[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwcHFIZmjOpuQ50Rl7dMfjUnhhkMzSsAyIw1hYpUSCek":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6294","google-pagerank-display-cross-site-request-forgery-to-settings-update-via-settings-page","Google PageRank Display \u003C= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page","The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge.","google-pagerank-display",null,"\u003C=1.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-21 19:02:33","2026-04-22 07:45:42",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe39ebe27-7780-48b6-8dca-7da7a78fce69?source=api-prod",[],"researched",false,3,"This research plan outlines the methodology for a Proof-of-Concept (PoC) exploitation of CVE-2026-6294, a Cross-Site Request Forgery (CSRF) vulnerability in the Google PageRank Display plugin.\n\n### 1. Vulnerability Summary\nThe Google PageRank Display plugin (\u003C= 1.4) fails to implement CSRF protection on its settings page. The core logic resides in the `gpdisplay_option()` function, which is responsible for both rendering the settings form and processing the updates. Because the form lacks a WordPress nonce field (`wp_nonce_field()`) and the processing logic lacks validation (`check_admin_referer()` or `wp_verify_nonce()`), an attacker can perform state-changing operations (modifying plugin settings) by tricking an authenticated administrator into submitting a forged request.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Foptions-general.php?page=google-pagerank-display` (inferred slug based on plugin name).\n*   **Vulnerable Action:** POST request to the settings page URL.\n*   **Vulnerable Function:** `gpdisplay_option()`\n*   **Required Authentication:** Authenticated Administrator (targeted via CSRF).\n*   **Preconditions:** The plugin must be active. An administrator must have an active session and be tricked into visiting a malicious page or clicking a malicious link.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers a settings page using `add_options_page()` or `add_menu_page()` within the `admin_menu` hook, designating `gpdisplay_option` as the callback.\n2.  **Entry Point:** An administrator visits the settings page or submits the form.\n3.  **Vulnerable Path:**\n    *   The `gpdisplay_option()` function is invoked.\n    *   The function likely checks for the presence of a POST variable (e.g., `if (isset($_POST['info_update']))` or `if (isset($_POST['submit']))`).\n    *   **The Vulnerability:** It proceeds to update options using `update_option()` based on the values in `$_POST` without calling `check_admin_referer()`.\n4.  **Sink:** `update_option('gpdisplay_style', ...)` and other plugin-specific options.\n\n### 4. Nonce Acquisition Strategy\n**No nonce is required.**\nAccording to the vulnerability description, the plugin is specifically vulnerable because it lacks nonce validation. The `gpdisplay_option()` function does not verify a nonce before calling `update_option()`. Therefore, no acquisition strategy is necessary; the exploit will proceed by omitting the nonce entirely.\n\n### 5. Exploitation Strategy\nThe goal is to change the `gpdisplay_style` option to an arbitrary value (e.g., `999` or a string if not properly type-validated).\n\n**Step-by-Step Plan:**\n1.  **Identify Parameters:** Access the plugin settings page as an admin to identify the exact `name` attributes of the input fields and the submit button.\n    *   *Inferred parameter names:* `gpdisplay_style`, `gpdisplay_position`, `info_update`.\n2.  **Craft the Forged Request:** Construct a POST request that mimics the legitimate settings update.\n3.  **Execute the Exploit:** Use the `http_request` tool (simulating the administrator's browser context) to send the POST request to the settings endpoint.\n\n**HTTP Request Payload (Example):**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=google-pagerank-display`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `gpdisplay_style=2&gpdisplay_position=top_left&info_update=Update+Options` (Note: `info_update` and other keys are inferred and must be verified by the agent inspecting the form).\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Install and activate `google-pagerank-display` version 1.4 or lower.\n2.  **Initial State Check:** Verify the current value of the plugin's settings using WP-CLI.\n    ```bash\n    wp option get gpdisplay_style\n    ```\n3.  **Admin User:** Ensure an administrator user exists (standard in test environments).\n\n### 7. Expected Results\n*   The server should respond with a `302 Redirect` (standard WordPress behavior after saving settings) or a `200 OK` showing the updated settings page.\n*   The response should NOT contain any \"Are you sure you want to do this?\" (WordPress's default \"cheatin' uh?\" message for failed nonce checks).\n*   The option in the database should be updated to the value provided in the exploit payload.\n\n### 8. Verification Steps\nAfter sending the malicious POST request, verify the state change via WP-CLI:\n```bash\n# Check if the style option was successfully changed to the attacker's value\nwp option get gpdisplay_style\n\n# Check if other manipulated options were changed\nwp option get gpdisplay_position\n```\nIf the values returned by `wp option get` match the values sent in the `http_request` payload, the CSRF is confirmed.\n\n### 9. Alternative Approaches\nIf the plugin uses a different slug or different parameter names:\n1.  **Slug Discovery:** Run `wp eval \"echo menu_page_url('google-pagerank-display', false);\"` or grep the plugin source for `add_options_page`.\n2.  **Parameter Discovery:** Navigate to the settings page using `browser_navigate` and use `browser_eval` to extract form field names:\n    ```javascript\n    Array.from(document.querySelectorAll('form input, form select')).map(el => el.name)\n    ```\n3.  **XSS Chain:** If the `gpdisplay_style` or other options are rendered on the frontend without escaping, the CSRF can be elevated to Stored XSS by injecting a script tag into the option value: `gpdisplay_style=\u003Cscript>alert(1)\u003C\u002Fscript>`.","The Google PageRank Display plugin for WordPress (versions up to and including 1.4) is vulnerable to Cross-Site Request Forgery (CSRF). The plugin's settings page lacks nonce validation, allowing an attacker to trick a logged-in administrator into submitting a malicious POST request that modifies plugin options such as the display style and position.","\u002F\u002F Inferred logic based on plugin behavior in gpdisplay_option function\n\u002F\u002F Path: google-pagerank-display.php\n\nfunction gpdisplay_option() {\n    if (isset($_POST['info_update'])) {\n        \u002F\u002F Vulnerability: No check_admin_referer() or wp_verify_nonce() call here\n        update_option('gpdisplay_style', $_POST['gpdisplay_style']);\n        update_option('gpdisplay_position', $_POST['gpdisplay_position']);\n    }\n\n    \u002F\u002F ... UI rendering logic ...\n    ?>\n    \u003Cform method=\"post\" action=\"\">\n        \u003C!-- Vulnerability: Missing wp_nonce_field() -->\n        \u003Cinput type=\"text\" name=\"gpdisplay_style\" value=\"\u003C?php echo get_option('gpdisplay_style'); ?>\">\n        \u003Cinput type=\"submit\" name=\"info_update\" value=\"Update Options\">\n    \u003C\u002Fform>\n    \u003C?php\n}","--- google-pagerank-display.php\n+++ google-pagerank-display.php\n@@ -1,6 +1,7 @@\n function gpdisplay_option() {\n     if (isset($_POST['info_update'])) {\n+        check_admin_referer('gpdisplay_update_settings', 'gpdisplay_nonce');\n         update_option('gpdisplay_style', $_POST['gpdisplay_style']);\n         update_option('gpdisplay_position', $_POST['gpdisplay_position']);\n     }\n@@ -10,6 +11,7 @@\n     ?>\n     \u003Cform method=\"post\" action=\"\">\n+        \u003C?php wp_nonce_field('gpdisplay_update_settings', 'gpdisplay_nonce'); ?>\n         \u003Cinput type=\"text\" name=\"gpdisplay_style\" ...>\n         \u003Cinput type=\"submit\" name=\"info_update\" value=\"Update Options\">\n     \u003C\u002Fform>","The exploit target is the plugin's settings page, typically located at \u002Fwp-admin\u002Foptions-general.php?page=google-pagerank-display. An attacker must trick a logged-in WordPress administrator into visiting a malicious website or clicking a link that triggers a hidden POST request to this endpoint. The request payload includes the parameters for the settings to be changed (e.g., gpdisplay_style and gpdisplay_position) along with a trigger parameter like info_update. Because the plugin does not verify a CSRF nonce, the server processes the request and updates the options in the database using the attacker-supplied values.","gemini-3-flash-preview","2026-04-27 14:07:26","2026-04-27 14:07:45",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgoogle-pagerank-display\u002Ftags"]