[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f81TL_CgRt5TXgz3lf27Wi2ygKvKK0krWVz75kba4moQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-6396","fast-fancy-filter-3f-cross-site-request-forgery-to-settings-modification-via-fffsavesettins-ajax-action","Fast & Fancy Filter – 3F \u003C= 1.2.2 - Cross-Site Request Forgery to Settings Modification via fff_save_settins AJAX Action","The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. 
This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","fast-fancy-filter-3f",null,"\u003C=1.2.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-21 19:03:01","2026-04-22 07:45:34",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4b5fbf2c-1231-482f-b5a5-819f31da3524?source=api-prod",[],"researched",false,3,"This research plan targets **CVE-2026-6396**, a Cross-Site Request Forgery (CSRF) vulnerability in the **Fast & Fancy Filter – 3F** plugin (versions \u003C= 1.2.2). The vulnerability allows an attacker to modify plugin settings or potentially update arbitrary WordPress options due to missing nonce verification in the AJAX handler for `fff_save_settins`.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Cross-Site Request Forgery (CSRF)\n*   **Vulnerable Action:** `fff_save_settins` (Note the spelling: \"settins\")\n*   **Vulnerable Function:** `saveFields()`\n*   **Nature of Flaw:** The `saveFields` function handles AJAX requests to update plugin configurations but fails to implement `check_ajax_referer()` or `wp_verify_nonce()`.\n*   **Impact:** An unauthenticated attacker can trick a logged-in administrator into visiting a malicious site that triggers a background request to the vulnerable WordPress site, leading to unauthorized configuration changes or creation of filter posts.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `fff_save_settins`\n*   **HTTP Method:** `POST`\n*   **Authentication:** Requires an active administrator session (leveraged via CSRF).\n*   **Preconditions:** The attacker must trick an administrator into clicking a link or visiting a page they control.\n*   **Vulnerable Parameter:** Likely a serialized array or multiple POST fields representing settings\u002Ffields to be updated.\n\n### 3. Code Flow (Inferred from Description)\n1.  **Registration:** The plugin registers the AJAX action using:\n    `add_action('wp_ajax_fff_save_settins', 'saveFields');`\n2.  **Trigger:** An administrator's browser sends a POST request to `admin-ajax.php` with `action=fff_save_settins`.\n3.  **Execution:** The `saveFields()` function is invoked.\n4.  **Processing:**\n    *   The function likely extracts data from `$_POST`.\n    *   It may use `update_option()` to save settings or `wp_insert_post()` to create\u002Fupdate filter objects.\n    *   **Crucially:** It skips any call to `check_ajax_referer()` or `wp_verify_nonce()`, allowing the request to proceed as long as the user is authenticated (which `wp_ajax_` handles automatically).\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability report, **no nonce verification is present**. Therefore, no nonce is required to exploit this vulnerability. The attack succeeds purely based on the administrator's session cookies.\n\n### 5. 
Exploitation Strategy\nTo demonstrate the CSRF, the agent will simulate an administrator performing a request that was forged by a third party.\n\n**Step 1: Locate the AJAX Handler and Parameters**\nBefore the exploit, identify the exact parameters expected by `saveFields`.\n*   Search for the string `fff_save_settins` in the plugin directory.\n*   Analyze the `saveFields` function to see which `$_POST` keys are used (e.g., `fff_data`, `fields`, `id`, etc.).\n\n**Step 2: Construct the CSRF Payload**\nAssuming the plugin saves settings via a parameter named `settings_data` (inferred):\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=fff_save_settins&[IDENTIFIED_PARAMETER]=[MALICIOUS_VALUE]`\n\n**Step 3: Execution via Agent**\nThe agent will use `http_request` with the administrator's cookies to simulate the victim admin being CSRF'd.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `fast-fancy-filter-3f` version \u003C= 1.2.2 is active.\n2.  **Create Admin User:** Ensure a user with `administrator` role exists (default `admin`).\n3.  **Identify Target Option:** Determine which option the plugin updates (e.g., `fff_settings` or `fff_filter_config`). Note its current value using WP-CLI.\n\n### 7. Expected Results\n*   The `admin-ajax.php` request should return a `200 OK` status and potentially a success message (e.g., `{\"success\":true}` or `1`).\n*   The database state for the plugin's settings should change to reflect the attacker's payload.\n\n### 8. Verification Steps\nAfter performing the HTTP request, use WP-CLI to verify the change:\n```bash\n# Check if a specific plugin option was changed\nwp option get [OPTION_NAME_FOUND_IN_STEP_1]\n\n# If the vulnerability allows arbitrary option updates (as suggested):\nwp option get blogname # Check if it was changed to 'Hacked'\n```\n\n### 9. 
Alternative Approaches\nIf the plugin uses `wp_insert_post` instead of `update_option`:\n*   **Payload:** `action=fff_save_settins&post_title=Malicious+Filter&post_status=publish&post_type=fff_filter` (inferred type).\n*   **Verification:** `wp post list --post_type=fff_filter` to see if a new post was created.\n\nIf the AJAX action is `wp_ajax_nopriv_fff_save_settins` (unlikely for settings, but possible), the attack would not even require CSRF and could be performed directly.\n\n---\n\n### Step-by-Step Execution Plan for Agent:\n\n1.  **Scan Source:** \n    `grep -rn \"fff_save_settins\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffast-fancy-filter-3f\u002F`\n2.  **Identify Handler:** Locate the `saveFields` function in the file identified in step 1.\n3.  **Extract Parameters:** Read the code of `saveFields` to find exactly how it saves data. Look for `update_option` or `wp_insert_post`.\n4.  **Baseline Check:** \n    `wp option get [OPTION_NAME]`\n5.  **Simulate CSRF:**\n    Use `http_request` to POST to `admin-ajax.php` with the administrator's cookies and the `fff_save_settins` action.\n6.  **Final Verification:** \n    `wp option get [OPTION_NAME]` and confirm the value matches the payload.","The Fast & Fancy Filter – 3F plugin for WordPress (versions \u003C= 1.2.2) is vulnerable to Cross-Site Request Forgery (CSRF) because the saveFields function, which handles the fff_save_settins AJAX action, lacks nonce verification. This allows unauthenticated attackers to modify plugin settings, create filter posts, or potentially update arbitrary WordPress options by tricking an authenticated administrator into visiting a malicious link.","--- a\u002Ffast-fancy-filter-3f.php\n+++ b\u002Ffast-fancy-filter-3f.php\n@@ -...@@\n function saveFields() {\n+\tcheck_ajax_referer('fff_save_settings_nonce', 'nonce');\n+\tif ( ! 
current_user_can( 'manage_options' ) ) {\n+\t\twp_die();\n+\t}","The exploit targets the \u002Fwp-admin\u002Fadmin-ajax.php endpoint with a POST request where the action is set to fff_save_settins. Since the saveFields function does not implement check_ajax_referer() or wp_verify_nonce(), an attacker can host a malicious webpage that auto-submits a hidden form or background fetch request to this endpoint. When an authenticated administrator visits the page, the browser sends the request along with their session cookies, allowing the attacker to provide malicious values for plugin parameters (such as fff_data) that the function subsequently processes to update database options or create filter posts.","gemini-3-flash-preview","2026-04-27 14:06:09","2026-04-27 14:06:27",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffast-fancy-filter-3f\u002Ftags"]
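Review bot: the hunk hard-codes the nonce action 'fff_save_settings_nonce' and the POST field name 'nonce', but the diff shows no matching client-side change, so as written every legitimate save from the plugin's own settings UI would fail closed because check_ajax_referer() dies when the field is absent; the fix needs the companion change that generates the value with wp_create_nonce('fff_save_settings_nonce') and passes it to the admin script (for example via wp_localize_script()) so the request carries it. The `@@ -...@@` header is a placeholder and the record has no patched_in_version and no patch_trac_url, so this diff is an inferred fix rather than a verified upstream commit and should be labelled as such before anyone uses it as a reference for the patched code.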