[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpCMJRa4VWXol7MUgyHhYDHx0Bp2rWXLI7lTVKSHj87Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-3279","enable-jquery-migrate-helper-missing-authorization-to-authenticated-subscriber-jquery-version-downgrade","Enable jQuery Migrate Helper \u003C= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade","The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has knowns security vulnerabilities.","enable-jquery-migrate-helper",null,"\u003C=1.4.1","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Missing Authorization","2026-05-26 17:35:02","2026-05-27 06:46:16",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1a74d5f4-1dd8-4d49-b4ce-8ba7ac9cbcc7?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3279 - Enable jQuery Migrate Helper Downgrade\n\n## 1. Vulnerability Summary\nThe **Enable jQuery Migrate Helper** plugin (\u003C= 1.4.1) contains a missing authorization vulnerability in its `downgrade_jquery_version()` function. While the function implements a nonce check to prevent Cross-Site Request Forgery (CSRF), it fails to verify if the requesting user has administrative capabilities (e.g., `manage_options`). Consequently, any authenticated user with Subscriber-level permissions or higher can trigger a site-wide downgrade of the jQuery library to a legacy version (1.12.4-wp), which contains known security vulnerabilities.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `downgrade_jquery_version` (inferred from function name) or `jquery-migrate-downgrade-version` (common pattern for this plugin).\n- **Parameters**: \n    - `action`: The AJAX action string.\n    - `_ajax_nonce`: A valid WordPress nonce generated for the downgrade action.\n- **Authentication**: Subscriber-level account (`PR:L`).\n- **Preconditions**: The plugin must be active. The site should ideally be running a modern jQuery version (default in recent WP) to observe the change.\n\n## 3. Code Flow\n1. **Hook Registration**: The plugin likely registers the AJAX handler in its main class or an admin initialization file:\n   ```php\n   add_action( 'wp_ajax_downgrade_jquery_version', array( $this, 'downgrade_jquery_version' ) );\n   ```\n2. **Function Execution**: When a Subscriber sends a POST request to `admin-ajax.php` with `action=downgrade_jquery_version`:\n   - The `downgrade_jquery_version()` function is invoked.\n   - It calls `check_ajax_referer( 'jquery-migrate-downgrade', 'nonce' )` (or similar action\u002Fkey).\n   - **Vulnerability**: It proceeds to `update_option( 'jquery_migrate_helper_version', 'legacy' )` (inferred) without calling `current_user_can( 'manage_options' )`.\n3. **Sink**: The `update_option` call modifies the site configuration, affecting which scripts are enqueued for all users.\n\n## 4. Nonce Acquisition Strategy\nSince this is an authenticated vulnerability affecting the admin-ajax interface, the nonce is likely localized for the WordPress admin dashboard.\n\n1. **Identify Script Localization**: Search the codebase for `wp_localize_script`.\n2. **Create Subscriber**: Use WP-CLI to create a Subscriber user.\n3. **Capture Nonce**:\n   - Log into the WordPress admin as the Subscriber.\n   - Navigate to the main Dashboard (`\u002Fwp-admin\u002Findex.php`).\n   - Use `browser_eval` to search for the localized object.\n   - **JS Variables to check**:\n     - `window.jquery_migrate_helper?.nonce`\n     - `window.jqmh_data?.downgrade_nonce`\n     - `window.wp_jquery_migrate_helper?.nonce` (inferred)\n\n**Example Extraction**:\n```javascript\n\u002F\u002F Run via browser_eval after navigating to \u002Fwp-admin\u002F\nreturn window.jquery_migrate_helper || window.jqmh_data || \"Variable not found\";\n```\n\n## 5. Exploitation Strategy\n1. **Setup**: Create a Subscriber user and log in.\n2. **Discovery**: Navigate to `\u002Fwp-admin\u002F` and extract the nonce using the `browser_eval` tool.\n3. **Execution**: Send a POST request to `admin-ajax.php`.\n   - **URL**: `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method**: `POST`\n   - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body**: `action=downgrade_jquery_version&_ajax_nonce=[EXTRACTED_NONCE]` (Note: `_ajax_nonce` is the default key used by `check_ajax_referer`).\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure Enable jQuery Migrate Helper \u003C= 1.4.1 is installed.\n2. **Configure Baseline**: Ensure the site is currently using the default (modern) jQuery.\n   - `wp option get jquery_migrate_helper_version` (Should return nothing or 'default').\n3. **User Creation**:\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n   ```\n\n## 7. Expected Results\n- **HTTP Response**: 200 OK, likely returning a JSON success message or `1`.\n- **System Change**: The WordPress option responsible for the jQuery version is updated.\n- **Frontend Change**: Script tags in the site source will now point to `\u002Fwp-includes\u002Fjs\u002Fjquery\u002Fjquery-migrate.min.js?ver=1.4.1` (legacy) instead of modern versions.\n\n## 8. Verification Steps\n1. **Check Option Value**:\n   ```bash\n   wp option get jquery_migrate_helper_version\n   ```\n   A successful exploit will return `legacy` (or the specific internal value used by the plugin to represent the old version).\n2. **Check Enqueued Scripts**:\n   Fetch the homepage and check the jQuery version:\n   ```bash\n   # Using the http_request tool on the homepage\n   # Look for jquery.js?ver=1.12.4-wp\n   ```\n\n## 9. Alternative Approaches\nIf the direct action `downgrade_jquery_version` fails:\n- **Search for settings saves**: The plugin might use a general settings saving AJAX action that lacks capability checks. Look for `wp_ajax_save_jquery_migrate_settings`.\n- **Action Guessing**: If the nonce action name is different, grep the plugin source for `wp_create_nonce` to find the correct action string required for `check_ajax_referer`.\n- **Parameter Variation**: The function might expect `version=legacy` as an explicit POST parameter.\n  - Payload: `action=downgrade_jquery_version&_ajax_nonce=...&version=legacy` (inferred).","The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in its AJAX handler for downgrading jQuery. This allows authenticated users with Subscriber-level access to downgrade the site-wide jQuery library to a legacy version (1.12.4-wp) which contains known security vulnerabilities.","\u002F\u002F class-enable-jquery-migrate-helper.php (inferred from research plan)\n\nadd_action( 'wp_ajax_downgrade_jquery_version', array( $this, 'downgrade_jquery_version' ) );\n\n---\n\npublic function downgrade_jquery_version() {\n    \u002F\u002F Only verifies the nonce, not user capabilities\n    check_ajax_referer( 'jquery-migrate-downgrade', 'nonce' );\n\n    update_option( 'jquery_migrate_helper_version', 'legacy' );\n    wp_send_json_success();\n}","--- a\u002Fclass-enable-jquery-migrate-helper.php\n+++ b\u002Fclass-enable-jquery-migrate-helper.php\n@@ -XX,6 +XX,10 @@\n \tpublic function downgrade_jquery_version() {\n \t\tcheck_ajax_referer( 'jquery-migrate-downgrade', 'nonce' );\n \n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_die( __( 'You do not have permission to perform this action.', 'enable-jquery-migrate-helper' ) );\n+\t\t}\n+\n \t\tupdate_option( 'jquery_migrate_helper_version', 'legacy' );\n \t\twp_send_json_success();\n \t}","The exploit leverages a missing capability check in the 'downgrade_jquery_version' AJAX action. An authenticated Subscriber first retrieves a valid nonce (likely 'jquery-migrate-downgrade') by inspecting localized JavaScript variables in the admin dashboard (e.g., window.jquery_migrate_helper). The attacker then sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to 'downgrade_jquery_version' and the retrieved nonce. This successfully updates the site configuration to load the legacy jQuery version 1.12.4-wp for all users.","gemini-3-flash-preview","2026-06-04 18:32:56","2026-06-04 18:33:14",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fenable-jquery-migrate-helper\u002Ftags"]