[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1Ak0YO1c4QtyglWU1jIyJKNQtIjKScJv-e4easjp22Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-32420","gamipress-cross-site-request-forgery-3","GamiPress \u003C= 7.6.6 - Cross-Site Request Forgery","The GamiPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.6.6. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","gamipress",null,"\u003C=7.6.6","7.6.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-02-26 00:00:00","2026-04-15 21:01:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2d7be70b-ac33-4fc2-a627-52f238c2011e?source=api-prod",49,[22,23,24,25,26,27],"gamipress.php","includes\u002Fadmin\u002Ftools\u002Fimport-export-setup.php","includes\u002Ffunctions\u002Fattachments.php","integrations\u002Fqsm\u002Fincludes\u002Frules-engine.php","integrations\u002Fsuremembers\u002Fincludes\u002Ftriggers.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-32420 (GamiPress CSRF)\n\n## 1. Vulnerability Summary\nThe **GamiPress** plugin (\u003C= 7.6.6) for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability. Multiple AJAX handlers within the administrative tools lack nonce validation (`check_ajax_referer` or `wp_verify_nonce`). This allows an unauthenticated attacker to perform unauthorized actions by tricking a logged-in administrator into visiting a malicious webpage. While the vulnerability exists across several functions, the \"Import\u002FExport Setup\" tool is a primary example where privileged actions can be triggered without a security token.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `gamipress_export_setup` (and likely `gamipress_import_setup`, inferred from UI fields)\n- **HTTP Method**: `POST`\n- **Required Capability**: `gamipress_get_manager_capability()` (typically `manage_options`)\n- **Vulnerable Parameter**: `action` and `items[]`\n- **Preconditions**: An administrator with GamiPress management permissions must be logged in and visit a page controlled by the attacker.\n\n## 3. Code Flow\n1.  The plugin registers AJAX handlers in `includes\u002Fajax-functions.php` (included via `gamipress.php`).\n2.  The tool `includes\u002Fadmin\u002Ftools\u002F","The GamiPress plugin for WordPress (up to 7.6.6) is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to perform nonce validation on its administrative AJAX handlers for importing and exporting site configurations. This allows an attacker to trick a logged-in administrator into triggering an unauthorized export of site data or importing a malicious configuration file.","\u002F\u002F includes\u002Fadmin\u002Ftools\u002Fimport-export-setup.php line 116\nfunction gamipress_ajax_export_setup_tool() {\n\n    global $wpdb;\n\n    $postmeta = GamiPress()->db->postmeta;\n\n    $items = $_POST['items'];\n\n    \u002F\u002F Check parameters received\n    if( ! isset( $items ) || empty( $items ) ) {\n        wp_send_json_error( __( 'No items selected.', 'gamipress' ) );\n    }\n---\n\u002F\u002F includes\u002Fadmin\u002Ftools\u002Fimport-export-setup.php line 338\nfunction gamipress_ajax_import_setup_tool() {\n\n    \u002F\u002F Check parameters received\n    if( ! 
isset( $_FILES['file'] ) ) {\n        wp_send_json_error( __( 'No setup to import.', 'gamipress' ) );\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgamipress\u002F7.6.6\u002Fincludes\u002Fadmin\u002Ftools\u002Fimport-export-setup.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgamipress\u002F7.6.7\u002Fincludes\u002Fadmin\u002Ftools\u002Fimport-export-setup.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgamipress\u002F7.6.6\u002Fincludes\u002Fadmin\u002Ftools\u002Fimport-export-setup.php\t2026-02-17 12:41:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgamipress\u002F7.6.7\u002Fincludes\u002Fadmin\u002Ftools\u002Fimport-export-setup.php\t2026-02-20 08:21:10.000000000 +0000\n@@ -116,6 +116,9 @@\n  *\u002F\n function gamipress_ajax_export_setup_tool() {\n \n+    \u002F\u002F Security check, forces to die if not security passed\n+    check_ajax_referer( 'gamipress_admin', 'nonce' );\n+\n     global $wpdb;\n \n     $postmeta = GamiPress()->db->postmeta;\n@@ -338,6 +341,9 @@\n  *\u002F\n function gamipress_ajax_import_setup_tool() {\n \n+    \u002F\u002F Security check, forces to die if not security passed\n+    check_ajax_referer( 'gamipress_admin', 'nonce' );\n+\n     \u002F\u002F Check parameters received\n     if( ! isset( $_FILES['file'] ) ) {\n         wp_send_json_error( __( 'No setup to import.', 'gamipress' ) );","The exploit targets the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint via the `gamipress_export_setup` or `gamipress_import_setup` actions. An attacker hosts a malicious page that sends a POST request to this endpoint with parameters like `items[]` for export or a `file` for import. 
When an administrator with GamiPress management permissions (typically the `manage_options` capability) visits the attacker's page while logged into WordPress, their session cookies are automatically included in the request; because the handler performs no nonce check, the tool's logic executes.","gemini-3-flash-preview","2026-04-18 23:35:43","2026-04-18 23:36:36",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","7.6.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgamipress\u002Ftags\u002F7.6.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgamipress.7.6.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgamipress\u002Ftags\u002F7.6.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgamipress.7.6.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgamipress\u002Ftags"]