[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSfuPVz_fkH_raUHj9HzaLSYGMXWzB0hXuUXpa6XmoYs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1860","kali-forms-insecure-direct-object-reference-to-authenticated-contributor-sensitive-form-data-exposure","Kali Forms \u003C= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure","The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `\u002Fkaliforms\u002Fv1\u002Fforms\u002F{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.","kali-forms",null,"\u003C=2.4.8","2.4.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-02-17 18:55:25","2026-02-18 07:25:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa1529c89-5c5e-4a2d-be31-b55d2907c9b6?source=api-prod",1,[],"researched",false,3,"# Research Plan: CVE-2026-1860 - Kali Forms IDOR Sensitive Data Exposure\n\n## 1. Vulnerability Summary\nThe Kali Forms plugin (versions \u003C= 2.4.8) contains an Insecure Direct Object Reference (IDOR) vulnerability within its REST API implementation. Specifically, the endpoint `\u002Fwp-json\u002Fkaliforms\u002Fv1\u002Fforms\u002F{id}` uses a permission callback, `get_items_permissions_check()`, that only verifies if the current user possesses the `edit_posts` capability. \n\nIn WordPress, the **Contributor** role and above are granted `edit_posts` by default. The vulnerability exists because the plugin fails to verify if the requesting user is the owner of the form or possesses administrative privileges before returning the full configuration of a specific form ID. This allows any authenticated user with Contributor-level access to retrieve sensitive configuration data for any form on the system, including those created by administrators.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Fkaliforms\u002Fv1\u002Fforms\u002F{id}` (where `{id}` is the numeric ID of a form).\n*   **Method:** `GET`\n*   **Authentication:** Authenticated (Contributor role or higher).\n*   **Vulnerable Parameter:** The `{id}` path variable.\n*   **Sensitive Data Exposed:** \n    *   Form field structures and logic.\n    *   **Google reCAPTCHA secret keys.**\n    *   Email notification templates (containing internal email addresses and logic).\n    *   Server paths and internal configuration metadata.\n*   **Preconditions:** An attacker must have a valid account with at least `Contributor` permissions. At least one form must exist (created by another user, e.g., an Administrator).\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers REST routes during the `rest_api_init` hook. The route `\u002Fkaliforms\u002Fv1\u002Fforms\u002F(?P\u003Cid>\\d+)` is mapped to a controller class (likely a subclass of `WP_REST_Controller`).\n2.  **Permission Check:** When a request hits the endpoint, WordPress calls the `permission_callback` defined for that route. In Kali Forms, this is `get_items_permissions_check()`.\n    *   *Vulnerable Logic:* The function likely contains `return current_user_can( 'edit_posts' );`.\n    *   *Missing Logic:* It lacks a check such as `get_post_field( 'post_author', $id ) == get_current_user_id()` or a check for `manage_options`.\n3.  **Data Retrieval:** Once permissions are \"validated,\" the `get_item()` method is called. This method fetches the form object (likely stored as a Custom Post Type or in a custom table) and returns the full configuration array as a JSON response.\n\n## 4. Nonce Acquisition Strategy\nSince this is a REST API exploit requiring authentication, a `_wpnonce` (specifically for the `wp_rest` action) is required to bypass WordPress's default REST API CSRF protection for authenticated requests.\n\n1.  **Login:** Log in as the **Contributor** user.\n2.  **Navigate to Admin:** Access the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n3.  **Extract Nonce:** WordPress enqueues the `wp-api` script in the dashboard, which localizes the REST nonce into the `wpApiSettings` object.\n4.  **Execution Agent Steps:**\n    *   `browser_navigate(URL + \"\u002Fwp-admin\u002F\")`\n    *   `REST_NONCE = browser_eval(\"window.wpApiSettings?.nonce\")`\n5.  **Usage:** This nonce must be sent in the `X-WP-Nonce` HTTP header during the exploit.\n\n## 5. Exploitation Strategy\n1.  **Discovery:** Identify target form IDs. Since form IDs are usually sequential integer values, they can be easily enumerated.\n2.  **Request Construction:** Craft a GET request to the REST API endpoint.\n3.  **Payload via `http_request`:**\n    *   **Method:** `GET`\n    *   **URL:** `http:\u002F\u002Fvulnerable-site.com\u002Fwp-json\u002Fkaliforms\u002Fv1\u002Fforms\u002F{id}`\n    *   **Headers:**\n        *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n        *   `Content-Type: application\u002Fjson`\n        *   `Cookie: [CONTRIBUTOR_COOKIES]`\n4.  **Looping:** If the specific form ID is unknown, iterate from `id=1` to `id=100`.\n\n## 6. Test Data Setup\nTo demonstrate the impact, the following setup is required:\n1.  **Install Kali Forms \u003C= 2.4.8.**\n2.  **Administrator Setup:**\n    *   Create a form named \"Sensitive Admin Form\".\n    *   In the form settings, configure a \"Secret\" value, such as a **reCAPTCHA Secret Key** (`6LeIxAcTAAAAAGG-vFI1TnRWxMZNF65lSclD5IIJ`) or a custom email notification template with a sensitive \"To\" address (`internal-archive@company.local`).\n    *   Identify the Form ID (e.g., look at the URL when editing the form: `post=123`).\n3.  **Contributor Setup:**\n    *   Create a user with the `Contributor` role.\n    *   Do **not** grant this user any special permissions or ownership over the Administrator's form.\n\n## 7. Expected Results\n*   The API should return a `200 OK` response.\n*   The response body will be a JSON object containing the complete configuration of the form.\n*   **Confirmation of Vulnerability:** The JSON will contain the `recaptcha_secret` or notification email details set by the Administrator, which should be inaccessible to a Contributor.\n\n## 8. Verification Steps\n1.  **Check Response Body:** Look for keys like `notifications`, `settings`, `recaptcha_v2_secret_key`, or `recaptcha_v3_secret_key`.\n2.  **WP-CLI Comparison:** Run `wp post get [ID] --format=json` as an admin to verify the data returned via the API matches the actual stored configuration.\n3.  **Role Verification:** Use `wp user get [USER_ID]` to confirm the attacker user only has the `contributor` role.\n\n## 9. Alternative Approaches\n*   **Endpoint Enumeration:** If `\u002Fkaliforms\u002Fv1\u002Fforms\u002F{id}` is blocked or changed, check for the collection endpoint `\u002Fkaliforms\u002Fv1\u002Fforms`. If the `get_items()` (plural) permission check is also broken, it may leak the entire list of forms and their configs at once.\n*   **X-WP-Nonce Bypass:** Check if the plugin registered the route without `permission_callback` entirely (unlikely based on the description) or if it uses a custom header for authentication.\n*   **Draft Forms:** Verify if the IDOR extends to \"draft\" or \"private\" forms that haven't been published yet.","The Kali Forms plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to 2.4.8. The plugin's REST API endpoint for retrieving individual form configurations only checks for the 'edit_posts' capability, allowing authenticated users with Contributor-level access or higher to view sensitive form data belonging to other users, including reCAPTCHA secret keys and email templates.","\u002F\u002F Inferred from Research Plan and Vulnerability Description\n\u002F\u002F Likely located in includes\u002Fapi\u002Fclass-kali-forms-rest-controller.php or similar\n\npublic function get_items_permissions_check( $request ) {\n    if ( ! current_user_can( 'edit_posts' ) ) {\n        return new WP_Error( 'rest_forbidden', __( 'You do not have permission to view these forms.', 'kali-forms' ), array( 'status' => 401 ) );\n    }\n\n    return true;\n}","--- a\u002Fincludes\u002Fapi\u002Fclass-kali-forms-rest-controller.php\n+++ b\u002Fincludes\u002Fapi\u002Fclass-kali-forms-rest-controller.php\n@@ -1,5 +1,5 @@\n public function get_items_permissions_check( $request ) {\n-    if ( ! current_user_can( 'edit_posts' ) ) {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n         return new WP_Error( 'rest_forbidden', __( 'You do not have permission to view these forms.', 'kali-forms' ), array( 'status' => 401 ) );\n     }","The exploit involves an authenticated attacker with Contributor-level permissions using the WordPress REST API to retrieve sensitive form configurations. First, the attacker logs into the WordPress dashboard and extracts the REST API nonce from the 'wpApiSettings' JavaScript object. Next, the attacker sends a GET request to the '\u002Fwp-json\u002Fkaliforms\u002Fv1\u002Fforms\u002F{id}' endpoint, where {id} is the ID of a target form (often discovered through simple integer enumeration). By including the 'X-WP-Nonce' header in the request, the attacker bypasses standard CSRF protections. The server, failing to verify resource ownership or administrative privileges, responds with a JSON object containing the complete form configuration, exposing sensitive data such as Google reCAPTCHA secret keys, server paths, and internal email notification templates.","gemini-3-flash-preview","2026-04-19 06:03:16","2026-04-19 06:04:27",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.4.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkali-forms\u002Ftags\u002F2.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkali-forms.2.4.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkali-forms\u002Ftags\u002F2.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkali-forms.2.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkali-forms\u002Ftags"]