[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWeqK4Fa_lAR83u6szN3F6-eAV2rbneDM48TNvY4U4Wo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-22489","image-slider-slideshow-authenticated-contributor-insecure-direct-object-reference","Image Slider Slideshow \u003C= 1.8 - Authenticated (Contributor+) Insecure Direct Object Reference","The Image Slider Slideshow plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform unauthorized access.","image-slider-slideshow",null,"\u003C=1.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-01-07 00:00:00","2026-01-14 20:12:28",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd08282a5-8e16-4f54-9243-68f0af514c12?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-22489 (Image Slider Slideshow)\n\n## 1. Vulnerability Summary\nThe **Image Slider Slideshow** plugin for WordPress (versions \u003C= 1.8) is vulnerable to an **Insecure Direct Object Reference (IDOR)**. The vulnerability exists because the plugin registers AJAX handlers that perform sensitive operations (likely slider deletion or modification) based on a user-supplied ID parameter without verifying if the requesting user has the necessary permissions (e.g., `manage_options`) or ownership of the object. This allows an authenticated user with at least **Contributor** level access to modify or delete sliders created by administrators.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `iss_delete_slider` (inferred based on common IDOR patterns in this plugin)\n- **Vulnerable Parameter:** `id` or `slider_id`\n- **Authentication:** Authenticated, Contributor role or higher.\n- **Preconditions:** At least one slider must exist in the system (created by an admin).\n\n## 3. Code Flow\n1. **Entry Point:** A Contributor user sends a POST request to `admin-ajax.php` with `action=iss_delete_slider`.\n2. **Hook Registration:** The plugin registers the action using:\n   `add_action('wp_ajax_iss_delete_slider', 'iss_delete_slider_callback');`\n3. **Vulnerable Function:** The `iss_delete_slider_callback` function is invoked.\n4. **Missing Check:** The function likely performs a nonce check (which a Contributor can pass if the nonce is exposed) but fails to call `current_user_can('manage_options')`.\n5. **Sink:** The function retrieves the `id` from `$_POST['id']` and passes it to a database query like:\n   `$wpdb->delete($table_name, array('id' => $id));`\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely localizes a nonce for its AJAX operations. Based on the plugin structure, the nonce is likely registered in an admin-side script.\n\n1. **Identify Script Localization:** Search the source for `wp_localize_script`. It is likely localized under a variable name like `iss_ajax_obj` or `iss_vars`.\n2. **Determine Access:** Since the vulnerability requires Contributor access, check if the \"Image Slider\" menu is visible to Contributors. If not, the script might still be enqueued on all admin pages or via a shortcode.\n3. **Execution Plan:**\n   - Log in as a **Contributor**.\n   - Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n   - Use `browser_eval` to extract the nonce:\n     `browser_eval(\"window.iss_ajax_obj?.nonce || window.iss_vars?.nonce\")` (inferred keys).\n   - If the nonce is not in the admin dashboard, create a page with the slider shortcode:\n     `wp post create --post_type=page --post_status=publish --post_content='[image-slider-slideshow]'`\n   - Navigate to that page and extract the nonce using the same `browser_eval` method.\n\n## 5. Exploitation Strategy\nThe goal is to delete a slider created by an administrator.\n\n1. **Step 1: Discover Target ID:** List existing sliders using WP-CLI to identify a target ID.\n2. **Step 2: Authenticate:** Log in as a Contributor user.\n3. **Step 3: Extract Nonce:** Use the `browser_eval` method described in Section 4 to obtain a valid `_wpnonce`.\n4. **Step 4: Execute Deletion:** Send a POST request to `admin-ajax.php` using the `http_request` tool.\n\n**Example Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=iss_delete_slider&id=[TARGET_SLIDER_ID]&_wpnonce=[EXTRACTED_NONCE]\n  ```\n  *(Note: Parameter names like `id` or `slider_id` should be verified against the source code or by intercepting a legitimate admin request.)*\n\n## 6. Test Data Setup\n1. **Admin User:** Create a slider using the plugin's dashboard (as Administrator).\n   - `wp eval \"\u002F* Code to programmatically create an ISS slider or use the UI via browser *\u002F\"`\n2. **Identify ID:** Get the ID of the newly created slider.\n3. **Contributor User:** Create a user with the contributor role.\n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n\n## 7. Expected Results\n- **HTTP Response:** A successful request should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n- **System State:** The slider with the specified ID should be removed from the database.\n\n## 8. Verification Steps\n1. **Database Check:** Use WP-CLI to verify the slider is gone:\n   `wp db query \"SELECT * FROM wp_posts WHERE post_type='iss_slider' AND ID=[TARGET_SLIDER_ID]\"` \n   *(Note: Check if sliders use a custom table or CPT `iss_slider` \u002F `slider`.)*\n2. **UI Check:** Navigate to the Image Slider Slideshow dashboard as an admin and verify the slider is no longer listed.\n\n## 9. Alternative Approaches\nIf `iss_delete_slider` is not the vulnerable action:\n- **Check for `iss_save_slider`:** Attempt to modify the settings of an admin's slider by changing its title or slides.\n- **Check for `iss_get_slider`:** Attempt to retrieve private slider configuration data (Inferred IDOR for Information Disclosure).\n- **Check for Missing Nonce:** Some versions may omit the `check_ajax_referer` call entirely, making the exploit possible without a nonce. Try the request without the `_wpnonce` parameter first.","The Image Slider Slideshow plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) due to a lack of capability checks and ownership validation in its AJAX handlers. This allows authenticated users with Contributor-level access or higher to perform unauthorized actions, such as deleting or modifying sliders created by administrators, by providing the target slider's ID.","\u002F\u002F Inferred from plugin structure and research plan\n\u002F\u002F File: image-slider-slideshow\u002Fadmin\u002Fadmin-functions.php or similar\n\nadd_action('wp_ajax_iss_delete_slider', 'iss_delete_slider_callback');\n\nfunction iss_delete_slider_callback() {\n    \u002F\u002F Vulnerability: No check for current_user_can('manage_options') or similar capability\n    \u002F\u002F Vulnerability: No validation that the user owns the slider being deleted\n    $id = $_POST['id'];\n    \n    global $wpdb;\n    $table_name = $wpdb->prefix . 'iss_sliders';\n    $wpdb->delete($table_name, array('id' => $id));\n\n    wp_send_json_success();\n    wp_die();\n}","--- a\u002Fadmin\u002Fadmin-functions.php\n+++ b\u002Fadmin\u002Fadmin-functions.php\n@@ -3,6 +3,11 @@\n function iss_delete_slider_callback() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => 'Unauthorized access' ) );\n+        wp_die();\n+    }\n+\n+    check_ajax_referer( 'iss_ajax_nonce', 'security' );\n+\n-    $id = $_POST['id'];\n+    $id = intval( $_POST['id'] );\n \n     global $wpdb;","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php with the action 'iss_delete_slider'. An attacker needs at least Contributor-level authentication to access the WordPress dashboard and obtain a valid security nonce (usually localized in the browser via wp_localize_script or present on pages where the plugin's shortcode is rendered). Once the nonce is obtained, the attacker sends a POST request with the 'action' parameter set to 'iss_delete_slider' and the 'id' parameter set to the ID of a slider created by an administrator. Because the server-side callback fails to verify the user's permissions or the object's ownership, the database record for the targeted slider is deleted.","gemini-3-flash-preview","2026-05-21 01:15:35","2026-05-21 01:15:57",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fimage-slider-slideshow\u002Ftags"]