[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdAlY8B_lv4Ql2EI8iiE_knwVII6Ws0Jw3pZo8siXFDE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32397","filter-grids-missing-authorization","Filter & Grids \u003C= 3.5.1 - Missing Authorization","The Filter & Grids plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.5.1. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","ymc-smart-filter",null,"\u003C=3.5.1","3.5.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-20 00:00:00","2026-04-15 20:57:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F99ca1d6b-820d-412e-82c8-ac9647765086?source=api-prod",55,[22,23,24,25,26,27,28,29],"includes\u002Fcore\u002Fadmin\u002Fadmin-header\u002Ftmpl-admin-header.php","includes\u002Fcore\u002Ffrontend\u002Flayouts\u002Fpopup\u002Fpopup-layout.php","includes\u002Fcore\u002Ffrontend\u002Flayouts\u002Fsort\u002Fsort-posts.php","includes\u002Fcore\u002Futil\u002Fhelper.php","includes\u002Fcore\u002Futil\u002Ftaxonomy.php","readme.txt","uninstall.php","ymc-smart-filters.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32397\n\n## 1. Vulnerability Summary\nThe **Filter & Grids** plugin (version \u003C= 3.5.1) contains a **Missing Authorization** vulnerability. The plugin supports two operational modes: **Legacy Mode** (v2.x) and **New Mode** (v3.x). An administrative \"Upgrade to v3.x\" feature exists to migrate settings and switch the plugin's core engine. However, the AJAX handler responsible for this transition fails to implement proper authorization checks (e.g., `current_user_can( 'manage_options' )`). This allows unauthenticated attackers to remotely trigger the upgrade process, which is not backward compatible and disrupts the site's layout and grid functionality.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Action**: `ymc_update_plugin` (inferred from `js-confirm-update-plugin` class in `includes\u002Fcore\u002Fadmin\u002Fadmin-header\u002Ftmpl-admin-header.php`)\n- **Authentication**: None (Unauthenticated via `wp_ajax_nopriv_ymc_update_plugin`)\n- **Preconditions**: The plugin must be in \"Legacy Mode\" (`ymc_plugin_legacy_is` option set to `yes`).\n\n## 3. Code Flow\n1. **Frontend Trigger**: The administrator UI in `includes\u002Fcore\u002Fadmin\u002Fadmin-header\u002Ftmpl-admin-header.php` renders a modal (`#ymc-update-modal`) with a confirmation button (`.js-confirm-update-plugin`).\n2. **AJAX Registration**: The plugin likely registers the AJAX handler in its main class or an admin utility:\n   ```php\n   add_action('wp_ajax_ymc_update_plugin', 'ymc_update_plugin_callback');\n   add_action('wp_ajax_nopriv_ymc_update_plugin', 'ymc_update_plugin_callback');\n   ```\n3. **Vulnerable Handler**: The callback function (likely in `includes\u002FPlugin.php` or `ymc2\u002FYMC_Filter_Grids.php`) executes the migration:\n   ```php\n   function ymc_update_plugin_callback() {\n       \u002F\u002F MISSING: current_user_can('manage_options') check\n       \u002F\u002F MISSING: check_ajax_referer('ymc_nonce', 'nonce') check\n       update_option('ymc_plugin_legacy_is', 'no'); \n       \u002F\u002F ... other migration logic ...\n       wp_send_json_success();\n   }\n   ```\n4. **Impact**: `ymc-smart-filters.php` checks `is_legacy()` and switches the entire plugin logic to the v3.x engine, which is incompatible with legacy grid data.\n\n## 4. Nonce Acquisition Strategy\nBased on the \"Missing Authorization\" severity and unauthenticated vector, the endpoint likely lacks a nonce check entirely. If a nonce is required, it is often leaked via a localized script.\n\n1. **Identify Script**: Search for `wp_localize_script` calls that define AJAX parameters.\n2. 
**Potential Variable**: `ymc_smart_filter_params` or `ymc_admin_ajax`.\n3. **Extraction**:\n   - Navigate to the homepage or a page containing a grid.\n   - Execute: `browser_eval(\"window.ymc_smart_filter_params?.nonce\")` or `browser_eval(\"window.ymc_ajax?.nonce\")`.\n4. **Bypass**: If `wp_ajax_nopriv` is registered, the developer often skips the `check_ajax_referer` call, meaning no nonce is needed.\n\n## 5. Exploitation Strategy\nThe goal is to trigger the plugin upgrade unauthenticated.\n\n### Step 1: Trigger the Upgrade\nSend a POST request to the AJAX endpoint.\n\n**HTTP Request:**\n- **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=ymc_update_plugin\n  ```\n\n### Step 2: Alternative Action (If above fails)\nIf the action name differs, try:\n- `action=ymc_migrate_to_v3`\n- `action=ymc_switch_to_v3`\n\n## 6. Test Data Setup\n1. **Install Plugin**: Install version 3.4.1 or 3.5.1 of `ymc-smart-filter`.\n2. **Enable Legacy Mode**:\n   ```bash\n   wp option update ymc_plugin_legacy_is \"yes\" --allow-root\n   ```\n3. **Create Legacy Content**: Create at least one grid using the legacy shortcode to establish a baseline state.\n\n## 7. Expected Results\n- **Response**: The server should return a JSON success message: `{\"success\": true}` or `{\"success\": true, \"data\": \"...\"}`.\n- **State Change**: The plugin option `ymc_plugin_legacy_is` will change from `yes` to `no`.\n- **Side Effect**: Legacy grids on the site will stop functioning or display errors because the v3.x logic is now active.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the state change using WP-CLI:\n```bash\nwp option get ymc_plugin_legacy_is --allow-root\n# Expected Output: no\n```\n\n## 9. 
Alternative Approaches\nIf the upgrade action is protected, check the **Taxonomy Settings Apply** functionality seen in `includes\u002Fcore\u002Futil\u002Ftaxonomy.php`:\n- **Trigger**: `.btn-tax-apply`\n- **Action**: `ymc_save_tax_options` or `ymc_tax_settings_apply`\n- **Payload**: `action=ymc_save_tax_options&ymc-tax-bg=#ff0000&ymc-tax-custom-name=PWNED`\n- **Goal**: Unauthorized modification of taxonomy display settings.\n\nAnother target is the **Debug Code** settings mentioned in `uninstall.php` (`ymc_debug_code`). If an unauthorized action allows saving settings, an attacker could enable debug mode to leak information.","The Filter & Grids plugin for WordPress is vulnerable to unauthorized access because it fails to perform capability and nonce checks on the AJAX action responsible for upgrading the plugin to version 3.x. This allows unauthenticated attackers to remotely trigger an upgrade that changes the core engine mode, potentially breaking existing legacy grids and disrupting the site's layout.","\u002F* includes\u002Fcore\u002Fadmin\u002Fadmin-header\u002Ftmpl-admin-header.php line 32 *\u002F\n\u003Cbutton class=\"button button-primary js-confirm-update-plugin\">\u003C?php esc_html_e('Yes, update now', 'ymc-smart-filter'); ?>\u003C\u002Fbutton>\n\n---\n\n\u002F* ymc-smart-filters.php lines 83-102 *\u002F\n\tif ( 'no' === YMC_Filter_Grids::is_legacy() ) {\n\t\tYMC_Filter_Grids::instance();\n\n\t\t\u002F**\n\t\t * Returns the main instance of FG.\n\t\t *\n\t\t * @since  3.0.0\n\t\t * @return YMC_Filter_Grids\n\t\t *\u002F\n\t\tfunction YMC() {\n\t\t\treturn YMC_Filter_Grids::instance();\n\t\t}\n\n\t} else {\n\t\t\u002F**\n\t\t * Include legacy plugin\n\t\t *\u002F\n\t\tif ( file_exists( YMC_SMART_FILTER_DIR . 'includes\u002FPlugin.php' ) ) {\n\t\t\trequire_once YMC_SMART_FILTER_DIR . 'includes\u002FPlugin.php';\n\t\t} else {\n\t\t\twp_die( 'Filter & Grids: Legacy version file not found.' 
);\n\t\t}\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fymc-smart-filter\u002F3.4.1\u002Fincludes\u002Fcore\u002Fadmin\u002Fadmin-header\u002Ftmpl-admin-header.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fymc-smart-filter\u002F3.5.2\u002Fincludes\u002Fcore\u002Fadmin\u002Fadmin-header\u002Ftmpl-admin-header.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fymc-smart-filter\u002F3.4.1\u002Fincludes\u002Fcore\u002Fadmin\u002Fadmin-header\u002Ftmpl-admin-header.php\t2026-01-25 17:16:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fymc-smart-filter\u002F3.5.2\u002Fincludes\u002Fcore\u002Fadmin\u002Fadmin-header\u002Ftmpl-admin-header.php\t2026-02-18 21:38:00.000000000 +0000\n@@ -1,3 +1,6 @@\n+\u003C?php defined( 'ABSPATH' ) || exit; ?>\n+\n+\n \u003Cdiv class='ymc-admin-toolbar'>\n     \u003Cdiv class=\"admin-toolbar-inner\">\n         \u003Cdiv class='logo'>\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fymc-smart-filter\u002F3.4.1\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fymc-smart-filter\u002F3.5.2\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fymc-smart-filter\u002F3.4.1\u002Freadme.txt\t2026-01-25 17:16:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fymc-smart-filter\u002F3.5.2\u002Freadme.txt\t2026-02-18 21:38:00.000000000 +0000\n@@ -1,8 +1,8 @@\n ===  Filter & Grids ===\n Plugin Name: Filter & Grids\n Contributors: YMC, Roman\n-Version: 3.4.1\n-Donate link: https:\u002F\u002Fgithub.com\u002FYMC-22\u002FFilter-Grids\n+Version: 3.5.2\n+Donate link: 
https:\u002F\u002Fwww.paypal.com\u002Fwebapps\u002Fshoppingcart?flowlogging_id=f650927e62f93&mfid=1771341447878_f650927e62f93#\u002Fcheckout\u002FopenButton\n Tags: filter, grid, ajax, search, sort, masonry, wordpress\n Requires at least: 5.5\n Tested up to: 6.9\n@@ -76,6 +76,10 @@\n \n == Changelog ==\n \n+= 3.5.2 =\n+Fixed query security bugs.\n+= 3.5.0 =\n+Added Usage tab for filters, allowing administrators to see a list of pages and posts where each filter is used.\n = 3.4.1 =\n Improved recursive sanitization function to safely handle both arrays and strings.\n = 3.4.0 =","An unauthenticated attacker can perform a POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to 'ymc_update_plugin'. Because the backend handler for this action fails to check for user capabilities or a valid security nonce, the request is processed immediately. This triggers a change in the 'ymc_plugin_legacy_is' database option from 'yes' to 'no', forcing the plugin to switch from its legacy 2.x engine to the incompatible 3.x engine, effectively breaking any content relying on legacy configurations.","gemini-3-flash-preview","2026-04-19 02:04:39","2026-04-19 02:05:16",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.4.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fymc-smart-filter\u002Ftags\u002F3.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fymc-smart-filter.3.4.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fymc-smart-filter\u002Ftags\u002F3.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fymc-smart-filter.3.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fymc-smart-filter\u002Ftags"]
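Review bot: in the tmpl-admin-header.php hunk (@@ -1,3 +1,6 @@), the only change is the `defined( 'ABSPATH' ) || exit;` guard at the top of the template, which stops the file being loaded directly but adds no capability or nonce check for the action behind the `.js-confirm-update-plugin` button. The handler-side change is not among the lines shown, so the authorization fix cannot be confirmed from this hunk. The review should cover the file that registers and implements the upgrade action and confirm it calls `current_user_can()` and `check_ajax_referer()` before it updates `ymc_plugin_legacy_is`.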
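Review bot: in the readme.txt header hunk (@@ -1,8 +1,8 @@), the new Donate link is a PayPal shopping-cart URL that carries `flowlogging_id` and `mfid` query parameters, which read like values from a single checkout session rather than a stable donation address. Suggest replacing it with a permanent donate URL without those parameters, and moving the link change out of the security release so the fix is easier to audit on its own.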
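Review bot: in the readme.txt changelog hunk (@@ -76,6 +76,10 @@), the 3.5.2 entry "Fixed query security bugs." does not say what was fixed, and it describes query bugs while the advisory for this release is a missing authorization check. Suggest naming the affected AJAX action and the capability and nonce checks that were added, so site owners can tell that 3.5.2 addresses the unauthenticated upgrade trigger.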