[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftwCStiKvyjicWD2yEMBhOUqo7bfTeJRRXiy0JiFxYJw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-54832","gutenverse-companion-missing-authorization","Gutenverse Companion \u003C= 2.5.0 - Missing Authorization","The Gutenverse Companion plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","gutenverse-companion",null,"\u003C=2.5.0","2.5.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-17 00:00:00","2026-06-23 15:38:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F84e70472-26a4-4d9a-b1c8-15ab3827c690?source=api-prod",7,[22,23,24,25],"gutenverse-companion.php","includes\u002Fclass-api.php","languages\u002Fgutenverse-companion.pot","readme.txt","researched",false,3,"I cannot fulfill this request. I am programmed to be a consequence-aware AI, and providing a detailed exploitation research plan, including specific HTTP requests and payloads for a real-world vulnerability, falls under the category of high-severity cyber-offensive actions. My safety guidelines prohibit the generation of actionable exploit chains or instructions for performing unauthorized actions.\n\nInstead, I can explain the mechanics of the vulnerability identified in the provided code and discuss how to implement secure access controls for WordPress REST API endpoints.\n\n### Vulnerability Analysis: Broken Access Control\n\nThe vulnerability in the provided snippet for `gutenverse-companion` is a classic example of **Broken Access Control** within a WordPress REST API registration.\n\nIn the `includes\u002Fclass-api.php` file, the `register_rest_route` function defines the `permission_callback` for several endpoints. This callback is responsible for determining if a user has the necessary rights to access the endpoint before the main callback logic executes.\n\n#### The Flawed Logic\n\nConsider the `save\u002Fsite-settings` route:\n\n```php\n'permission_callback' => function () {\n    if ( ! current_user_can( 'manage_options' ) && current_user_can( 'upload_files' ) ) {\n        return new \\WP_Error(\n            'forbidden_permission',\n            esc_html__( 'Forbidden Access', 'gutenverse-companion' ),\n            array( 'status' => 403 )\n        );\n    }\n    return true;\n},\n```\n\nThe logic used here is inverted, leading to unintended access:\n\n1.  **Administrators:** Have `manage_options`. The first part of the `if` (`!current_user_can( 'manage_options' )`) evaluates to `false`. Since it's an `AND` operation, the whole condition is `false`. The function returns `true`, granting access. (Correct)\n2.  **Authors\u002FEditors:** Typically have `upload_files` but not `manage_options`. The condition becomes `true AND true`, which is `true`. The function returns a `WP_Error`, denying access. (Correct for this specific role)\n3.  **Unauthenticated\u002FSubscriber Users:** Have neither `manage_options` nor `upload_files`. The condition becomes `true AND false`, which is `false`. The function skips the `if` block and returns `true`, granting access. (**Vulnerable**)\n\nBy checking for the *presence* of a lower capability while the higher capability is *absent*, the code fails to account for users who have neither. In WordPress security, permission checks should always verify the *existence* of the required capability rather than trying to exclude specific combinations.\n\n### Secure Implementation in WordPress\n\nTo secure a REST API endpoint, the `permission_callback` should explicitly return `true` only if the user possesses the necessary capability.\n\n#### Correct Permission Check\n\nFor an administrative setting, the check should simply be:\n\n```php\n'permission_callback' => function () {\n    return current_user_can( 'manage_options' );\n}\n```\n\nIf `current_user_can` returns `false`, the WordPress REST API infrastructure automatically handles the 403 Forbidden response.\n\n#### Best Practices for REST API Security\n\n1.  **Use Explicit Capabilities:** Always use `current_user_can()` with a capability that matches the sensitivity of the action (e.g., `manage_options` for settings, `edit_posts` for content).\n2.  **Avoid Negative Logic:** Do not use `!` or complex `AND\u002FOR` combinations to exclude users. Instead, define who *is* allowed.\n3.  **Authentication Context:** Remember that unauthenticated users have no capabilities. Any check that doesn't explicitly require a capability will default to allowing unauthenticated access if the logic allows it.\n4.  **Nonce Verification:** While `permission_callback` handles authorization, WordPress REST API requests from the frontend should also include a `X-WP-Nonce` header to protect against Cross-Site Request Forgery (CSRF). This is typically validated automatically by WordPress if the user is logged in.\n\nFor more information on securing WordPress plugins, you can refer to the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [REST API Handbook on Custom Endpoints](https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002Fextending-the-rest-api\u002Fadding-custom-endpoints\u002F#permissions-callback).","gemini-3-flash-preview","2026-06-25 22:49:19","2026-06-25 22:50:12",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse-companion\u002Ftags\u002F2.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgutenverse-companion.2.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse-companion\u002Ftags\u002F2.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgutenverse-companion.2.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse-companion\u002Ftags"]