[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ff95_-b454pNkKlq2D3TLEdey_r6D5oqM3pWMJn_RED8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8418","games-catalog-cross-site-request-forgery-to-arbitrary-gamepost-deletion","Games Catalog \u003C= 1.2.0 - Cross-Site Request Forgery to Arbitrary Game\u002FPost Deletion","The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() function which handles the delete action (action=delete) via a GET request without any wp_verify_nonce() \u002F check_admin_referer() call. This makes it possible for unauthenticated attackers to delete arbitrary game catalog entries (including the associated WordPress post created for the game) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.","game-catalog",null,"\u003C=1.2.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-19 12:06:27","2026-05-20 01:25:44",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0888cda8-63ca-44f6-a3eb-765c14a7e6c7?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8418 (Games Catalog CSRF)\n\n## 1. Vulnerability Summary\nThe **Games Catalog** plugin (versions \u003C= 1.2.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in its core CRUD handling function. The function `gc_crud()` (inferred to be located in the main plugin file or a dedicated admin handler) processes game management actions, including entry deletion, via GET requests. Because the function fails to implement WordPress nonce verification (`check_admin_referer()` or `wp_verify_nonce()`), an attacker can craft a malicious link that, when clicked by a logged-in administrator, deletes arbitrary game entries and their associated WordPress posts.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin.php` (standard admin page handler).\n*   **Hook:** Likely `admin_init` or `admin_menu` (the function `gc_crud()` is either hooked to initialize or called within an admin page callback).\n*   **Vulnerable Action:** `action=delete` (passed via GET).\n*   **Payload Parameter:** `id` (inferred, representing the internal game entry ID or the Post ID).\n*   **Authentication:** Requires a logged-in Administrator to trigger the request (CSRF).\n*   **Preconditions:** The attacker must know or guess the ID of the game entry to be deleted.\n\n## 3. Code Flow\n1.  **Entry Point:** An administrator visits a URL like `wp-admin\u002Fadmin.php?page=game-catalog&action=delete&id=123`.\n2.  **Hook Execution:** WordPress triggers the `admin_init` hook (or the specific menu page callback).\n3.  **Vulnerable Function:** `gc_crud()` is executed.\n4.  **Action Logic:**\n    *   The function checks `if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' )`.\n    *   It retrieves the target ID from `$_GET['id']` (inferred).\n    *   **The Flaw:** The function proceeds to perform the deletion without calling `check_admin_referer()` to verify a nonce.\n5.  **Sink:** The function calls `wp_delete_post( $post_id, true )` (or similar) to remove the game entry and the associated WordPress post from the database.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this is a case of **missing nonce validation**.\n*   **Nonce Status:** No nonce is required for this specific action.\n*   **Bypass:** Because `wp_verify_nonce()` is not called within `gc_crud()` for the `delete` action, the request is processed regardless of the presence or validity of a `_wpnonce` parameter.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a GET request from an authenticated administrator can delete a post without a nonce.\n\n1.  **Discovery:** Locate the admin page slug for the Games Catalog (usually `game-catalog`).\n2.  **Target Identification:** Identify a Post ID associated with a game entry.\n3.  **Request Construction:** Build the malicious GET request.\n4.  **Execution:** Use the `http_request` tool with the administrator's session cookies to simulate a CSRF attack.\n\n**Target URL Template:**\n`http:\u002F\u002F[target-site]\u002Fwp-admin\u002Fadmin.php?page=game-catalog&action=delete&id=[POST_ID]` (inferred)\n\n**HTTP Request Details:**\n*   **Method:** GET\n*   **Headers:** Standard browser headers; must include valid `Cookie` header for the Administrator.\n*   **Expected Response:** A 302 redirect back to the game list or a 200 OK with a success message, confirming the logic was processed.\n\n## 6. Test Data Setup\nTo reliably test the PoC, the following state must be prepared:\n1.  **Plugin Installation:** Ensure `game-catalog` v1.2.0 is active.\n2.  **Content Creation:** Create a dummy \"Game\" entry via the plugin UI or WP-CLI.\n    *   `wp post create --post_type=game --post_title=\"Exploit Test Game\" --post_status=publish`\n    *   *Note: Ensure the post type matches what the plugin uses (likely `game` or `gc_game`).*\n3.  **Identify ID:** Capture the ID of the newly created post:\n    *   `TARGET_ID=$(wp post list --post_type=game --title=\"Exploit Test Game\" --field=ID)`\n\n## 7. Expected Results\n*   **Successful Deletion:** The HTTP request returns a response indicating success or a redirect.\n*   **Database Change:** The post with `TARGET_ID` should no longer exist in the `wp_posts` table.\n*   **No Security Intervention:** No \"Are you sure you want to do this?\" (nonce failure) page is displayed.\n\n## 8. Verification Steps\nAfter executing the HTTP request, verify the deletion via WP-CLI:\n```bash\n# Check if the post still exists\nwp post exists [TARGET_ID]\nif [ $? -eq 1 ]; then\n    echo \"Success: Post deleted via CSRF.\"\nelse\n    echo \"Failure: Post still exists.\"\nfi\n```\n\n## 9. Alternative Approaches\nIf the `id` parameter or the page slug differs:\n1.  **Slug Guessing:** Check `wp-admin\u002Fadmin.php` for the `page` parameter value by running `grep -r \"add_menu_page\" wp-content\u002Fplugins\u002Fgame-catalog\u002F`.\n2.  **Action Investigation:** If `action=delete` fails, check the source of `gc_crud()` for variations like `gc_delete`, `delete_game`, or if it uses POST instead of GET (though the description explicitly states GET).\n3.  **ID Parameter:** If `id` doesn't work, check for `post`, `entry_id`, or `game_id`.","The Games Catalog plugin for WordPress (versions \u003C= 1.2.0) is vulnerable to Cross-Site Request Forgery (CSRF) because the gc_crud() function fails to perform nonce validation when handling the 'delete' action. This allows an attacker to trick an authenticated administrator into clicking a link that triggers the deletion of arbitrary game entries and their associated WordPress posts.","\u002F\u002F In the main plugin file or admin handler where gc_crud is defined\nfunction gc_crud() {\n    if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ) {\n        \u002F\u002F Vulnerability: No check_admin_referer() or wp_verify_nonce() call here\n        $post_id = intval( $_GET['id'] );\n        wp_delete_post( $post_id, true );\n        \u002F\u002F ...\n    }\n}","--- a\u002Fgame-catalog.php\n+++ b\u002Fgame-catalog.php\n@@ -100,6 +100,7 @@\n function gc_crud() {\n-    if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ) {\n+    if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ) {\n+        check_admin_referer( 'gc_delete_post_' . $_GET['id'] );\n         $post_id = intval( $_GET['id'] );\n         wp_delete_post( $post_id, true );","1. Identify the target game entry ID to be deleted.\n2. Construct a malicious URL targeting the WordPress admin dashboard: `wp-admin\u002Fadmin.php?page=game-catalog&action=delete&id=[TARGET_ID]`.\n3. Entice a logged-in site administrator to visit the URL (e.g., via a phishing link or an embedded image in a comment).\n4. When the administrator visits the link, the plugin's `gc_crud()` function executes. Since there is no nonce verification, the plugin proceeds to call `wp_delete_post()` for the specified ID, resulting in the permanent deletion of the game post.","gemini-3-flash-preview","2026-05-20 16:56:59","2026-05-20 16:57:34",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgame-catalog\u002Ftags"]