion of comments, spam, or trashed items by sending crafted POST requests to the plugin's administrative processing logic.","\u002F\u002F admin\u002Fpages\u002Fclass-page-delete-comments.php around line 386\n\t\u002F**\n\t * This action deletes all comments from the database without restoring.\n\t *\u002F\n\tpublic function deleteAllCommentsAction() {\n\t\tcheck_admin_referer( $this->getResultId() . '_delete_all_comments' );\n\n\t\tif ( isset( $_POST['wbcr_cmp_delete_all'] ) ) {\n\n---\n\n\u002F\u002F admin\u002Fpages\u002Fclass-page-delete-comments.php around line 481\n\t\u002F**\n\t * This action deletes spam comments\n\t *\u002F\n\tpublic function deleteSpamCommentsAction() {\n\t\tcheck_admin_referer( $this->getResultId() . '_delete_spam_comments' );\n\n\t\t$this->deleteComments( 'spam' );\n\t}\n\n---\n\n\u002F\u002F libs\u002Ffactory\u002Fpages\u002Fincludes\u002Fadmin-page.class.php around line 338 in version 1.3.0\n\t\t\t\u002F\u002F makes redirect to the page\n\t\t\t$controller = $this->request->get('fy_page', null, true);\n\n\t\t\tif( !empty($controller) ) {\n\t\t\t\t$this->executeController($controller);\n\t\t\t}\n\n\t\t\t$action = $this->request->get('fy_action', null, true);\n\n\t\t\tif( !empty($action) ) {\n\t\t\t\t$result_id = $this->getResultId();\n\t\t\t\t$this->executeAction($action);\n\t\t\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-plus\u002F1.3.0\u002Fadmin\u002Fpages\u002Fclass-page-delete-comments.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-plus\u002F1.3.1\u002Fadmin\u002Fpages\u002Fclass-page-delete-comments.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-plus\u002F1.3.0\u002Fadmin\u002Fpages\u002Fclass-page-delete-comments.php\t2026-01-12 14:53:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-plus\u002F1.3.1\u002Fadmin\u002Fpages\u002Fclass-page-delete-comments.php\t2026-04-30 11:19:20.000000000 +0000\n@@ -386,6 +386,9 @@\n \t * This action deletes all comments from the database without restoring.\n \t *\u002F\n \tpublic function deleteAllCommentsAction() {\n+\t\tif ( ! current_user_can( $this->capabilitiy ) ) {\n+\t\t\treturn;\n+\t\t}\n \t\tcheck_admin_referer( $this->getResultId() . '_delete_all_comments' );\n \n \t\tif ( isset( $_POST['wbcr_cmp_delete_all'] ) ) {\n@@ -481,6 +484,9 @@\n \t * This action deletes spam comments\n \t *\u002F\n \tpublic function deleteSpamCommentsAction() {\n+\t\tif ( ! current_user_can( $this->capabilitiy ) ) {\n+\t\t\treturn;\n+\t\t}\n \t\tcheck_admin_referer( $this->getResultId() . '_delete_spam_comments' );\n \n \t\t$this->deleteComments( 'spam' );\n@@ -490,6 +496,9 @@\n \t * This action deletes unaproved comments\n \t *\u002F\n \tpublic function deleteUnaprovedCommentsAction() {\n+\t\tif ( ! current_user_can( $this->capabilitiy ) ) {\n+\t\t\treturn;\n+\t\t}\n \t\tcheck_admin_referer( $this->getResultId() . '_delete_unaproved_comments' );\n \n \t\t$this->deleteComments();\n@@ -499,6 +508,9 @@\n \t * This action deletes trash comments\n \t *\u002F\n \tpublic function deleteTrashCommentsAction() {\n+\t\tif ( ! current_user_can( $this->capabilitiy ) ) {\n+\t\t\treturn;\n+\t\t}\n \t\tcheck_admin_referer( $this->getResultId() . '_delete_trash_comments' );\n \n \t\t$this->deleteComments( 'trash' );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-plus\u002F1.3.0\u002Flibs\u002Ffactory\u002Fpages\u002Fincludes\u002Fadmin-page.class.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-plus\u002F1.3.1\u002Flibs\u002Ffactory\u002Fpages\u002Fincludes\u002Fadmin-page.class.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-plus\u002F1.3.0\u002Flibs\u002Ffactory\u002Fpages\u002Fincludes\u002Fadmin-page.class.php\t2024-12-10 00:10:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomments-plus\u002F1.3.1\u002Flibs\u002Ffactory\u002Fpages\u002Fincludes\u002Fadmin-page.class.php\t2026-04-30 11:19:20.000000000 +0000\n@@ -338,6 +338,27 @@\n \t\t\t\t$this->menu_post_type = null;\n \t\t\t}\n \n+\t\t\t\u002F\u002F if this page for a custom menu page\n+\t\t\tif( $this->menu_post_type ) {\n+\t\t\t\t$this->menu_target = 'edit.php?post_type=' . $this->menu_post_type;\n+\n+\t\t\t\tif( empty($this->capabilitiy) ) {\n+\t\t\t\t\t$post_type_object = get_post_type_object($this->menu_post_type);\n+\n+ \t\t\t\t\tif( $post_type_object && isset( $post_type_object->cap ) && ! empty( $post_type_object->cap->edit_posts ) ) {\n+ \t\t\t\t\t\t$this->capabilitiy = $post_type_object->cap->edit_posts;\n+ \t\t\t\t\t}\n+\t\t\t\t}\n+\t\t\t}\n+\n+\t\t\t\u002F\u002F sets default capabilities\n+\t\t\tif( empty($this->capabilitiy) ) {\n+\t\t\t\t$this->capabilitiy = 'manage_options';\n+\t\t\t}\n+\n+\t\t\tif ( ! current_user_can( $this->capabilitiy ) ) {\n+\t\t\t\treturn;\n+\t\t\t}\n \t\t\t\u002F\u002F makes redirect to the page\n \t\t\t$controller = $this->request->get('fy_page', null, true);","The exploit methodology involves bypassing intended administrative restrictions by exploiting missing capability checks in the plugin's action processing logic. \n\n1. Authentication: An attacker must be authenticated with at least Subscriber-level privileges.\n2. Nonce Acquisition: The attacker must obtain a valid WordPress nonce for the deletion actions (e.g., `delete_comments-comments-plus_delete_all_comments`). These nonces are frequently leaked in the WordPress dashboard source code due to the plugin's dashboard widgets and script localizations.\n3. Payload Construction: The attacker crafts a POST request to `wp-admin\u002Fadmin.php?page=delete_comments-comments-plus` containing the trigger parameters for deletion (such as `wbcr_cmp_delete_all=1` or `wbcr_cmp_post_types[]=post`) and the retrieved nonce.\n4. Execution: Because the plugin's backend logic in `WbcrCmp_DeleteCommentsPage` executes before capability checks and does not perform its own `current_user_can()` validation, the server processes the deletion request regardless of the user's role, resulting in unauthorized data loss.","gemini-3-flash-preview","2026-06-04 15:21:04","2026-06-04 15:22:09",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomments-plus\u002Ftags\u002F1.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomments-plus.1.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomments-plus\u002Ftags\u002F1.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomments-plus.1.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomments-plus\u002Ftags"]