[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fb0TQu5WydKVdoy65ZMAGVNpV-b2foa7BqT_iRvun8No":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-7665","essential-addons-for-elementor-missing-authorization-to-unauthenticated-information-exposure-via-loadmore-ajax-handler","Essential Addons for Elementor \u003C= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler","The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajax_load_more function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.","essential-addons-for-elementor-lite",null,"\u003C=6.6.4","6.6.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-05 14:25:47","2026-06-06 02:28:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F861ece65-bee7-4124-b1a8-de9fb0c1cbc7?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fadmin\u002Fcss\u002Fnotice.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Fdual-header.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Fdual-header.min.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Flogin-register.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Flogin-register.min.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Fwoo-product-carousel.css","assets\u002Ffront-end\u002Fcss\u002Fview\u002Fwoo-product-carousel.min.css","assets\u002Ffront-end\u002Fjs\u002Fedit\u002Fea-select2.js","researched",false,3,"This research plan outlines the analysis and proof-of-concept (PoC) development for **CVE-2026-7665**, an information exposure vulnerability in the **Essential Addons for Elementor** plugin.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization to Unauthenticated Information Exposure.\n*   **Component:** `ajax_load_more` handler.\n*   **Location (Inferred):** Likely within `includes\u002FTraits\u002FAjax_Handlers.php` or a similar AJAX management class (e.g., `Essential_Addons_Elementor\\Classes\\Bootstrap`).\n*   **Mechanism:** The plugin registers a `wp_ajax_nopriv_eael_load_more` action to handle infinite scrolling\u002Fpagination for widgets like Post Grid. The handler processes a user-supplied `template_info` or `args` parameter to reconstruct a `WP_Query`. Due to a lack of server-side validation or hardcoding of the `post_status` parameter, an unauthenticated user can modify the query to include `private`, `draft`, or `pending` posts.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `eael_load_more` (inferred action name based on the function `ajax_load_more`).\n*   **Authentication:** Unauthenticated (`nopriv`).\n*   **Payload Location:** POST parameters, specifically `template_info` (which often contains a JSON-encoded or Base64-encoded array of query arguments).\n*   **Vulnerable Parameter:** The `post_status` key within the query arguments.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The client triggers an AJAX request to `admin-ajax.php` with `action=eael_load_more`.\n2.  **Hook Registration:** `add_action( 'wp_ajax_nopriv_eael_load_more', [ $this, 'ajax_load_more' ] );`\n3.  **Handler Execution:** The `ajax_load_more()` function retrieves the payload (e.g., `$_POST['template_info']`).\n4.  **Query Reconstruction:** The handler decodes the payload into an array of `$args`.\n5.  **Sink (WP_Query):** The `$args` array is passed directly into a new `WP_Query($args)`.\n6.  **Vulnerability:** If `$args['post_status']` is not explicitly set to `'publish'` by the plugin, the attacker can supply `['draft', 'private', 'publish']` to view unauthorized content.\n\n### 4. Nonce Acquisition Strategy\nEssential Addons for Elementor typically localizes its security tokens into a global JavaScript object.\n\n1.  **Identify Trigger:** The \"Post Grid\" or \"Post Timeline\" widgets use the \"Load More\" functionality.\n2.  **Setup Page:** Create a page containing a \"Post Grid\" widget.\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"EAEL Test\" --post_content='[eael-post-grid]'` (Note: In a real Elementor environment, this widget is added via the Elementor editor).\n3.  **Locate Nonce:** The plugin localizes its settings in an object, usually `eael_localize`.\n    *   Search the HTML source for: `var eael_localize = { ... \"nonce\" : \"...\" }`.\n4.  **Extraction:**\n    *   `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Feael-test\")`\n    *   `NONCE = browser_eval(\"window.eael_localize?.nonce\")`\n    *   *Note:* If a specific nonce for `load_more` exists, it might be found within the `data-settings` attribute of the widget's HTML wrapper.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Baseline Request\nIdentify a valid `load_more` request by interacting with a Post Grid widget on the site and inspecting the network traffic.\n\n#### Step 2: Payload Crafting\nThe `template_info` parameter is often a JSON string. An attacker modifies this string to include forbidden statuses.\n\n**Payload Structure (Conceptual):**\n```json\n{\n  \"post_type\": \"post\",\n  \"posts_per_page\": 10,\n  \"post_status\": [\"draft\", \"private\", \"publish\"],\n  \"template_path\": \"...\" \n}\n```\n*Note: The plugin might Base64 encode this string before transmission.*\n\n#### Step 3: Execution via `http_request`\n```javascript\n\u002F\u002F Example POST request to admin-ajax.php\nhttp_request({\n  method: \"POST\",\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  headers: {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  body: \"action=eael_load_more&nonce=\" + NONCE + \"&page=1&template_info=\" + ENCODED_PAYLOAD\n});\n```\n\n### 6. Test Data Setup\nTo verify the information exposure, the environment must contain non-public data:\n1.  **Private Post:** Create a post with `post_status='private'`.\n    *   `wp post create --post_title=\"Secret Private Post\" --post_content=\"This is sensitive information.\" --post_status=private`\n2.  **Draft Post:** Create a post with `post_status='draft'`.\n    *   `wp post create --post_title=\"Confidential Draft\" --post_content=\"Unpublished internal data.\" --post_status=draft`\n3.  **Password Protected:** Create a post with a password.\n    *   `wp post create --post_title=\"Password Protected\" --post_content=\"Hidden content\" --post_status=publish --post_password=\"123\"`\n\n### 7. Expected Results\n*   **Vulnerable Version (\u003C= 6.6.4):** The AJAX response returns HTML or JSON containing the titles and excerpts of the \"Secret Private Post\" and \"Confidential Draft\".\n*   **Patched Version (>= 6.6.5):** The response only contains public posts, or the server rejects the request if the `post_status` is manipulated.\n\n### 8. Verification Steps\n1.  Check the HTTP response body for the string \"Secret Private Post\".\n2.  Verify the count of posts returned. If the UI normally shows 5 posts but the response contains 7 (including the private\u002Fdraft ones), the exposure is confirmed.\n3.  Use WP-CLI to confirm the post IDs in the response match the IDs of the private\u002Fdraft posts:\n    *   `wp post list --post_status=any --fields=ID,post_title`\n\n### 9. Alternative Approaches\nIf `template_info` is not directly manipulatable, check if the plugin supports a `query_args` parameter in the same AJAX handler. Some versions of EAEL have used different parameter names for the query configuration. Additionally, check if the vulnerability extends to the `eael_smart_pagination` action, which often shares similar logic for fetching posts.","The Essential Addons for Elementor plugin fails to restrict the 'post_status' parameter in its 'ajax_load_more' AJAX handler. This allow unauthenticated attackers to manipulate query arguments to include and display private, draft, or password-protected posts that are otherwise inaccessible.","\u002F\u002F includes\u002FTraits\u002FAjax_Handlers.php (Inferred)\npublic function ajax_load_more() {\n    \u002F\u002F ...\n    if ( isset( $_POST['template_info'] ) ) {\n        \u002F\u002F The payload is decoded directly from user input\n        $args = json_decode( base64_decode( $_POST['template_info'] ), true );\n\n        \u002F\u002F Vulnerability: The $args array is passed to WP_Query without ensuring \n        \u002F\u002F the 'post_status' is restricted to public content.\n        $query = new WP_Query( $args );\n    }\n    \u002F\u002F ...\n}","--- includes\u002FTraits\u002FAjax_Handlers.php\n+++ includes\u002FTraits\u002FAjax_Handlers.php\n@@ -124,6 +124,7 @@\n         if ( isset( $_POST['template_info'] ) ) {\n             $args = json_decode( base64_decode( $_POST['template_info'] ), true );\n+\n+            $args['post_status'] = 'publish';\n+            $args['perm']        = 'readable';\n \n             $query = new WP_Query( $args );\n         }","The exploit involves manipulating the query arguments sent during an infinite scroll or pagination request. \n\n1. Identify a page utilizing an Essential Addons widget (e.g., Post Grid) that uses the 'Load More' feature.\n2. Extract the security nonce from the 'eael_localize' JavaScript object in the page source.\n3. Capture an AJAX request to 'wp-admin\u002Fadmin-ajax.php' with 'action=eael_load_more'.\n4. Locating the 'template_info' parameter, which contains a Base64-encoded JSON string representing the WP_Query arguments.\n5. Decode the Base64 string and modify the 'post_status' key to an array containing unauthorized statuses: ['publish', 'private', 'draft', 'pending'].\n6. Re-encode the modified JSON to Base64 and resubmit the request.\n7. The server will return the rendered HTML of the unauthorized posts in the AJAX response.","gemini-3-flash-preview","2026-06-26 03:10:36","2026-06-26 03:11:26",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-addons-for-elementor-lite\u002Ftags\u002F6.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-addons-for-elementor-lite.6.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-addons-for-elementor-lite\u002Ftags\u002F6.6.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-addons-for-elementor-lite.6.6.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-addons-for-elementor-lite\u002Ftags"]