[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGxYIdjL0itEZ2JeYFBwyKV0ydEmJ9Nm_q5U2ldNrsGc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8423","javibola-custom-theme-test-cross-site-request-forgery","JaviBola Custom Theme Test \u003C= 2.0.5 - Cross-Site Request Forgery","The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site's active theme by modifying the jbct_theme option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","javibola-custom-theme",null,"\u003C=2.0.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-19 12:07:03","2026-05-20 01:25:49",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F68a8a277-2ea6-4d75-b8cd-4d20eb17b3aa?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-8423 (JaviBola Custom Theme Test)\n\n## 1. Vulnerability Summary\nThe **JaviBola Custom Theme Test** plugin (\u003C= 2.0.5) contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin allows administrators to select and \"test\" different themes by updating a plugin-specific option, `jbct_theme`. However, the code responsible for processing the update fails to perform nonce validation (via `check_admin_referer` or `wp_verify_nonce`). An attacker can trick a logged-in administrator into submitting a forged request, leading to an unauthorized change of the site's active theme or the plugin's \"test\" theme configuration.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin.php` or `\u002Fwp-admin\u002Foptions-general.php` (specific slug is likely `javibola-custom-theme`).\n*   **HTTP Method**: `POST`\n*   **Authentication**: Required (Administrator victim session).\n*   **Vulnerable Parameter**: `jbct_theme` (The value representing the theme slug).\n*   **Preconditions**: An administrator must be logged into the WordPress dashboard and be tricked into visiting a malicious URL or auto-submitting an HTML form.\n\n## 3. Code Flow (Inferred)\n1.  **Hook Registration**: The plugin likely registers an admin menu page via `add_options_page` or `add_menu_page` with a slug like `javibola-custom-theme`.\n2.  **Setting Update Logic**: Within the menu callback function or an `admin_init` hook, the plugin checks for the presence of `$_POST['jbct_theme']`.\n3.  **Vulnerable Sink**:\n    ```php\n    if ( isset( $_POST['jbct_theme'] ) ) {\n        \u002F\u002F Missing: check_admin_referer('jbct_action_nonce');\n        update_option( 'jbct_theme', sanitize_text_field( $_POST['jbct_theme'] ) );\n        \u002F\u002F The plugin may then call switch_theme() or use a filter to swap themes.\n    }\n    ```\n4.  **Failure**: Because no nonce check is present, any POST request containing `jbct_theme` sent to the admin context will trigger the update if the user has sufficient permissions.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the plugin **lacks nonce validation**. \n*   **If missing**: No nonce is required in the exploit payload.\n*   **If incorrect\u002Fbypassable**: If the code uses a generic nonce (like `-1`) or doesn't check the return value of `wp_verify_nonce`, the exploit will simply omit the nonce or provide a dummy value.\n\nTo confirm the absence of a nonce:\n1.  Navigate to the plugin settings page: `browser_navigate(\"\u002Fwp-admin\u002Foptions-general.php?page=javibola-custom-theme\")`.\n2.  Inspect the HTML form for a hidden field named `_wpnonce` or similar. \n3.  If a nonce exists but the CVE states it is missing\u002Fincorrect, try the exploit without the parameter.\n\n## 5. Exploitation Strategy\nThe goal is to change the `jbct_theme` option to a target theme (e.g., `twentytwentyfour`).\n\n**Step-by-Step Plan:**\n1.  **Identify Target Theme**: Use `wp theme list` to find an installed theme slug that is not currently active.\n2.  **Simulate Admin Request**: Since this is a PoC in an isolated environment, use the `http_request` tool with the administrator's cookies to send a POST request without a nonce.\n3.  **Payload**:\n    *   **URL**: `https:\u002F\u002F[TARGET]\u002Fwp-admin\u002Foptions-general.php?page=javibola-custom-theme` (inferred slug)\n    *   **Method**: `POST`\n    *   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body**: `jbct_theme=[TARGET_THEME_SLUG]&submit=Save+Changes`\n\n## 6. Test Data Setup\n1.  **Install Plugin**: `wp plugin install javibola-custom-theme --version=2.0.5 --activate`\n2.  **Identify Current Theme**: `wp theme list --status=active`\n3.  **Prepare Target**: Ensure at least two themes are installed (e.g., `twentytwentythree` and `twentytwentyfour`).\n\n## 7. Expected Results\n*   The server should return a `302 Redirect` or a `200 OK` indicating the settings were saved.\n*   The WordPress option `jbct_theme` in the `wp_options` table should be updated to the value provided in the payload.\n*   If the plugin applies the theme immediately, the site frontend should render using the new theme.\n\n## 8. Verification Steps\nAfter sending the `http_request`, verify the change using WP-CLI:\n1.  **Check Option**: `wp option get jbct_theme`\n2.  **Check Active Theme**: `wp theme list --status=active` (to see if the plugin actually switched the site's active theme).\n3.  **Confirm Result**: Compare the output of `wp option get jbct_theme` with the payload value.\n\n## 9. Alternative Approaches\nIf the settings page slug differs or the update logic is triggered via AJAX:\n1.  **Check AJAX Handlers**: `grep -rn \"wp_ajax\" wp-content\u002Fplugins\u002Fjavibola-custom-theme\u002F`\n2.  **Search for option name**: `grep -rn \"jbct_theme\" wp-content\u002Fplugins\u002Fjavibola-custom-theme\u002F` to find the exact file and hook processing the request.\n3.  **Check admin_post**: If the form targets `admin-post.php`, the action parameter will be required: `action=jbct_save_settings&jbct_theme=...`.","The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.0.5. This occurs because the plugin fails to perform nonce validation when processing settings updates, allowing attackers to change the site's configured test theme by tricking an administrator into making a forged request.","\u002F\u002F File: wp-content\u002Fplugins\u002Fjavibola-custom-theme\u002Fjavibola-custom-theme.php (estimated location)\n\nif ( isset( $_POST['jbct_theme'] ) ) {\n    \u002F\u002F Vulnerability: No check_admin_referer() or wp_verify_nonce() call here\n    update_option( 'jbct_theme', sanitize_text_field( $_POST['jbct_theme'] ) );\n}","--- a\u002Fwp-content\u002Fplugins\u002Fjavibola-custom-theme\u002Fjavibola-custom-theme.php\n+++ b\u002Fwp-content\u002Fplugins\u002Fjavibola-custom-theme\u002Fjavibola-custom-theme.php\n@@ -1,5 +1,6 @@\n if ( isset( $_POST['jbct_theme'] ) ) {\n+    check_admin_referer( 'jbct_save_settings', 'jbct_nonce' );\n     update_option( 'jbct_theme', sanitize_text_field( $_POST['jbct_theme'] ) );\n }","The exploit targets the plugin's administrative settings page which lacks CSRF protection. An attacker can use an external site or a malicious HTML email to force an administrator's browser to send a POST request to the WordPress admin panel. \n\n- Endpoint: \u002Fwp-admin\u002Foptions-general.php?page=javibola-custom-theme (or the plugin's specific menu slug)\n- Method: POST\n- Payload Shape: jbct_theme=[TARGET_THEME_SLUG]&submit=Save+Changes\n- Authentication: Requires the victim to have an active session with Administrator privileges. \n\nBecause the plugin does not verify a nonce, it will process the `update_option` call for any POST request containing the `jbct_theme` parameter, successfully changing the site's theme configuration.","gemini-3-flash-preview","2026-05-20 16:54:15","2026-05-20 16:54:59",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjavibola-custom-theme\u002Ftags"]