[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7TWIi0UNl-OU-6OUNBooSqmTr3jw10x7F60w9hAtnD4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-39535","display-eventbrite-events-missing-authorization","Display Eventbrite Events \u003C= 6.5.6 - Missing Authorization","The Display Eventbrite Events plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.5.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","widget-for-eventbrite-api",null,"\u003C=6.5.6","6.5.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-04-15 21:13:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1cc8c6f2-c38c-4e41-8c16-bb18fc5755bd?source=api-prod",57,[22,23,24,25,26,27],"changelog.txt","includes\u002Fclass-core.php","includes\u002Fvendor\u002Fcomposer\u002Finstalled.php","includes\u002Fwidgets\u002Felementor\u002Fclass-eventbrite-widget-elementor-helpers.php","readme.txt","widget-for-eventbrite-api.php","researched",false,3,"### 1. Vulnerability Summary\nThe **Display Eventbrite Events** plugin for WordPress (versions \u003C= 6.5.6) is vulnerable to **Missing Authorization** in its AJAX handlers. Specifically, several AJAX actions registered with the `wp_ajax_nopriv_` hook (intended for unauthenticated users) fail to perform any capability checks or nonce verification. This allows unauthenticated attackers to invoke functions that interact with the Eventbrite API using the site's configured credentials, potentially exposing sensitive account information (organizations, events, organizers) or performing unauthorized API requests.\n\nThe vulnerability resides in the `WidgetForEventbriteAPI\\Includes\\Widgets\\Elementor\\Eventbrite_Widget_Elementor_Helpers` class, where handlers like `get_organizations_for_key` and `send_events_for_key` explicitly ignore nonce verification and lack `current_user_can()` checks.\n\n### 2. Attack Vector Analysis\n* **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Actions**: `fetch_organizations_for_key`, `send_events_for_key`, `update_widget_content`.\n* **Payload Parameters**:\n * `action`: The AJAX action name.\n * `token`: An index (e.g., `0`) corresponding to a stored API key, or a raw API token.\n * `organizationID`: (For events) The Eventbrite organization ID.\n* **Authentication**: None required (`wp_ajax_nopriv_` hooks are used).\n* **Preconditions**: The plugin must have at least one Eventbrite API key configured in its settings (stored in the `widget-for-eventbrite-api-settings` option).\n\n### 3. Code Flow\n1. **Entry Point**: An unauthenticated request is sent to `admin-ajax.php` with `action=fetch_organizations_for_key`.\n2. **Hook Registration**: In `includes\u002Fclass-core.php` (inside `define_admin_hooks` or `define_component_hooks`), the plugin registers:\n ```php\n add_action( 'wp_ajax_nopriv_fetch_organizations_for_key', array($widget_helpers, 'get_organizations_for_key') );\n ```\n3. **Vulnerable Handler**: The request is routed to `WidgetForEventbriteAPI\\Includes\\Widgets\\Elementor\\Eventbrite_Widget_Elementor_Helpers::get_organizations_for_key()`.\n4. **Processing**:\n * The handler retrieves the `token` from `$_POST`.\n * It explicitly skips nonce verification: `\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up`.\n * It calls `$this->utilities->map_api_index_to_key( $token )`. If `token` is `0`, it retrieves the first API key stored in the plugin's settings.\n * It then calls `get_organizations_list($token)`, which makes a remote request to the Eventbrite API using the server's key.\n5. **Sink**: The result (organization data) is returned directly to the unauthenticated user via `wp_send_json()`.\n\n### 4. Nonce Acquisition Strategy\nAccording to the source code in `includes\u002Fwidgets\u002Felementor\u002Fclass-eventbrite-widget-elementor-helpers.php`, the functions `get_organizations_for_key` and `send_events_for_key` **do not require a nonce**.\n\nThe developer explicitly included `\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing` in these methods, confirming that the security check is absent by design. Therefore, no nonce acquisition is necessary for exploitation.\n\n### 5. Exploitation Strategy\nWe will demonstrate the unauthorized access by retrieving the organization list associated with the site's configured Eventbrite API key.\n\n**Step 1: Retrieve Organizations**\n* **Tool**: `http_request`\n* **Method**: `POST`\n* **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body**: `action=fetch_organizations_for_key&token=0`\n* **Expected Response**: A JSON array of organization objects.\n\n**Step 2: Retrieve Events (if Organization ID is found)**\n* **Tool**: `http_request`\n* **Method**: `POST`\n* **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body**: `action=send_events_for_key&token=0&organizationID=[ID_FROM_STEP_1]`\n* **Expected Response**: A JSON object mapping Eventbrite event IDs to titles.\n\n### 6. Test Data Setup\nTo simulate a vulnerable environment, we must configure a mock API key in the plugin settings via WP-CLI:\n\n```bash\n# Set a dummy API key in the plugin settings option\nwp option update widget-for-eventbrite-api-settings '{\"key\":[{\"key\":\"THIS_IS_A_MOCK_KEY\",\"label\":\"API Key 1\"}],\"webhook\":\"\",\"background_api\":0}' --format=json\n```\n\n### 7. Expected Results\n* **Success**: The response from `fetch_organizations_for_key` will be a JSON response. If the key is valid, it returns Eventbrite data. If the key is dummy\u002Finvalid, the fact that the plugin *attempts* the API call and returns an Eventbrite error (e.g., `401 Unauthorized` or `ARGUMENTS_ERROR`) instead of a WordPress `403 Forbidden` confirms the missing authorization check.\n* **Failure**: The server returns a `403 Forbidden` or `0` (default WordPress AJAX response for invalid actions).\n\n### 8. Verification Steps\nAfter performing the HTTP request, verify that the plugin indeed attempted to use the server-side credentials:\n1. Check the response body for strings like `\"organizations\"` or Eventbrite-specific error messages (`\"error\": \"INVALID_AUTH\"`).\n2. Use WP-CLI to confirm the action was registered as `nopriv`:\n ```bash\n wp eval 'global $wp_filter; print_r($wp_filter[\"wp_ajax_nopriv_fetch_organizations_for_key\"]);'\n ```\n\n### 9. Alternative Approaches\nIf `fetch_organizations_for_key` is patched or restricted, try `update_widget_content`:\n* **Action**: `update_widget_content`\n* **Payload**: `action=update_widget_content&[other_params]`\n* **Note**: This action is used by the Elementor widget to refresh content. Triggering it unauthenticated can be used to perform unauthorized cache refreshes or potentially manipulate widget displays depending on the (truncated) implementation of `update_elementor_widget_content`.","The Display Eventbrite Events plugin for WordPress is vulnerable to unauthorized access and information disclosure due to missing capability checks and nonce verification on several AJAX handlers. Unauthenticated attackers can exploit this to leak sensitive Eventbrite account data, such as organization IDs, organizer lists, and venue information, by leveraging the site's stored API credentials.","\u002F\u002F includes\u002Fclass-core.php\n add_action( 'wp_ajax_update_widget_content', array($widget_helpers, 'update_elementor_widget_content') );\n add_action( 'wp_ajax_nopriv_update_widget_content', array($widget_helpers, 'update_elementor_widget_content') );\n add_action( 'wp_ajax_fetch_organizations_for_key', array($widget_helpers, 'get_organizations_for_key') );\n add_action( 'wp_ajax_nopriv_fetch_organizations_for_key', array($widget_helpers, 'get_organizations_for_key') );\n add_action( 'wp_ajax_fetch_events_for_key', array($widget_helpers, 'send_events_for_key') );\n add_action( 'wp_ajax_nopriv_fetch_events_for_key', array($widget_helpers, 'send_events_for_key') );\n\n---\n\n\u002F\u002F includes\u002Fwidgets\u002Felementor\u002Fclass-eventbrite-widget-elementor-helpers.php\n public function get_organizations_for_key() {\n \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up\n $token = ( !empty( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '' );\n $token = $this->utilities->map_api_index_to_key( $token );\n wp_send_json( $this->get_organizations_list( $token ) );\n }\n\n public function send_events_for_key() {\n \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up\n $token = ( !empty( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : $this->get_default_api_key() );\n $token = $this->utilities->map_api_index_to_key( $token );\n $args = array(\n 'token' => $token,\n );\n \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up\n if ( !empty( $_POST['organizationID'] ) ) {\n \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up\n $args['organization_id'] = sanitize_text_field( wp_unslash( $_POST['organizationID'] ) );\n }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwidget-for-eventbrite-api\u002F6.5.6\u002Fincludes\u002Fclass-core.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwidget-for-eventbrite-api\u002F6.5.7\u002Fincludes\u002Fclass-core.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwidget-for-eventbrite-api\u002F6.5.6\u002Fincludes\u002Fclass-core.php\t2026-01-23 14:06:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwidget-for-eventbrite-api\u002F6.5.7\u002Fincludes\u002Fclass-core.php\t2026-01-27 16:05:38.000000000 +0000\n@@ -170,19 +170,12 @@\n add_action( 'wp_ajax_wfea_dismiss_notice', array($plugin_admin, 'wfea_dismiss_notice') );\n add_filter( 'site_status_tests', array($plugin_admin, 'site_status_tests') );\n add_action( 'wp_ajax_update_widget_content', array($widget_helpers, 'update_elementor_widget_content') );\n- add_action( 'wp_ajax_nopriv_update_widget_content', array($widget_helpers, 'update_elementor_widget_content') );\n add_action( 'wp_ajax_fetch_organizations_for_key', array($widget_helpers, 'get_organizations_for_key') );\n- add_action( 'wp_ajax_nopriv_fetch_organizations_for_key', array($widget_helpers, 'get_organizations_for_key') );\n add_action( 'wp_ajax_fetch_events_for_key', array($widget_helpers, 'send_events_for_key') );\n- add_action( 'wp_ajax_nopriv_fetch_events_for_key', array($widget_helpers, 'send_events_for_key') );\n add_action( 'wp_ajax_fetch_organizers_for_key', array($widget_helpers, 'send_organizers_for_key') );\n- add_action( 'wp_ajax_nopriv_fetch_organizers_for_key', array($widget_helpers, 'send_organizers_for_key') );\n add_action( 'wp_ajax_fetch_venues_options', array($widget_helpers, 'send_venues_options') );\n- add_action( 'wp_ajax_nopriv_fetch_venues_options', array($widget_helpers, 'send_venues_options') );\n add_action( 'wp_ajax_fetch_api_key_options', array($widget_helpers, 'send_api_key_options') );\n- add_action( 'wp_ajax_nopriv_fetch_api_key_options', array($widget_helpers, 'send_api_key_options') );\n add_action( 'wp_ajax_validate_date', array($widget_helpers, 'validate_date') );\n- add_action( 'wp_ajax_nopriv_validate_date', array($widget_helpers, 'validate_date') );\n add_action( 'init', function () {\n new \\WidgetForEventbriteAPI\\Includes\\Widgets();\n } );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwidget-for-eventbrite-api\u002F6.5.6\u002Fincludes\u002Fwidgets\u002Felementor\u002Fclass-eventbrite-widget-elementor-helpers.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwidget-for-eventbrite-api\u002F6.5.7\u002Fincludes\u002Fwidgets\u002Felementor\u002Fclass-eventbrite-widget-elementor-helpers.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwidget-for-eventbrite-api\u002F6.5.6\u002Fincludes\u002Fwidgets\u002Felementor\u002Fclass-eventbrite-widget-elementor-helpers.php\t2025-04-15 22:40:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwidget-for-eventbrite-api\u002F6.5.7\u002Fincludes\u002Fwidgets\u002Felementor\u002Fclass-eventbrite-widget-elementor-helpers.php\t2026-01-27 16:05:38.000000000 +0000\n@@ -191,34 +191,28 @@\n }\n \n public function get_organizations_for_key() {\n- \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up\n+ check_ajax_referer( 'wfea-nonce', 'nonce' );\n+ if ( !current_user_can( 'edit_posts' ) ) {\n+ wp_die( -1 );\n+ }\n $token = ( !empty( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '' );\n $token = $this->utilities->map_api_index_to_key( $token );\n wp_send_json( $this->get_organizations_list( $token ) );\n }\n \n public function send_events_for_key() {\n- \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up\n+ check_ajax_referer( 'wfea-nonce', 'nonce' );\n+ if ( !current_user_can( 'edit_posts' ) ) {\n+ wp_die( -1 );\n+ }\n $token = ( !empty( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : $this->get_default_api_key() );\n $token = $this->utilities->map_api_index_to_key( $token );\n $args = array(\n 'token' => $token,\n );\n- \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up\n if ( !empty( $_POST['organizationID'] ) ) {\n- \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- just a look up\n $args['organization_id'] = sanitize_text_field( wp_unslash( $_POST['organizationID'] ) );\n }","To exploit this vulnerability, an unauthenticated attacker can send a POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to one of the vulnerable functions, such as 'fetch_organizations_for_key'. By providing a 'token' parameter (where '0' usually maps to the primary stored API key), the attacker can force the server to execute an API request to Eventbrite and return the JSON response containing sensitive organization and account data. No authentication or nonce is required as the plugin registers these actions using the 'wp_ajax_nopriv_' hook and explicitly skips nonce validation in the handler code.","gemini-3-flash-preview","2026-04-19 04:53:43","2026-04-19 04:54:19",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","6.5.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-for-eventbrite-api\u002Ftags\u002F6.5.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwidget-for-eventbrite-api.6.5.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-for-eventbrite-api\u002Ftags\u002F6.5.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwidget-for-eventbrite-api.6.5.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-for-eventbrite-api\u002Ftags"]