CVE-2026-3279

Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade

mediumMissing Authorization
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has knowns security vulnerabilities.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
High
Integrity
None
Availability

Technical Details

Affected versions<=1.4.1
PublishedMay 26, 2026
Last updatedMay 27, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-3279 - Enable jQuery Migrate Helper Downgrade ## 1. Vulnerability Summary The **Enable jQuery Migrate Helper** plugin (<= 1.4.1) contains a missing authorization vulnerability in its `downgrade_jquery_version()` function. While the function implements a nonce …

Show full research plan

Exploitation Research Plan: CVE-2026-3279 - Enable jQuery Migrate Helper Downgrade

1. Vulnerability Summary

The Enable jQuery Migrate Helper plugin (<= 1.4.1) contains a missing authorization vulnerability in its downgrade_jquery_version() function. While the function implements a nonce check to prevent Cross-Site Request Forgery (CSRF), it fails to verify if the requesting user has administrative capabilities (e.g., manage_options). Consequently, any authenticated user with Subscriber-level permissions or higher can trigger a site-wide downgrade of the jQuery library to a legacy version (1.12.4-wp), which contains known security vulnerabilities.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: downgrade_jquery_version (inferred from function name) or jquery-migrate-downgrade-version (common pattern for this plugin).
  • Parameters:
    • action: The AJAX action string.
    • _ajax_nonce: A valid WordPress nonce generated for the downgrade action.
  • Authentication: Subscriber-level account (PR:L).
  • Preconditions: The plugin must be active. The site should ideally be running a modern jQuery version (default in recent WP) to observe the change.

3. Code Flow

  1. Hook Registration: The plugin likely registers the AJAX handler in its main class or an admin initialization file:
    add_action( 'wp_ajax_downgrade_jquery_version', array( $this, 'downgrade_jquery_version' ) );
    
  2. Function Execution: When a Subscriber sends a POST request to admin-ajax.php with action=downgrade_jquery_version:
    • The downgrade_jquery_version() function is invoked.
    • It calls check_ajax_referer( 'jquery-migrate-downgrade', 'nonce' ) (or similar action/key).
    • Vulnerability: It proceeds to update_option( 'jquery_migrate_helper_version', 'legacy' ) (inferred) without calling current_user_can( 'manage_options' ).
  3. Sink: The update_option call modifies the site configuration, affecting which scripts are enqueued for all users.

4. Nonce Acquisition Strategy

Since this is an authenticated vulnerability affecting the admin-ajax interface, the nonce is likely localized for the WordPress admin dashboard.

  1. Identify Script Localization: Search the codebase for wp_localize_script.
  2. Create Subscriber: Use WP-CLI to create a Subscriber user.
  3. Capture Nonce:
    • Log into the WordPress admin as the Subscriber.
    • Navigate to the main Dashboard (/wp-admin/index.php).
    • Use browser_eval to search for the localized object.
    • JS Variables to check:
      • window.jquery_migrate_helper?.nonce
      • window.jqmh_data?.downgrade_nonce
      • window.wp_jquery_migrate_helper?.nonce (inferred)

Example Extraction:

// Run via browser_eval after navigating to /wp-admin/
return window.jquery_migrate_helper || window.jqmh_data || "Variable not found";

5. Exploitation Strategy

  1. Setup: Create a Subscriber user and log in.
  2. Discovery: Navigate to /wp-admin/ and extract the nonce using the browser_eval tool.
  3. Execution: Send a POST request to admin-ajax.php.
    • URL: http://[TARGET]/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=downgrade_jquery_version&_ajax_nonce=[EXTRACTED_NONCE] (Note: _ajax_nonce is the default key used by check_ajax_referer).

6. Test Data Setup

  1. Install Plugin: Ensure Enable jQuery Migrate Helper <= 1.4.1 is installed.
  2. Configure Baseline: Ensure the site is currently using the default (modern) jQuery.
    • wp option get jquery_migrate_helper_version (Should return nothing or 'default').
  3. User Creation:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    

7. Expected Results

  • HTTP Response: 200 OK, likely returning a JSON success message or 1.
  • System Change: The WordPress option responsible for the jQuery version is updated.
  • Frontend Change: Script tags in the site source will now point to /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 (legacy) instead of modern versions.

8. Verification Steps

  1. Check Option Value:
    wp option get jquery_migrate_helper_version
    
    A successful exploit will return legacy (or the specific internal value used by the plugin to represent the old version).
  2. Check Enqueued Scripts:
    Fetch the homepage and check the jQuery version:
    # Using the http_request tool on the homepage
    # Look for jquery.js?ver=1.12.4-wp
    

9. Alternative Approaches

If the direct action downgrade_jquery_version fails:

  • Search for settings saves: The plugin might use a general settings saving AJAX action that lacks capability checks. Look for wp_ajax_save_jquery_migrate_settings.
  • Action Guessing: If the nonce action name is different, grep the plugin source for wp_create_nonce to find the correct action string required for check_ajax_referer.
  • Parameter Variation: The function might expect version=legacy as an explicit POST parameter.
    • Payload: action=downgrade_jquery_version&_ajax_nonce=...&version=legacy (inferred).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in its AJAX handler for downgrading jQuery. This allows authenticated users with Subscriber-level access to downgrade the site-wide jQuery library to a legacy version (1.12.4-wp) which contains known security vulnerabilities.

Vulnerable Code

// class-enable-jquery-migrate-helper.php (inferred from research plan)

add_action( 'wp_ajax_downgrade_jquery_version', array( $this, 'downgrade_jquery_version' ) );

---

public function downgrade_jquery_version() {
    // Only verifies the nonce, not user capabilities
    check_ajax_referer( 'jquery-migrate-downgrade', 'nonce' );

    update_option( 'jquery_migrate_helper_version', 'legacy' );
    wp_send_json_success();
}

Security Fix

--- a/class-enable-jquery-migrate-helper.php
+++ b/class-enable-jquery-migrate-helper.php
@@ -XX,6 +XX,10 @@
 	public function downgrade_jquery_version() {
 		check_ajax_referer( 'jquery-migrate-downgrade', 'nonce' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_die( __( 'You do not have permission to perform this action.', 'enable-jquery-migrate-helper' ) );
+		}
+
 		update_option( 'jquery_migrate_helper_version', 'legacy' );
 		wp_send_json_success();
 	}

Exploit Outline

The exploit leverages a missing capability check in the 'downgrade_jquery_version' AJAX action. An authenticated Subscriber first retrieves a valid nonce (likely 'jquery-migrate-downgrade') by inspecting localized JavaScript variables in the admin dashboard (e.g., window.jquery_migrate_helper). The attacker then sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'downgrade_jquery_version' and the retrieved nonce. This successfully updates the site configuration to load the legacy jQuery version 1.12.4-wp for all users.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.