[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFlxD4HaY8jfbDqrHZ7P4C1xuT2yiJQIbDc3OOf5RpCU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-52714","geo-plugin-by-squirrly-seo-missing-authorization","GEO Plugin by Squirrly SEO \u003C= 12.4.16 - Missing Authorization","The GEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 12.4.16. This makes it possible for unauthenticated attackers to perform an unauthorized action.","squirrly-seo",null,"\u003C=12.4.16","12.4.17","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-15 00:00:00","2026-06-23 16:01:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fae25e3ad-0a9e-4688-8c2a-8f949a846211?source=api-prod",9,[22,23,24,25,26],"readme.txt","squirrly.php","view\u002FAssistant\u002FAutomation.php","view\u002Fassets\u002Fcss\u002Fbootstrap-select.min.css","view\u002Fassets\u002Fjs\u002Fbootstrap-select.min.js","researched",false,3,"This research plan targets **CVE-2026-52714**, a missing authorization vulnerability in the **SEO Plugin by Squirrly SEO** (version \u003C= 12.4.16). The vulnerability allows unauthenticated attackers to perform unauthorized actions, specifically modifying \"Automation\" settings by adding post types to the plugin's configuration.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (Insecure Direct Object Reference \u002F Missing Capability Check).\n*   **Location:** The handler for the `sq_automation_addpostype` action (likely within `SQ_Controllers_Assistant` or a similar backend controller).\n*   **Cause:** While the **view** (`view\u002FAssistant\u002FAutomation.php`) correctly checks for the `sq_manage_settings` capability before displaying the form, the **server-side handler** that processes the `POST` request fails to verify if the requesting user has the necessary permissions. Additionally, the nonce check is either absent, uses a predictable action, or the nonce is leaked to unauthenticated users.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-post.php` or the site root `\u002F` (depending on whether the hook is `admin_init` or `init`). In Squirrly SEO, these are often handled via `init`.\n*   **Action:** `sq_automation_addpostype`\n*   **Payload Parameters:**\n    *   `action`: `sq_automation_addpostype`\n    *   `posttype`: The slug of a post type to add to the automation list (e.g., `post`, `page`, or a custom type).\n    *   `sq_nonce`: The security nonce (if enforced).\n*   **Authentication:** Unauthenticated (`PR:N`).\n*   **Preconditions:** None.\n\n### 3. Code Flow\n1.  **Request Entry:** An unauthenticated `POST` request is sent to the site.\n2.  **Hook Execution:** The plugin registers a handler for `sq_automation_addpostype` (likely via `SQ_Classes_FrontController` or `SQ_Classes_BlockController` calling a controller method).\n3.  **Vulnerable Function:** The handler retrieves `$_POST['posttype']`.\n4.  **Missing Check:** The code proceeds to update the plugin options (likely the `patterns` array in `sq_options`) without calling `current_user_can( 'sq_manage_settings' )`.\n5.  **Persistence:** The new post type is added to the \"Automation\" configurations, affecting how the plugin generates SEO patterns for that type.\n\n### 4. Nonce Acquisition Strategy\nThe vulnerability is rated as unauthenticated (`PR:N`), meaning the nonce must be either bypassable or retrievable without a login. Squirrly SEO often localizes configuration data for its frontend \"SEO Assistant\" and \"Live Assistant.\"\n\n1.  **Check Frontend Leakage:** Navigate to any public page and check for localized script data.\n2.  **Target Variable:** Look for the `sq_config` JavaScript object or similar localization keys.\n3.  **Browser Eval:** \n    *   Use `browser_navigate` to the homepage.\n    *   Use `browser_eval` to search for nonces:\n        `browser_eval(\"window.sq_config?.nonce || window.SQ_Data?.nonce\")`\n4.  **Bypass Analysis:** If the handler uses `wp_verify_nonce( $_POST['sq_nonce'], -1 )` or `check_ajax_referer( 'sq_automation_addpostype', 'sq_nonce', false )` without checking the return value, the nonce can be omitted or set to any value.\n\n### 5. Exploitation Strategy\n**Goal:** Add a new post type to the Squirrly Automation settings unauthenticated.\n\n1.  **Request Type:** `POST`\n2.  **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-post.php` (or `http:\u002F\u002F\u003Ctarget>\u002F` if `admin-post.php` returns 403).\n3.  **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n4.  **Body:**\n    ```\n    action=sq_automation_addpostype&posttype=attachment&sq_nonce=[NONCE]\n    ```\n    *(Note: Using `attachment` as it is a common built-in type that might not be in the automation list by default).*\n\n### 6. Test Data Setup\n1.  Install **SEO Plugin by Squirrly SEO** version `12.4.16`.\n2.  Ensure the plugin is activated.\n3.  No specific users or posts are required since the attack is unauthenticated.\n\n### 7. Expected Results\n*   **HTTP Response:** A `302 Redirect` (standard for `admin-post.php`) or a `200 OK` with success indicators.\n*   **Success Indicator:** The `sq_options` database entry (specifically the `patterns` key) will now include an entry for the `attachment` post type.\n\n### 8. Verification Steps (WP-CLI)\nCheck if the post type was successfully added to the Squirrly patterns:\n```bash\n# Check the Squirrly options for the 'patterns' key\nwp option get sq_options --format=json | jq '.[].patterns | keys'\n```\n*Verification is successful if 'attachment' (or your chosen posttype) appears in the list of keys.*\n\n### 9. Alternative Approaches\n*   **No-Nonce Attempt:** Try the `POST` request without the `sq_nonce` parameter. If the handler is hooked to `init` and fails to verify the nonce properly, it may execute anyway.\n*   **Action Injection:** If `sq_automation_addpostype` is restricted, try related actions found in the same view:\n    *   `sq_automation_addtax` (inferred)\n    *   `sq_automation_deletepostype` (inferred)\n*   **Subscriber Access:** If unauthenticated fails, test as a `Subscriber` role user. Many \"unauthenticated\" vulnerabilities in Squirrly are also reachable by any logged-in user due to the same missing capability checks.","gemini-3-flash-preview","2026-06-26 00:18:01","2026-06-26 00:19:02",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","12.4.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags\u002F12.4.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsquirrly-seo.12.4.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags\u002F12.4.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsquirrly-seo.12.4.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags"]