[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkjYF42BtFj014XUOQd9hxABKZpf3q_IX52d4QDop0FI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-24582","flextable-data-table-sync-with-google-sheets-missing-authorization","FlexTable – Data Table Sync with Google Sheets \u003C= 3.24.0 - Missing Authorization","The FlexTable – Data Table Sync with Google Sheets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.24.0. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","sheets-to-wp-table-live-sync",null,"\u003C=3.24.0","3.24.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-25 00:00:00","2026-06-08 16:14:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbcc7f142-b330-492f-9855-10b443a98b63?source=api-prod",15,[],"researched",false,3,"This research plan outlines the steps to identify and exploit CVE-2026-24582, a Missing Authorization vulnerability in the **FlexTable – Data Table Sync with Google Sheets** plugin.\n\n### 1. Vulnerability Summary\nThe **FlexTable** plugin for WordPress (up to 3.24.0) contains administrative functions registered via AJAX handlers that fail to perform adequate capability checks (e.g., `current_user_can('manage_options')`). This oversight allows authenticated users with Contributor-level access or above to execute actions intended for Administrators. These actions typically include synchronizing tables, deleting table data, or modifying plugin settings.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **HTTP Method:** POST\n*   **Authentication:** Authenticated (Contributor level or higher).\n*   **Vulnerable Action(s):** (Inferred) The vulnerability likely resides in actions such as `stwp_sync_table`, `stwp_delete_table`, or `stwp_save_settings`.\n*   **Parameter:** The `action` parameter in the POST body, along with a `security` or `nonce` parameter.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers AJAX handlers in a file like `includes\u002Fclass-admin.php` or `admin\u002Fclass-sheets-to-wp-table-live-sync-admin.php` using:\n    `add_action( 'wp_ajax_ACTION_NAME', array( $this, 'METHOD_NAME' ) );`\n2.  **Entry:** `admin-ajax.php` invokes the callback method associated with the action.\n3.  **Missing Check:** The callback method performs a nonce check (`check_ajax_referer`) but lacks a capability check (`current_user_can`).\n4.  **Execution:** The function proceeds to perform sensitive database operations or update WordPress options.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely localizes its security nonce for use in its administrative dashboard. Since Contributors can access parts of the `\u002Fwp-admin\u002F` area, the nonce may be exposed via `wp_localize_script`.\n\n**Step 1: Identify JS Localization**\nSearch the source for `wp_localize_script`. Look for the variable name (e.g., `stwp_ajax_obj` or `flextable_vars`).\n\n**Step 2: Create a Trigger Environment**\nIf the script only loads on specific plugin pages, check if the plugin allows Contributors to see any menu items. If not, the script might be enqueued on all admin pages or via a shortcode.\n*   **Shortcode approach:** `wp post create --post_type=page --post_status=publish --post_content='[sheets-to-wp-table-live-sync id=\"1\"]'` (Replace with the actual shortcode found in source).\n\n**Step 3: Extraction**\n1.  Log in as a Contributor.\n2.  Navigate to the page where the plugin script is active.\n3.  Execute in `browser_eval`:\n    ```javascript\n    \u002F\u002F (Example identifiers - must be verified against source)\n    window.stwp_ajax_obj?.nonce || window.stwp_vars?.security\n    ```\n\n### 5. Exploitation Strategy\nOnce a nonce is obtained, the agent will attempt to perform an unauthorized action.\n\n**Target Action (Example: Deleting a Table):**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=stwp_delete_table&security=[NONCE]&table_id=1\n    ```\n\n**Target Action (Example: Modifying Settings):**\n*   **Body:**\n    ```\n    action=stwp_save_settings&security=[NONCE]&option_name=some_admin_setting&option_value=malicious_value\n    ```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `sheets-to-wp-table-live-sync` version \u003C= 3.24.0 is installed.\n2.  **Create Admin Data:** As an Admin, create a sample table linked to a Google Sheet.\n    *   Note the `ID` of the created table.\n3.  **Create Contributor:** \n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n4.  **Determine Action:** Grep the plugin directory for `wp_ajax_` to find the exact action names.\n    `grep -r \"wp_ajax_\" .`\n\n### 7. Expected Results\n*   **Success:** The server returns a `200 OK` or a JSON success response (e.g., `{\"success\":true}`).\n*   **Effect:** The table data is deleted or the setting is updated, despite the request being sent by a Contributor.\n*   **Failure:** The server returns a `403 Forbidden` or a response indicating \"You do not have permission to perform this action.\"\n\n### 8. Verification Steps\nAfter the HTTP request, use WP-CLI to verify the change:\n1.  **Check if Table is Deleted:**\n    `wp db query \"SELECT * FROM wp_posts WHERE post_type='stwp_table' AND ID=1;\"` (Verify post type in source).\n2.  **Check Settings Update:**\n    `wp option get sheets_to_wp_settings`\n3.  **Confirm Role:** Ensure the `attacker` user still only has the `contributor` role.\n\n### 9. Alternative Approaches\n*   **Different Actions:** If `stwp_delete_table` is protected, test `stwp_sync_table` or `stwp_fetch_sheets`. Even if they don't delete data, unauthorized triggering of syncs can lead to resource exhaustion or data overwrite.\n*   **Shortcode Discovery:** Search for `add_shortcode` to find the correct string for creating the nonce-triggering page.\n*   **Direct Option Manipulation:** Check for actions that call `update_option` directly without validating the key name, which could lead to site takeover.","The FlexTable plugin for WordPress is vulnerable to unauthorized access in versions up to 3.24.0 because it fails to perform capability checks on administrative AJAX handlers. This allows authenticated users with Contributor-level access or higher to perform sensitive actions such as deleting tables, syncing data, or modifying plugin settings.","--- a\u002Fadmin\u002Fclass-sheets-to-wp-table-live-sync-admin.php\n+++ b\u002Fadmin\u002Fclass-sheets-to-wp-table-live-sync-admin.php\n@@ -120,6 +120,10 @@\n \tpublic function stwp_delete_table() {\n \t\tcheck_ajax_referer( 'stwp_security', 'security' );\n \n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_die( -1 );\n+\t\t}\n+\n \t\t$table_id = isset( $_POST['table_id'] ) ? intval( $_POST['table_id'] ) : 0;\n \t\twp_delete_post( $table_id, true );\n \t\techo 'success';","The exploit is performed by an authenticated user with Contributor-level permissions who first extracts a security nonce (typically 'stwp_security') that the plugin localizes in the WordPress admin dashboard for its scripts. The attacker then sends a POST request to the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint with the 'action' parameter set to a vulnerable administrative function (such as 'stwp_delete_table', 'stwp_sync_table', or 'stwp_save_settings'), including the valid 'security' nonce and necessary parameters like 'table_id'. Because the plugin's callback functions verify the nonce but lack a capability check (e.g., 'current_user_can'), the server executes the privileged action despite the attacker's low-level authorization.","gemini-3-flash-preview","2026-06-04 21:21:07","2026-06-04 21:21:27",{"type":33,"vulnerable_version":34,"fixed_version":9,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":9,"fixed_zip":9,"all_tags":37},"plugin","3.19.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsheets-to-wp-table-live-sync\u002Ftags\u002F3.19.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsheets-to-wp-table-live-sync.3.19.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsheets-to-wp-table-live-sync\u002Ftags"]