[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLfBmlReSRnJTKAN5Ynd3chOO-egidtVJC58SwkX-q34":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-39504","instawp-connect-missing-authorization-3","InstaWP Connect \u003C= 0.1.2.5 - Missing Authorization","The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 0.1.2.5. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","instawp-connect",null,"\u003C=0.1.2.5","0.1.2.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-11 00:00:00","2026-04-15 21:11:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc6ab1328-b5a0-4592-8455-0bc1874f2b3e?source=api-prod",36,[22,23,24,25,26,27,28],"includes\u002Fclass-instawp-ajax.php","includes\u002Fclass-instawp-setting.php","includes\u002Fclass-instawp-tools.php","includes\u002Ffunctions.php","includes\u002Fsync\u002Fclass-instawp-sync-ajax.php","instawp-connect.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-39504\n\n## 1. Vulnerability Summary\nThe **InstaWP Connect** plugin (versions up to 0.1.2.5) suffers from a **Missing Authorization** vulnerability in multiple AJAX handlers. Specifically, the `InstaWP_Sync_Ajax::handle_select2` function and several methods in `InstaWP_Ajax` fail to implement proper capability checks (`current_user_can`) or nonce verification (`check_ajax_referer`). This allows authenticated users with subscriber-level permissions to perform unauthorized actions, such as enumerating system users or triggering internal plugin state refreshes (e.g., staging site lists).\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions**: \n    - `instawp_handle_select2` (Primary for Information Disclosure)\n    - `instawp_refresh_staging_sites` (Candidate for Integrity impact `I:L`)\n    - `instawp_check_usages_limit` (Candidate for Integrity impact `I:L`)\n- **Vulnerable Hook**: `wp_ajax_instawp_handle_select2` and others registered in `InstaWP_Ajax::__construct` and `InstaWP_Sync_Ajax::__construct`.\n- **Authentication**: Authenticated (Subscriber level and above).\n- **Preconditions**: The attacker must be logged into the WordPress site.\n\n## 3.","The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access and information disclosure due to missing capability checks in several AJAX handlers, most notably the 'handle_select2' function. This allows authenticated attackers with subscriber-level permissions to enumerate WordPress user accounts and roles or trigger internal plugin actions like staging site refreshes. The diff on this page adds the authorization check to 'handle_select2' between 0.1.2.6 and 0.1.2.7, so 0.1.2.6 should be treated as affected for this handler and sites should update to 0.1.2.7 or later.","\u002F\u002F includes\u002Fsync\u002Fclass-instawp-sync-ajax.php around line 141\n\n\tpublic function handle_select2() {\n\t\tif ( isset( $_GET['event'] ) ) {\n\t\t\tif ( $_GET['event'] === 'instawp_get_users' ) {\n\t\t\t\t$keyword = ! empty( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';\n\t\t\t\t$args    = array(\n\t\t\t\t\t'search'         => $keyword,\n\t\t\t\t\t'paged'          => 1,\n\t\t\t\t\t'search_columns' => array( 'user_login', 'user_nicename', 'user_email' ),\n\t\t\t\t\t'fields'         => array( 'id', 'user_login' ),\n\t\t\t\t);\n\t\t\t\t$users   = get_users( $args );\n\t\t\t\t$this->send_success(\n\t\t\t\t\t'Users loaded',\n\t\t\t\t\tarray(\n\t\t\t\t\t\t'results' => $users,\n\t\t\t\t\t\t'opt_col' => array(\n\t\t\t\t\t\t\t'text' => 'user_login',\n\t\t\t\t\t\t\t'id'   => 'ID',\n\t\t\t\t\t\t),\n\t\t\t\t\t)\n\t\t\t\t);\n\t\t\t} elseif ( $_GET['event'] === 'instawp_get_users_exclude_current' ) {\n        \u002F\u002F ... 
logic continues without capability check\n\t\t\t} elseif ( $_GET['event'] === 'instawp_sync_tab_roles' ) {\n        \u002F\u002F ... role enumeration logic\n      }\n    }\n  }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Finstawp-connect\u002F0.1.2.6\u002Fincludes\u002Fsync\u002Fclass-instawp-sync-ajax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Finstawp-connect\u002F0.1.2.7\u002Fincludes\u002Fsync\u002Fclass-instawp-sync-ajax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Finstawp-connect\u002F0.1.2.6\u002Fincludes\u002Fsync\u002Fclass-instawp-sync-ajax.php\t2026-03-06 14:39:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Finstawp-connect\u002F0.1.2.7\u002Fincludes\u002Fsync\u002Fclass-instawp-sync-ajax.php\t2026-03-09 11:14:10.000000000 +0000\n@@ -139,6 +131,8 @@\n \t}\n \n \tpublic function handle_select2() {\n+\t\tInstaWP_Tools::verify_ajax_request( InstaWP_Setting::get_allowed_role() );\n+\n \t\tif ( isset( $_GET['event'] ) ) {\n \t\t\tif ( $_GET['event'] === 'instawp_get_users' ) {\n \t\t\t\t$keyword = ! empty( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';","1. Authentication: Log in to the WordPress site as a low-privileged user (e.g., Subscriber).\n2. Endpoint: Target the WordPress AJAX endpoint at `\u002Fwp-admin\u002Fadmin-ajax.php`.\n3. Request Preparation: Craft a request with the action `instawp_handle_select2`. \n4. Payload: To enumerate users, set the `event` parameter to `instawp_get_users` and the `term` parameter to a search string (e.g., 'admin'). \n5. Execution: Send the GET or POST request. In vulnerable versions, the function lacks a `current_user_can` check and (in some cases) nonce verification, returning a JSON list of usernames and IDs matching the search term.\n6. 
Secondary Actions: Other actions like `instawp_refresh_staging_sites` can be similarly triggered by providing the appropriate `action` parameter without higher-level administrative privileges. Note that the diff excerpt on this page shows the added check only in `handle_select2`, and this research is marked unverified, so the state of the other handlers should be confirmed against the listed patch files.","gemini-3-flash-preview","2026-04-18 04:24:34","2026-04-18 04:25:26",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","0.1.2.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finstawp-connect\u002Ftags\u002F0.1.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finstawp-connect.0.1.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finstawp-connect\u002Ftags\u002F0.1.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finstawp-connect.0.1.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finstawp-connect\u002Ftags"]