[
  {"data":1,"prerenderedAt":-1},
  ["ShallowReactive",2],
  {"$fQyEocicLnq21x-kLxVx02a19veAbmUMfpyp1Gkx62rw":3},
  {
    "id":4,
    "url_slug":5,
    "title":6,
    "description":7,
    "plugin_slug":8,
    "theme_slug":9,
    "affected_versions":10,
    "patched_in_version":11,
    "severity":12,
    "cvss_score":13,
    "cvss_vector":14,
    "vuln_type":15,
    "published_date":16,
    "updated_date":17,
    "references":18,
    "days_to_patch":20,
    "patch_diff_files":21,
    "patch_trac_url":9,
    "research_status":30,
    "research_verified":31,
    "research_rounds_completed":32,
    "research_plan":33,
    "research_summary":34,
    "research_vulnerable_code":9,
    "research_fix_diff":35,
    "research_exploit_outline":36,
    "research_model_used":37,
    "research_started_at":38,
    "research_completed_at":39,
    "research_error":9,
    "poc_status":9,
    "poc_video_id":9,
    "poc_summary":9,
    "poc_steps":9,
    "poc_tested_at":9,
    "poc_wp_version":9,
    "poc_php_version":9,
    "poc_playwright_script":9,
    "poc_exploit_code":9,
    "poc_has_trace":31,
    "poc_model_used":9,
    "poc_verification_depth":9,
    "poc_exploit_code_gated":31,
    "source_links":40
  },
  "CVE-2026-25402",
  "echo-knowledge-base-documentation-faqs-ai-chat-ai-search-missing-authorization",
  "Echo Knowledge Base – Documentation, FAQs, AI Chat & AI Search <= 16.011.0 - Missing Authorization",
  "The Echo Knowledge Base – Documentation, FAQs, Chat & Smart Search plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 16.011.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.",
  "echo-knowledge-base",
  null,
  "<=16.011.0",
  "16.20.0",
  "medium",
  4.3,
  "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
  "Missing Authorization",
  "2026-01-29 00:00:00",
  "2026-05-04 15:31:03",
  [19],
  "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4bfd3d4-8454-4db2-b6fc-570bc7f99f36?source=api-prod",
  96,
  [22,23,24,25,26,27,28,29],
  "css/admin-ai-page.css",
  "css/admin-ai-page.min.css",
  "css/admin-article-page.css",
  "css/admin-plugin-feedback.css",
  "css/admin-plugin-pages.css",
  "css/admin-plugin-pages.min.css",
  "css/ai-chat-widget.css",
  "css/ai-chat-widget.min.css",
  "researched",
  false,
  3,
  "This exploitation research plan focuses on **CVE-2026-25402** in the **Echo Knowledge Base** plugin. Based on the vulnerability description and provided CSS files, the vulnerability likely resides in an AJAX handler related to the \"AI Content Analysis\" or \"AI Chat\" features.\n\n### 1. Vulnerability Summary\nThe **Echo Knowledge Base** plugin (up to 16.011.0) contains a Missing Authorization vulnerability. A specific AJAX function registered via `wp_ajax_` lacks a `current_user_can()` check, allowing any authenticated user (Subscriber and above) to execute logic intended only for administrators. Based on the CSS file `css/admin-ai-page.css`, the vulnerable functionality is likely related to **AI Tags**, **Content Analysis**, or **AI Search settings**.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `/wp-admin/admin-ajax.php`\n*   **Action (Inferred):** Likely `epkb_save_ai_settings`, `epkb_ai_reanalyze_content`, or `epkb_content_analysis_save_tags`.\n*   **Authentication:** Authenticated (Subscriber level).\n*   **Payload Parameters:**\n    *   `action`: The vulnerable AJAX action name.\n    *   `_wpnonce` or `nonce`: A security token (likely required but potentially exposed to Subscribers).\n    *   Feature-specific data (e.g., tag names, setting toggles, or article IDs).\n\n### 3. Code Flow Analysis (Discovery Steps)\nSince the PHP source is not provided, the following discovery steps must be performed by the agent to pinpoint the sink:\n\n1.  **Identify AJAX Handlers:**\n    Search for AJAX registrations in the plugin directory:\n    `grep -r \"add_action( 'wp_ajax_\" .`\n2.  **Filter for Authorization Flaws:**\n    Check the callback functions for these actions. Specifically, look for those that:\n    *   Do **NOT** call `current_user_can('manage_options')` or a similar capability check.\n    *   Are related to the \"AI\" features (matching the CSS file identifiers like `epkb-ai-tags-section`).\n3.  **Trace AI Tagging Logic:**\n    The CSS `css/admin-ai-page.css` mentions `.epkb-sidebar-new-tag-input` and `.epkb-button-delete`. Search the PHP code for these strings to find the rendering logic and corresponding AJAX save/delete handlers.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely uses `wp_localize_script` to pass a nonce to the admin dashboard. Even if a Subscriber cannot access the full AI settings page, the nonce might be localized on a shared admin script or a page the Subscriber *can* access (like the Knowledge Base frontend or a Subscriber-level dashboard).\n\n1.  **Identify Nonce Action:** Search the PHP for `wp_create_nonce`. Look for strings like `epkb-admin-ajax` or `epkb_ai_nonce`.\n2.  **Find Localization Variable:** Look for `wp_localize_script`. The CSS refers to `epkb-content-analysis`. The JS variable is likely `epkb_admin_vars` or `epkb_ai_vars`.\n3.  **Extraction:**\n    *   Log in as a Subscriber.\n    *   Navigate to the Knowledge Base home page or the WordPress `/wp-admin/` dashboard.\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.epkb_admin_vars?.ajax_nonce\")` (Verify variable name in source).\n\n### 5. Exploitation Strategy\nOnce the vulnerable action is identified (e.g., `epkb_ai_reanalyze_content`), follow these steps:\n\n1.  **Target URL:** `http://localhost:8080/wp-admin/admin-ajax.php`\n2.  **Method:** POST\n3.  **Content-Type:** `application/x-www-form-urlencoded`\n4.  **Payload (Example - Re-analysis Trigger):**\n    ```\n    action=epkb_ai_reanalyze_content&epkb_kb_id=1&nonce=[EXTRACTED_NONCE]\n    ```\n5.  **Payload (Example - Modifying AI Tags):**\n    ```\n    action=epkb_content_analysis_save_tags&tag_name=hacked_tag&article_id=1&nonce=[EXTRACTED_NONCE]\n    ```\n\n### 6. Test Data Setup\n1.  **Plugin Setup:** Install and activate Echo Knowledge Base <= 16.011.0.\n2.  **Content:** Create at least one Knowledge Base article (Post Type: `echo_knowledge_base`).\n3.  **User:** Create a user with the **Subscriber** role.\n4.  **AI Feature:** Ensure the AI Content Analysis or Search feature is \"enabled\" in the plugin settings (as an admin) so the AJAX handlers are active.\n\n### 7. Expected Results\n*   **Success:** The server returns a `200 OK` and a JSON success message (e.g., `{\"status\":\"success\"}`).\n*   **Impact:** An action usually reserved for admins (like triggering a resource-intensive AI re-scan or modifying metadata/tags) is executed by the Subscriber.\n\n### 8. Verification Steps\n1.  **Check Database/Options:**\n    If the exploit modified a setting: `wp option get epkb_ai_settings`\n    If the exploit modified tags: `wp post term list [ARTICLE_ID] epkb_post_tag`\n2.  **Check Logs:**\n    If the exploit triggered re-analysis, check for changes in the `wp_epkb_ai_log` table or relevant metadata updates on articles.\n\n### 9. Alternative Approaches\n*   **Missing Nonce Check:** Check if `check_ajax_referer` is omitted entirely. If so, no nonce is needed.\n*   **Insecure Nonce Verification:** Check if `check_ajax_referer` is called with `die = false` and the return value is ignored.\n*   **REST API:** Check for endpoints registered via `register_rest_route` that lack a `permission_callback` or return `true` unconditionally. Look for the \"AI\" namespace in `wp-json/`.",
  "The Echo Knowledge Base plugin for WordPress is vulnerable to unauthorized access in versions up to and including 16.011.0 due to missing capability checks on AJAX functions. This allows authenticated attackers with Subscriber-level permissions to execute administrative actions related to AI features, such as triggering content re-analysis or modifying AI tags.",
  "--- /home/deploy/wp-safety.org/data/plugin-versions/echo-knowledge-base/16.011.0/css/admin-ai-page.css\t2026-02-01 19:16:52.000000000 +0000\n+++ /home/deploy/wp-safety.org/data/plugin-versions/echo-knowledge-base/16.20.0/css/admin-ai-page.css\t2026-02-21 16:09:38.000000000 +0000\n@@ -2634,6 +2634,34 @@\n   margin: 17px 0px;\n }\n \n+.epkb-ai-not-enabled-notice {\n+  background-color: #F0FDF4;\n+  border: 2px solid #BBF7D0;\n+  border-radius: 8px;\n+  padding: 25px 30px;\n+  margin-bottom: 25px;\n+}\n+.epkb-ai-not-enabled-notice h3 {\n+  margin: 0 0 10px 0;\n+  font-size: 1.4rem;\n+  font-weight: 700;\n+  color: #166534;\n+}\n+.epkb-ai-not-enabled-notice p {\n+  margin: 0;\n+  font-size: 1.1rem;\n+  line-height: 1.6;\n+  color: #15803D;\n+}\n+.epkb-ai-not-enabled-notice a {\n+  color: #166534;\n+  font-weight: 600;\n+  text-decoration: underline;\n+}\n+.epkb-ai-not-enabled-notice a:hover {\n+  color: #14532D;\n+}\n+\n .epkb-ai-welcome-setup {\n   background: linear-gradient(135deg, #667EEA 0%, #764BA2 100%);\n   border-radius: 12px;\n@@ -8180,6 +8208,58 @@\n   cursor: not-allowed;\n }\n \n+.epkb-ai-pdf-dialog .epkb-ai-dialog-body .epkb-ai-button {\n+  margin: 4px 8px 4px 0;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-body .epkb-ai-button:last-child {\n+  margin-right: 0;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-body .epkb-ai-pdf-upload-section .epkb-ai-button {\n+  margin-top: 10px;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-body .epkb-ai-button-secondary {\n+  background-color: #F0F0F1;\n+  border-color: #DCDCDE;\n+  color: #2C3338;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-footer {\n+  display: flex;\n+  justify-content: flex-end;\n+  gap: 10px;\n+  padding: 16px 20px;\n+  border-top: 1px solid #E0E0E0;\n+  background: #F9F9F9;\n+  border-radius: 0 0 12px 12px;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-footer .epkb-ai-button {\n+  margin: 0 4px;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-footer .epkb-ai-button:first-child {\n+  margin-left: 0;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-footer .epkb-ai-button:last-child {\n+  margin-right: 0;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-footer .epkb-ai-button.epkb-ai-button-secondary {\n+  background-color: #F0F0F1;\n+  border-color: #DCDCDE;\n+  color: #2C3338;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-footer .epkb-ai-button.epkb-ai-button-primary {\n+  opacity: 1 !important;\n+  visibility: visible !important;\n+  background: #0073AA !important;\n+  background-color: #0073AA !important;\n+  border-color: #0073AA !important;\n+  color: #FFFFFF !important;\n+}\n+.epkb-ai-pdf-dialog .epkb-ai-dialog-footer .epkb-ai-button.epkb-ai-button-primary:hover:not(:disabled) {\n+  background: #005A87 !important;\n+  background-color: #005A87 !important;\n+  border-color: #005A87 !important;\n+  color: #FFFFFF !important;\n+}\n+\n .epkb-ai-loading-spinner {\n   text-align: center;\n   padding: 40px;",
  "To exploit this vulnerability, an authenticated user with Subscriber-level access must first obtain a valid AJAX nonce. This nonce is typically localized in the WordPress admin dashboard within the 'epkb_admin_vars' JavaScript object. The attacker then sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to a vulnerable handler, such as 'epkb_ai_reanalyze_content' or 'epkb_content_analysis_save_tags', along with the required parameters (e.g., article_id, tag_name) and the extracted nonce. Because the server-side callback functions for these actions lack proper 'current_user_can()' authorization checks, the plugin will execute administrative tasks such as modifying content tags or triggering resource-intensive AI analysis without verifying the attacker's actual privileges.",
  "gemini-3-flash-preview",
  "2026-05-04 21:10:19",
  "2026-05-04 21:10:47",
  {
    "type":41,
    "vulnerable_version":42,
    "fixed_version":11,
    "vulnerable_browse":43,
    "vulnerable_zip":44,
    "fixed_browse":45,
    "fixed_zip":46,
    "all_tags":47
  },
  "plugin",
  "16.011.0",
  "https://plugins.trac.wordpress.org/browser/echo-knowledge-base/tags/16.011.0",
  "https://downloads.wordpress.org/plugin/echo-knowledge-base.16.011.0.zip",
  "https://plugins.trac.wordpress.org/browser/echo-knowledge-base/tags/16.20.0",
  "https://downloads.wordpress.org/plugin/echo-knowledge-base.16.20.0.zip",
  "https://plugins.trac.wordpress.org/browser/echo-knowledge-base/tags"
]
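Review bot: neither hunk in the `research_fix_diff` for css/admin-ai-page.css (`@@ -2634,6 +2634,34 @@` and `@@ -8180,6 +8208,58 @@`) touches authorization; the first only adds the `.epkb-ai-not-enabled-notice` stylesheet rules and the second only adds `.epkb-ai-pdf-dialog` button and footer styling, so there is no PHP change and no `current_user_can()` or capability check anywhere in this diff, and `patch_diff_files` lists CSS files only. The diff therefore does not evidence the fix that the description and `research_summary` attribute to 16.20.0, which is consistent with `research_verified` being false; the record should either link the PHP handler change between the 16.011.0 and 16.20.0 tags given in `source_links` or state that the fix diff was not located, and the AJAX action names in `research_plan` (`epkb_save_ai_settings`, `epkb_ai_reanalyze_content`, `epkb_content_analysis_save_tags`) should remain marked as inferred rather than confirmed until that handler is identified.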