[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2M55biQw2ZJXGyhUgsI5L3OfLnv3wUSa7rLJDIMbosw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-24556","elementcamp-missing-authorization","ElementCamp \u003C= 2.3.2 - Missing Authorization","The ElementCamp plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.3.2. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","element-camp",null,"\u003C=2.3.2","2.3.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-22 00:00:00","2026-01-28 14:09:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd0d0184a-6aa1-41af-8b18-6bab3b64f42f?source=api-prod",7,[22,23,24,25,26,27,28,29],"element-camp.php","elementor\u002Fassets\u002Fjs\u002Ftcg-select2.js","elementor\u002Fcontrols\u002FSelect2.php","elementor\u002Fcontrols\u002Fhelper.php","elementor\u002Felementor-addon.php","elementor\u002Felementor-init.php","elementor\u002Felements\u002Fassets\u002Fcss\u002Fglobal\u002Fanimations.css","elementor\u002Felements\u002Fassets\u002Fcss\u002Fstyle.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-24556 (ElementCamp)\n\n## 1. Vulnerability Summary\nThe **ElementCamp** plugin (versions \u003C= 2.3.2) is vulnerable to **Missing Authorization** in its AJAX handlers. Specifically, the function `tcg_create_dynamic_block` is registered for unauthenticated users (`wp_ajax_nopriv_tcg_create_dynamic_block`) in `elementor\u002Felementor-addon.php`. \n\nThe function likely lacks both a capability check (`current_user_can`) and a nonce check (`check_ajax_referer`), allowing any unauthenticated attacker to create new dynamic blocks\u002Ftemplates (Post Type: `tcg_teb`) on the WordPress site. This results in a low-integrity impact as attackers can inject unauthorized content into the database.\n\n## 2. Attack Vector Analysis\n-   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n-   **Action:** `tcg_create_dynamic_block` (Registered for both authenticated and unauthenticated users).\n-   **Method:** `POST`\n-   **Authentication:** None required (unauthenticated).\n-   **Preconditions:** Plugin must be active. 
Elementor should ideally be installed (though the AJAX handler may run regardless).\n\n## 3. Code Flow\n1.  **Entry Point:** `admin-ajax.php` receives a request with `action=tcg_create_dynamic_block`.\n2.  **Hook Registration:** In `elementor\u002Felementor-addon.php`, the action is registered:\n    ```php\n    add_action( 'wp_ajax_nopriv_tcg_create_dynamic_block', 'tcg_create_dynamic_block' );\n    add_action( 'wp_ajax_tcg_create_dynamic_block', 'tcg_create_dynamic_block' );\n    ```\n3.  **Vulnerable Sink:** The function `tcg_create_dynamic_block` (truncated in source) is called. Based on the plugin's structure and function naming:\n    -   It retrieves parameters such as `title`, `template_type`, and potentially `data`.\n    -   It calls `wp_insert_post()` to create a post of type `tcg_teb` (identified in `themescamp_notification_choices` and `themescamp_offcanvas_choices`).\n    -   It likely uses `update_post_meta()` to set the `template_type`.\n4.  **Missing Check:** No authorization check is performed before the database write.\n\n## 4. Nonce Acquisition Strategy\nBased on `elementor\u002Fcontrols\u002FSelect2.php`, the plugin does **not** localize a nonce for its Select2 AJAX actions, and the corresponding JavaScript in `elementor\u002Fassets\u002Fjs\u002Ftcg-select2.js` does **not** send one. If `tcg_create_dynamic_block` follows this pattern, **no nonce is required**.\n\nIf a nonce is discovered during manual inspection:\n1.  Identify where `dynamic-editor.js` or `tcg-select2.js` is enqueued.\n2.  Create a post using the `[element-camp]` (or similar) shortcode if required to load the scripts.\n3.  Navigate to the page.\n4.  Use `browser_eval` to extract the nonce from the localized object (likely `tcg_select2_localize` or a similar global variable).\n\n**Current Assumption:** No nonce is enforced for `tcg_create_dynamic_block`.\n\n## 5. 
Exploitation Strategy\nThe goal is to create an unauthorized post of type `tcg_teb`.\n\n### Request Details\n-   **Tool:** `http_request`\n-   **URL:** `{{BASE_URL}}\u002Fwp-admin\u002Fadmin-ajax.php`\n-   **Method:** `POST`\n-   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n-   **Body:**\n    ```\n    action=tcg_create_dynamic_block&title=Unauthorized+Template&template_type=notification\n    ```\n    *(Note: `template_type` values like `notification` or `offcanvas` are valid per `themescamp_notification_choices`)*.\n\n### Expected Response\nA successful request should return a JSON response, likely containing a `success: true` flag and the newly created `post_id`.\n```json\n{\"success\":true,\"data\":{\"post_id\":123}}\n```\n\n## 6. Test Data Setup\n1.  Install and activate the **ElementCamp** plugin (v2.3.2).\n2.  Install and activate **Elementor** (dependency).\n3.  Confirm the existence of the `tcg_teb` post type (can be checked via `wp post-type list`).\n\n## 7. Expected Results\n-   The AJAX request returns a `200 OK` with a success JSON body.\n-   A new post is created in the WordPress database with the title \"Unauthorized Template\" and post type `tcg_teb`.\n-   The post meta `template_type` for the new post is set to `notification`.\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to verify the state:\n```bash\n# Check if the post was created\nwp post list --post_type=tcg_teb --fields=ID,post_title,post_status\n\n# Verify the meta value\nwp post meta get \u003CID> template_type\n```\n\n## 9. Alternative Approaches\nIf `tcg_create_dynamic_block` fails, examine the other Select2 AJAX actions which are likely also missing authorization:\n1.  **Action:** `tcg_select2_search_post`\n    -   **Parameters:** `post_type=post&term=secret`\n    -   **Goal:** Information Disclosure of private post titles (though CVSS suggests Integrity impact is primary).\n2.  
**Action:** `tcg_select2_get_title`\n    -   **Parameters:** `post_type=post&id[]=1`\n    -   **Goal:** Retrieve titles of private posts by ID.\n\nIf the `tcg_teb` post type requires specific Elementor data to be \"valid,\" the payload may need to include a `data` parameter containing a JSON-encoded Elementor structure (e.g., `data=[{\"elType\":\"section\",...}]`).","The ElementCamp plugin for WordPress (versions \u003C= 2.3.2) is vulnerable to unauthorized access because it fails to perform capability and nonce checks on several AJAX handlers. This allows unauthenticated attackers to perform actions such as creating unauthorized dynamic block templates (post type tcg_teb) or querying existing post information.","\u002F\u002F elementor\u002Felementor-addon.php:351\nadd_action( 'wp_ajax_nopriv_tcg_create_dynamic_block', 'tcg_create_dynamic_block' );\nadd_action( 'wp_ajax_tcg_create_dynamic_block', 'tcg_create_dynamic_block' );\n\nif ( ! function_exists( 'tcg_create_dynamic_block' ) ) {\nfunction tcg_create_dynamic_block() {\n\u002F\u002F ... lacks current_user_can() and check_ajax_referer() ...\n\n---\n\n\u002F\u002F elementor\u002Fcontrols\u002FSelect2.php:31\nwp_localize_script(\n    'tcg-select2',\n    'tcg_select2_localize',\n    [\n        'ajaxurl'         => esc_url( admin_url( 'admin-ajax.php' ) ),\n        'search_text'     => esc_html__( 'Search', 'themescamp-plugin' ),\n        \u002F\u002F Missing security nonce field\n    ]\n);\n\n---\n\n\u002F\u002F elementor\u002Fassets\u002Fjs\u002Ftcg-select2.js:10\ndata: function ( params ) {\n    return {\n        action: 'tcg_select2_search_post',\n        post_type: obj.data.source_type,\n        \u002F\u002F ... 
no security token passed ...\n    }\n}","diff -ru element-camp\u002Felementor\u002Fassets\u002Fjs\u002Ftcg-select2.js element-camp\u002Felementor\u002Fassets\u002Fjs\u002Ftcg-select2.js\n--- element-camp\u002Felementor\u002Fassets\u002Fjs\u002Ftcg-select2.js\n+++ element-camp\u002Felementor\u002Fassets\u002Fjs\u002Ftcg-select2.js\n@@ -11,6 +11,7 @@\n                     data: function ( params ) {\n                         return {\n                             action: 'tcg_select2_search_post',\n+                            security: tcg_select2_localize.security,\n                             post_type: obj.data.source_type,\n                             source_name: obj.data.source_name,\n@@ -42,6 +43,7 @@\n                             url: tcg_select2_localize.ajaxurl,\n                             data: {\n                                 action: 'tcg_select2_get_title',\n+                                security: tcg_select2_localize.security,\n                                 post_type: obj.data.source_type, \ndiff -ru element-camp\u002Felementor\u002Fcontrols\u002FSelect2.php element-camp\u002Felementor\u002Fcontrols\u002FSelect2.php\n--- element-camp\u002Felementor\u002Fcontrols\u002FSelect2.php\n+++ element-camp\u002Felementor\u002Fcontrols\u002FSelect2.php\n@@ -28,6 +28,7 @@\n     \t\t\t'tcg_select2_localize',\n     \t\t\t[\n     \t\t\t\t'ajaxurl'         => esc_url( admin_url( 'admin-ajax.php' ) ),\n+    \t\t\t\t'security'        => wp_create_nonce( 'tcg_select2_nonce' ),\n     \t\t\t\t'search_text'     => esc_html__( 'Search', 'themescamp-plugin' ),\ndiff -ru element-camp\u002Felementor\u002Felementor-init.php element-camp\u002Felementor\u002Felementor-init.php\n--- element-camp\u002Felementor\u002Felementor-init.php\n+++ element-camp\u002Felementor\u002Felementor-init.php\n@@ -3,5 +3,4 @@\n \n include('controls\u002FSelect2.php');\n include('controls\u002Fhelper.php');\n-include('elementor-addon.php');\n 
include('extender\u002Fclass-extender.php');","An unauthenticated attacker can exploit this vulnerability by sending a POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the action 'tcg_create_dynamic_block'. The payload should include a 'title' and 'template_type' (e.g., 'notification' or 'offcanvas'). Because the handler lacks authorization and nonce verification, the plugin will create a new post of type 'tcg_teb' in the database. Furthermore, attackers can use the 'tcg_select2_search_post' and 'tcg_select2_get_title' actions without authentication to search for and retrieve titles of existing posts.","gemini-3-flash-preview","2026-05-05 03:01:22","2026-05-05 03:01:58",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felement-camp\u002Ftags\u002F2.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felement-camp.2.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felement-camp\u002Ftags\u002F2.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felement-camp.2.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felement-camp\u002Ftags"]