[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fP-S-yGn09Zhgyxs5ZMEGzxvlXRZAnWzhLv3jtQ8xVgk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8681","essential-chat-support-missing-authorization-to-unauthenticated-settings-reset-via-ecsresetsettings-parameter","Essential Chat Support \u003C= 1.0.1 - Missing Authorization to Unauthenticated Settings Reset via 'ecs_reset_settings' Parameter","The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. 
This makes it possible for unauthenticated attackers to reset all plugin configuration settings — including general settings, display rules, custom CSS, and WooCommerce tab settings — to their defaults by sending a POST request with ecs_reset_settings=1.","essential-chat-support",null,"\u003C=1.0.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-15 13:35:51","2026-05-16 02:26:50",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6b98ea22-4c82-45c6-8e29-75cc9a9185be?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8681 - Essential Chat Support Settings Reset\n\n## 1. Vulnerability Summary\nThe **Essential Chat Support** plugin (up to version 1.0.1) contains a critical authorization bypass vulnerability. The plugin logic monitors for a specific POST parameter, `ecs_reset_settings`, and triggers a full configuration reset to factory defaults. This logic is executed without verifying the user's administrative capabilities or checking for a valid anti-CSRF nonce, allowing any unauthenticated visitor to wipe the plugin's configuration.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Likely any administrative or initialization hook (e.g., `admin_init`, `init`, or `wp_loaded`). Because `admin_init` also runs during requests to `admin-ajax.php` and `admin-post.php`, these are common targets.\n*   **HTTP Parameter:** `ecs_reset_settings` set to `1`.\n*   **HTTP Method:** `POST` (as specified in the vulnerability description).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow (Inferred)\nBased on standard WordPress plugin patterns and the vulnerability description, the execution path likely follows:\n1.  
**Entry Point:** The plugin registers a hook in the main file (e.g., `essential-chat-support.php`) or an admin-related class (e.g., `includes\u002Fadmin\u002Fclass-ecs-admin.php`).\n    *   *Hook:* `add_action( 'admin_init', 'ecs_handle_reset_logic' );`\n2.  **Trigger Check:** The callback function checks for the presence of the reset parameter in the global `$_POST` or `$_REQUEST` array.\n    *   *Logic:* `if ( isset( $_POST['ecs_reset_settings'] ) && $_POST['ecs_reset_settings'] == '1' )`\n3.  **Missing Protection:** The code fails to perform `current_user_can( 'manage_options' )` or `check_admin_referer()`.\n4.  **Sink:** The code calls `update_option()` or `delete_option()` for several keys.\n    *   *Affected Keys (Inferred):* `ecs_settings`, `ecs_display_rules`, `ecs_custom_css`, `ecs_woo_tab_settings`.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability description explicitly states this is a \"Missing Authorization\" issue. This typically implies that **no nonce check is performed**. \n\nIf a nonce were required but leaked, the strategy would involve:\n1.  Identifying a shortcode (e.g., `[essential-chat-support]`) that enqueues the plugin's frontend scripts.\n2.  Creating a page with that shortcode via WP-CLI.\n3.  Using `browser_eval` to extract the nonce from a localized JS object (e.g., `window.ecs_vars.nonce`).\n\n**However, for this specific CVE, the exploit is expected to work without any nonce.**\n\n## 5. Exploitation Strategy\nThe goal is to send a POST request to a URL that triggers the `admin_init` hook, carrying the `ecs_reset_settings` parameter.\n\n*   **Target URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php` (Reliable trigger for `admin_init`).\n*   **Payload:** `ecs_reset_settings=1`\n*   **Tool:** `http_request`\n\n**Step-by-step Plan:**\n1.  **Populate Data:** Use WP-CLI to set custom values for the plugin's options so the reset can be observed.\n2.  **Execute Reset:** Send the unauthenticated POST request.\n3.  
**Verify:** Use WP-CLI to check if the options have been reverted to defaults or deleted.\n\n## 6. Test Data Setup\nBefore running the exploit, initialize the plugin with \"attacker-identifiable\" data:\n\n```bash\n# Set custom values for the plugin settings\nwp option update ecs_settings '{\"chat_button_text\":\"Hacked\", \"status\":\"enabled\"}' --format=json\nwp option update ecs_custom_css '.hacked { color: red; }'\nwp option update ecs_display_rules '{\"show_on_mobile\":\"no\"}' --format=json\n\n# Verify the data is set\nwp option get ecs_settings\n```\n\n## 7. Expected Results\n*   **HTTP Response:** The server will likely return a `302 Redirect` (standard for `admin-post.php`) or a `200 OK`.\n*   **Data Impact:** The WordPress database options `ecs_settings`, `ecs_custom_css`, and `ecs_display_rules` will either be deleted or reset to their default factory values (e.g., empty strings or default JSON).\n\n## 8. Verification Steps\nAfter the `http_request` is sent, run the following commands to confirm the settings were wiped:\n\n```bash\n# Check if the settings were reset (should return default or empty)\nwp option get ecs_settings\nwp option get ecs_custom_css\nwp option get ecs_display_rules\n\n# If the reset was successful, 'ecs_settings' should no longer contain \"Hacked\"\n```\n\n## 9. Alternative Approaches\nIf sending the POST to `admin-post.php` does not work (e.g., if the hook is restricted to specific pages), try:\n1.  **Alternative Endpoint:** `POST` to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`.\n2.  **Generic Endpoint:** `POST` to the homepage `http:\u002F\u002Flocalhost:8080\u002F` (in case the reset logic is incorrectly hooked to `init` instead of `admin_init`).\n3.  
**Parameter Variation:** If `POST` fails, try a `GET` request: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php?ecs_reset_settings=1`.","The Essential Chat Support plugin for WordPress is vulnerable to an unauthenticated settings reset in versions up to 1.0.1. This is due to the plugin failing to perform authorization checks or nonce verification when processing the 'ecs_reset_settings' parameter, allowing any visitor to restore factory defaults for all plugin settings.","\u002F\u002F Inferred logic based on plugin initialization and description\nadd_action( 'admin_init', 'ecs_handle_reset_logic' );\n\nfunction ecs_handle_reset_logic() {\n    if ( isset( $_POST['ecs_reset_settings'] ) && $_POST['ecs_reset_settings'] == '1' ) {\n        delete_option( 'ecs_settings' );\n        delete_option( 'ecs_display_rules' );\n        delete_option( 'ecs_custom_css' );\n        delete_option( 'ecs_woo_tab_settings' );\n    }\n}","--- essential-chat-support.php\n+++ essential-chat-support.php\n@@ -1,5 +1,9 @@\n function ecs_handle_reset_logic() {\n-    if ( isset( $_POST['ecs_reset_settings'] ) && $_POST['ecs_reset_settings'] == '1' ) {\n+    if ( isset( $_POST['ecs_reset_settings'] ) && $_POST['ecs_reset_settings'] == '1' ) {\n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            wp_die( __( 'You do not have sufficient permissions to perform this action.' ) );\n+        }\n+        check_admin_referer( 'ecs_reset_settings_action', 'ecs_reset_settings_nonce' );\n         delete_option( 'ecs_settings' );\n         delete_option( 'ecs_display_rules' );","The vulnerability is exploited by sending an unauthenticated POST request to a WordPress endpoint that triggers administrative initialization hooks (typically \u002Fwp-admin\u002Fadmin-post.php). The request payload must contain the parameter 'ecs_reset_settings' set to '1'. 
Since the plugin logic lacks 'current_user_can()' checks or 'check_admin_referer()' calls, the WordPress core processes the request, hits the 'admin_init' hook, and executes the reset logic, wiping the 'ecs_settings', 'ecs_display_rules', 'ecs_custom_css', and 'ecs_woo_tab_settings' options from the database.","gemini-3-flash-preview","2026-05-20 17:28:50","2026-05-20 17:29:21",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-chat-support\u002Ftags"]
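Review bot: in the `research_fix_diff` hunk for `ecs_handle_reset_logic()`, the added `check_admin_referer( 'ecs_reset_settings_action', 'ecs_reset_settings_nonce' )` call depends on the reset form emitting a matching nonce field, and no such change is visible in this hunk. The patch should also add `wp_nonce_field( 'ecs_reset_settings_action', 'ecs_reset_settings_nonce' )` to the form that submits `ecs_reset_settings`, otherwise every legitimate administrator reset will be rejected. The first `-`/`+` pair on the `if ( isset( $_POST['ecs_reset_settings'] ) ...` line is identical and should be left as context, and the `@@ -1,5 +1,9 @@` counts should be rechecked against the lines shown. The record lists no patched version and marks the vulnerable code as inferred, so this diff should be compared with the vendor's released fix before it is relied on.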