[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8dzIFpz6BlP2JMR-sbM1jbFaxZOJDFvO2plnInCKqKc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":9,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":39},"CVE-2026-32513","js-archive-list-authenticated-contributor-php-object-injection","JS Archive List \u003C= 6.1.7 - Authenticated (Contributor+) PHP Object Injection","The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.1.7 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","jquery-archive-list-widget",null,"\u003C=6.1.7","6.2.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-03-20 00:00:00","2026-03-27 19:13:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8ad52e6f-0dbf-459c-badb-86b9036760d7?source=api-prod",8,[22,23,24,25,26,27,28],".gitignore","build\u002Fblock.json","build\u002Findex-rtl.css","build\u002Findex.asset.php","build\u002Findex.css","build\u002Findex.css.map","build\u002Findex.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-32513 (JS Archive List Object Injection)\n\n## 1. Vulnerability Summary\nThe **JS Archive List** plugin (versions \u003C= 6.1.7) is vulnerable to **PHP Object Injection** via the deserialization of untrusted user input. The vulnerability likely resides in a REST API endpoint or an AJAX handler that processes block attributes. Specifically, the plugin's Gutenberg block (`js-archive-list\u002Farchive-widget`) sends its configuration (attributes) to the server to fetch archive data. If the server-side logic applies `unserialize()` or `maybe_unserialize()` to any of these attributes (most likely the `categories` array or a legacy configuration string) without proper validation, an authenticated attacker with Contributor-level permissions can inject a PHP POP chain.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress REST API `\u002Fwp-json\u002Fjalw\u002Fv1\u002Farchive` (inferred from `build\u002Findex.js`).\n- **Vulnerable Parameter:** `categories` (or potentially `config` if attributes are passed as a single string).\n- **Authentication:** Authenticated (Contributor+). 
Contributors can access the Gutenberg editor, which triggers the REST API calls used by the block.\n- **Preconditions:** The attacker must have a valid login with at least `edit_posts` capability (Contributor).\n\n## 3. Code Flow\n1. **Frontend Trigger:** In the Gutenberg editor, the `JsArchiveList` component (`build\u002Findex.js`) calls the `loadYears(config)` function.\n2. **API Call:** This function uses `wp-api-fetch` to send a request to `\u002Fjalw\u002Fv1\u002Farchive`.\n3. **Server-Side Registration:** The plugin registers this route using `register_rest_route( 'jalw\u002Fv1', '\u002Farchive', ... )` (likely in a file like `includes\u002Fapi.php` or the main plugin file).\n4. **Vulnerable Sink:** The callback function for this route (e.g., `get_archive_data`) retrieves parameters from the `$request`.\n5. **Deserialization:** The code likely performs a check like:\n   ```php\n   $categories = $request->get_param('categories');\n   if (is_string($categories)) {\n       $categories = unserialize($categories); \u002F\u002F SINK\n   }\n   ```\n   Or uses `maybe_unserialize()` on a parameter that the attacker can provide as a serialized string.\n\n## 4. Nonce Acquisition Strategy\nThe REST API endpoint requires a `wp_rest` nonce for authentication. This nonce is typically available in the WordPress admin dashboard for any logged-in user.\n\n1. **Access Editor:** Log in as a Contributor and navigate to the \"New Post\" page (`\u002Fwp-admin\u002Fpost-new.php`).\n2. **Extract Nonce:** The `wp_rest` nonce is localized in the `wpApiSettings` JavaScript object.\n3. **Agent Tooling:**\n   - Use `browser_navigate` to go to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost-new.php`.\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     window.wpApiSettings.nonce\n     ```\n\n## 5. 
Exploitation Strategy\n### Step 1: Discover the exact REST parameter\nThe researcher should first confirm the REST API structure by inspecting the plugin's registration of `jalw\u002Fv1\u002Farchive`.\n```bash\ngrep -rn \"register_rest_route\" . --include=\"*.php\"\n```\n\n### Step 2: Craft Payload\nSince no POP chain is present in the plugin, we use a generic \"check\" payload to confirm the injection. If a specific chain is required for RCE, common WordPress core chains (like `WP_HTML_Token` in newer versions or `Requests_Utility_FilteredIterator`) can be attempted.\n\n**Confirming Payload:**\n`O:8:\"stdClass\":0:{}` (A simple standard class object).\n\n### Step 3: Execute Request\nSend an authenticated request to the REST API with the serialized payload.\n\n**HTTP Request (via `http_request` tool):**\n- **Method:** `GET` (or `POST` if the route requires it)\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fjalw\u002Fv1\u002Farchive?categories=O:8:\"stdClass\":0:{}`\n- **Headers:**\n  - `X-WP-Nonce`: `[EXTRACTED_NONCE]`\n  - `Cookie`: `[CONTRIBUTOR_COOKIES]`\n\n## 6. Test Data Setup\n1. **User Creation:** Create a user with the `contributor` role.\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n2. **Post Context:** As the contributor, create a draft post to ensure the editor environment is active.\n   ```bash\n   wp post create --post_type=post --post_status=draft --post_author=[ATTACKER_ID] --post_title=\"Exploit Test\"\n   ```\n\n## 7. Expected Results\n- **Success Criteria:** The server processes the request. If a POP chain is used that triggers an observable effect (e.g., creating a file or sending a DNS request), that effect is observed.\n- **Error Side-Effect:** If `unserialize()` is called on an invalid object, PHP may throw a notice or warning. 
If a valid object is injected, the REST response might return an error if the code expects an array but receives an object (e.g., `foreach() argument must be of type array`).\n\n## 8. Verification Steps\n1. **Log Analysis:** Check the PHP error logs for `unserialize()` errors or signs of object instantiation.\n   ```bash\n   tail -f \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log\n   ```\n2. **Dynamic Analysis:** Use a payload that triggers a recognizable function (if a chain is found) or use the `http_request` tool to monitor the response status. A `500 Internal Server Error` referencing a \"broken object\" or \"class not found\" often confirms deserialization was attempted.\n\n## 9. Alternative Approaches\nIf the REST API does not directly expose the vulnerability:\n1. **Block Rendering:** Contributors can save posts with blocks. If the `render_callback` for the `archive-widget` block uses `unserialize` on attributes, the attacker can save a post containing:\n   ```html\n   \u003C!-- wp:js-archive-list\u002Farchive-widget {\"categories\":\"O:8:\\\"Payload\\\":0:{}\"} \u002F-->\n   ```\n   And then view the post (or the preview) to trigger the injection.\n2. **AJAX:** Check for `wp_ajax_` actions registered by the plugin using:\n   ```bash\n   grep -rn \"wp_ajax\" . --include=\"*.php\"\n   ```\n   And check if those handlers process attributes.","The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input in the '\u002Fwp-json\u002Fjalw\u002Fv1\u002Farchive' REST API endpoint. 
Authenticated attackers with Contributor-level permissions can exploit this by submitting a serialized PHP object as a block attribute, potentially leading to remote code execution if a suitable POP chain is available on the target system.","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.1.7\u002Fassets: public\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.1.7\u002Fbuild\u002Fblock.json \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.2.0\u002Fbuild\u002Fblock.json\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.1.7\u002Fbuild\u002Fblock.json\t2026-01-12 21:31:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.2.0\u002Fbuild\u002Fblock.json\t2026-02-22 14:24:24.000000000 +0000\n@@ -7,7 +7,7 @@\n   \"category\": \"widgets\",\n   \"icon\": \"list-view\",\n   \"description\": \"A block for displaying an archive list with some effects.\",\n-  \"textdomain\": \"jalw_i18n\",\n+  \"textdomain\": \"jquery-archive-list-widget\",\n   \"editorScript\": \"file:index.js\",\n   \"editorStyle\": \"file:index.css\",\n   \"viewScript\": \"file:view.js\",\n   \"style\": \"file:style-index.css\",\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.1.7\u002Fbuild\u002Findex.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.2.0\u002Fbuild\u002Findex.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.1.7\u002Fbuild\u002Findex.asset.php\t2026-01-12 21:31:44.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fjquery-archive-list-widget\u002F6.2.0\u002Fbuild\u002Findex.asset.php\t2026-02-22 14:24:24.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('react-jsx-runtime', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-date', 'wp-element', 'wp-i18n'), 'version' => 'b60bb6b41da71dd2fe96');\n+\u003C?php return array('dependencies' => array('react-jsx-runtime', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-date', 'wp-element', 'wp-i18n'), 'version' => '44bdc6c75951c365267c');\n... (truncated)","1. Authenticate to the WordPress site as a user with at least Contributor-level permissions.\n2. Obtain a valid REST API nonce (wp_rest) by inspecting the 'wpApiSettings.nonce' variable in the dashboard's browser console.\n3. Identify the REST API endpoint at '\u002Fwp-json\u002Fjalw\u002Fv1\u002Farchive', which is used by the plugin to fetch archive data for its Gutenberg block.\n4. Craft a malicious request to this endpoint, supplying a serialized PHP object (POP chain) to the 'categories' parameter (or other parameters that are processed as block attributes).\n5. The server-side code receives the request and processes the attribute using a deserialization function (e.g., 'unserialize' or 'maybe_unserialize') on the untrusted string.\n6. 
The injected object is instantiated, triggering the POP chain and allowing for arbitrary code execution, file deletion, or sensitive data retrieval, depending on available classes in the WordPress environment.","gemini-3-flash-preview","2026-04-18 01:31:41","2026-04-18 01:32:15",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","6.1.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjquery-archive-list-widget\u002Ftags\u002F6.1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjquery-archive-list-widget.6.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjquery-archive-list-widget\u002Ftags\u002F6.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fjquery-archive-list-widget.6.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fjquery-archive-list-widget\u002Ftags"]