[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVjMWW29zFkDjVZKCfVFFf4JJJSRi-bhyNWcxRsr61EA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-54837","intranet-private-site-all-in-one-intranet-missing-authorization","Intranet & Private Site – All-In-One Intranet \u003C= 1.8.1 - Missing Authorization","The Intranet & Private Site – All-In-One Intranet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","all-in-one-intranet",null,"\u003C=1.8.1","1.9.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-18 00:00:00","2026-06-23 15:52:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcfe45a6b-bd31-4716-9d4d-f7d1b48f9884?source=api-prod",6,[22,23,24,25],"assets\u002Flang\u002Fall-in-one-intranet.pot","basic_all_in_one_intranet.php","core\u002Fcore_all_in_one_intranet.php","readme.txt","researched",false,3,"This research plan outlines the steps required to analyze and exploit **CVE-2026-54837**, a missing authorization vulnerability in the **All-In-One Intranet** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **All-In-One Intranet** plugin (versions \u003C= 1.8.1) fails to implement proper capability checks or nonce verification within its settings-handling logic. Specifically, the `aioi_admin_init` function, which is hooked to `admin_init`, processes configuration updates without verifying if the requesting user has administrative privileges. Because `admin_init` is triggered during requests to `\u002Fwp-admin\u002Fadmin-post.php` (which is accessible to unauthenticated users), an attacker can modify plugin settings remotely.\n\nThe most critical impact is the ability to disable the \"Force site to be entirely private\" setting, effectively making a private corporate intranet public.\n\n### 2. Attack Vector Analysis\n*   **Target Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php`\n*   **Trigger Hook:** `admin_init` -> `aioi_admin_init`\n*   **Vulnerable Parameter:** `aioi_options` (array)\n*   **Required Authentication:** None (Unauthenticated)\n*   **Preconditions:** The plugin must be active and the site must currently be set to \"Private\" (the default behavior).\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated attacker sends a `POST` request to `\u002Fwp-admin\u002Fadmin-post.php`.\n2.  **WordPress Loading:** WordPress initializes and identifies the request as being in the `is_admin()` context (since it is targeting a file in `\u002Fwp-admin\u002F`).\n3.  **Hook Execution:** The `admin_init` hook fires.\n4.  **Plugin Logic:** The `core_all_in_one_intranet::aioi_admin_init()` function (registered in `core\u002Fcore_all_in_one_intranet.php`) is executed.\n5.  **Missing Check:** The function checks if `$_POST['aioi_options']` (or a similar trigger like `aioi_save_settings`) is set. It fails to check `current_user_can('manage_options')` or `check_admin_referer()`.\n6.  **State Change:** The function calls `update_option( 'aioi_options', $_POST['aioi_options'] )`.\n7.  **Sink:** In the next request, `aioi_template_redirect()` calls `get_option_aioi()`, finds `aioi_privatesite` is `false`, and permits public access to the site.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is classified as **Missing Authorization**, which typically includes a lack of CSRF protection (nonces). Based on the unauthenticated nature of the vulnerability (PR:N), no nonce is required for exploitation. The logic in `aioi_admin_init` likely proceeds directly to `update_option` if the correct POST parameters are present.\n\n### 5. Exploitation Strategy\nThe goal is to overwrite the `aioi_options` array and set `aioi_privatesite` to `0` (false).\n\n**Step 1: Identify the exact POST structure**\nThe plugin expects an array for `aioi_options`. We will send a POST request that mimics a settings submission.\n\n**Step 2: Construct the Payload**\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-post.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    aioi_options[aioi_privatesite]=0&aioi_options[aioi_autologout_time]=0&aioi_save_settings=1\n    ```\n    *(Note: `aioi_save_settings` is an inferred trigger name common in this plugin's era; if it fails, the agent should attempt the request with only the array).*\n\n**Step 3: Execute Request**\nUse the `http_request` tool to send the payload.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** `wp plugin install all-in-one-intranet --version=1.8.1 --activate`\n2.  **Ensure Private Mode:** By default, the plugin enables privacy. Confirm by attempting to curl the homepage:\n    `curl -I http:\u002F\u002Flocalhost\u002F` (Should result in a `302 Redirect` to `wp-login.php`).\n3.  **Configure Options:** If necessary, ensure the options exist in the database:\n    `wp option update aioi_options '{\"aioi_privatesite\":true,\"aioi_autologout_time\":0}' --format=json`\n\n### 7. Expected Results\n*   **HTTP Response:** The request to `admin-post.php` may return a `302` redirect or a `200` with \"Settings saved\" (based on line 854 of `core_all_in_one_intranet.php`).\n*   **Site State:** The site is no longer private. Navigating to the homepage unauthenticated returns a `200 OK` and reveals the content.\n\n### 8. Verification Steps\nAfter sending the exploit, verify the change","gemini-3-flash-preview","2026-06-25 21:27:11","2026-06-25 21:29:00",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.8.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-intranet\u002Ftags\u002F1.8.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-intranet.1.8.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-intranet\u002Ftags\u002F1.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-intranet.1.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-intranet\u002Ftags"]