[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPfscEfYi2ngy0PfHO3mTnoQ7WB0N4Bmp1qTGvUVw2Ng":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-1925","emailkit-email-customizer-for-woocommerce-wp-missing-authorization-to-authenticated-subscriber-arbitrary-post-title-modi","EmailKit – Email Customizer for WooCommerce & WP \u003C= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification","The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.","emailkit",null,"\u003C=1.6.2","1.6.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-17 16:26:56","2026-02-18 04:35:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff131ea1e-d652-4854-abea-6a307ca8118f?source=api-prod",1,[],"researched",false,3,"# Vulnerability Analysis: CVE-2026-1925 (EmailKit – Email Customizer for WooCommerce & WP)\n\n## 1. Vulnerability Summary\nThe **EmailKit – Email Customizer for WooCommerce & WP** plugin (versions \u003C= 1.6.2) is vulnerable to **unauthorized data modification** due to a missing authorization check in the `update_template_data` function. While the function likely verifies a WordPress nonce to prevent CSRF, it fails to verify if the authenticated user has the necessary capabilities (e.g., `manage_options` or `edit_posts`) to modify post data. This allows any authenticated user, including those with **Subscriber** privileges, to change the title of any post, page, or custom post type on the site by providing its ID.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `emailkit_update_template_data` (inferred prefix based on plugin slug) or `update_template_data`.\n*   **Vulnerable Parameter:** `post_id` (the ID of the target post) and `title` (the new title).\n*   **Authentication:** Subscriber level or higher is required.\n*   **Preconditions:** A valid nonce for the `update_template_data` action must be obtained.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with the action `emailkit_update_template_data`.\n2.  **Hook Registration:** The plugin registers the action via:\n    `add_action('wp_ajax_emailkit_update_template_data', array($this, 'update_template_data'));`\n3.  **Vulnerable Function:** The `update_template_data` function is called.\n4.  **Missing Check:** The function likely calls `check_ajax_referer('emailkit_nonce', 'security')` but fails to call `current_user_can('manage_options')`.\n5.  **Sink:** The function retrieves `post_id` and `title` from the `$_POST` array and calls `wp_update_post(array('ID' => $post_id, 'post_title' => $title))`.\n6.  **Impact:** The title of the specified `post_id` is updated in the database regardless of the user's permissions.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this as a Subscriber, we must find where the plugin exposes the nonce.\n1.  **Login as Subscriber:** Authenticate as a low-privileged user.\n2.  **Locate Nonce:** The plugin likely uses `wp_localize_script` to pass a nonce to its template editor. Even if a Subscriber cannot access the EmailKit dashboard menu, the script might be enqueued on all admin pages (common in many plugins) or the nonce might be accessible on the frontend if EmailKit components are used.\n3.  **Check Admin Pages:** Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n4.  **Browser Evaluation:** Use the `browser_eval` tool to check for common EmailKit global objects.\n    *   **Inferred JS Variable:** `window.emailkit_config?.nonce` or `window.emailkit_obj?.security`.\n    *   **Action String:** Likely `emailkit_nonce` or `emailkit-customizer-nonce`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Setup\n*   Identify a target post ID (e.g., Post ID 1, usually \"Hello world!\").\n*   Create a Subscriber user account.\n\n### Step 2: Nonce Extraction\n*   Log in to the WordPress dashboard as the Subscriber.\n*   Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n*   Execute JS to find the nonce:\n    ```javascript\n    \u002F\u002F Search for any object containing \"nonce\" or \"security\" related to emailkit\n    Object.keys(window).filter(key => key.toLowerCase().includes('emailkit'))\n    ```\n*   Capture the value (e.g., `emailkit_obj.nonce`).\n\n### Step 3: Send Exploit Request\nUse the `http_request` tool to send the unauthorized update request.\n\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `emailkit_update_template_data` (verify via grep)\n    *   `security`: `[EXTRACTED_NONCE]`\n    *   `post_id`: `1` (Target Post ID)\n    *   `title`: `VULNERABLE-TITLE-MODIFIED`\n\n### Step 4: Verification\n*   Check if the post title has changed using WP-CLI.\n\n## 6. Test Data Setup\n1.  **Target Post:** Ensure a post exists with ID 1.\n    *   `wp post create --post_title=\"Original Admin Post\" --post_status=publish`\n2.  **Attacker User:** Create a Subscriber user.\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3.  **Plugin Activation:** Ensure `emailkit` is active.\n\n## 7. Expected Results\n*   **Response:** The server should return a JSON success response, e.g., `{\"success\":true}` or `1`.\n*   **Database State:** The `post_title` column in the `wp_posts` table for the target ID should reflect the new title.\n\n## 8. Verification Steps\n1.  **Check Title via WP-CLI:**\n    ```bash\n    wp post get 1 --field=post_title\n    ```\n    If the output is `VULNERABLE-TITLE-MODIFIED`, the exploit is successful.\n2.  **Check via UI:**\n    Navigate to the site's homepage or the specific post URL to see the modified title.\n\n## 9. Alternative Approaches\n*   **Parameter Names:** If `post_id` or `title` doesn't work, try `id`, `template_id`, `name`, or `template_name` (as the function name mentions \"template_data\").\n*   **REST API:** Check if the plugin registers a REST route `emailkit\u002Fv1\u002Fupdate-template` which might share the same vulnerable logic.\n*   **Action Name:** If `emailkit_update_template_data` is incorrect, grep the plugin directory:\n    ```bash\n    grep -rn \"wp_ajax_\" wp-content\u002Fplugins\u002Femailkit\u002F | grep \"update_template_data\"\n    ```\n*   **Nonce Check Bypass:** If `check_ajax_referer` is used with the third parameter set to `false`, the nonce check might be entirely skippable if the result isn't validated.","gemini-3-flash-preview","2026-04-20 20:35:26","2026-04-20 20:36:18",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","1.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femailkit\u002Ftags\u002F1.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femailkit.1.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femailkit\u002Ftags\u002F1.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femailkit.1.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femailkit\u002Ftags"]