[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1GnI55L9uLy2lw2BhOWnMNVAhYGHXOulPwj3BNveZrA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-24521","kama-thumbnail-cross-site-request-forgery","Kama Thumbnail \u003C= 3.5.1 - Cross-Site Request Forgery","The Kama Thumbnail plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","kama-thumbnail",null,"\u003C=3.5.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-01-26 00:00:00","2026-02-02 16:22:40",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc30a4292-228a-483b-a443-0ccb1eca5a16?source=api-prod",[],"researched",false,3,"This plan outlines the research and exploitation strategy for **CVE-2026-24521**, a Cross-Site Request Forgery (CSRF) vulnerability in the **Kama Thumbnail** WordPress plugin (versions \u003C= 3.5.1).\n\n---\n\n### 1. Vulnerability Summary\nThe **Kama Thumbnail** plugin fails to implement or correctly verify WordPress nonces in one of its administrative action handlers. This allows an unauthenticated attacker to trick a logged-in administrator into performing state-changing actions, such as updating plugin settings or clearing thumbnail caches, by visiting a malicious webpage.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php` or `\u002Fwp-admin\u002Fadmin-ajax.php` (inferred).\n*   **Action Hook:** Likely `admin_post_kama_thumb_options` or a similar hook registered via `add_action( 'admin_init', ... )` (inferred).\n*   **HTTP Method:** `POST`\n*   **Payload Parameter:** Any plugin setting (e.g., `kama_thumbnail_options[width]`, `kama_thumbnail_options[height]`, or a toggle for automatic generation).\n*   **Authentication Level:** CSRF requires an active administrator session; however, the request itself is \"unauthenticated\" from the attacker's perspective.\n*   **Preconditions:** An administrator must be logged into the target WordPress site and must be tricked into visiting an attacker-controlled URL or submitting a forged form.\n\n### 3. 
Code Flow\n1.  **Entry Point:** The plugin registers a handler for administrative actions using `add_action( 'admin_post_{action}', ... )` or directly processes `$_POST` data inside a function hooked to `admin_init`.\n2.  **Vulnerable Sink:** The handler (e.g., `kama_thumbnail_options_save` - inferred) proceeds to call `update_option( 'kama_thumbnail_options', ... )` using values from `$_POST`.\n3.  **Missing Check:** Before updating the options, the code fails to call `check_admin_referer()` or `wp_verify_nonce()`.\n4.  **State Change:** The database state is modified based on the forged request parameters.\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the nonce check is either **missing** or **incorrectly validated**. \n\n*   **If Missing:** No nonce is required. The exploit can be triggered with a direct POST request containing only the action and the desired payload.\n*   **If Incorrectly Validated:** The plugin might be using a generic nonce (e.g., action `-1`) or verifying a nonce that is exposed on a public page.\n*   **Strategy for the Agent:**\n    1.  The agent should first attempt the exploit **without** a nonce.\n    2.  If the plugin requires a nonce, the agent should search the source code for `wp_create_nonce`. \n    3.  If found, check if it's localized via `wp_localize_script`.\n    4.  If localized, the agent must:\n        *   Identify the script handle and the variable name (e.g., `kama_thumb_data?.nonce`).\n        *   Use `browser_navigate` to a page where the plugin is active (e.g., a post with thumbnails).\n        *   Use `browser_eval(\"window.kama_thumb_data?.nonce\")` to extract it.\n\n### 5. 
Exploitation Strategy\nThe goal is to demonstrate that an attacker can modify the plugin's settings via a CSRF-style request.\n\n**Step 1: Identify the Vulnerable Action**\nSearch the plugin directory for the settings saving logic:\n`grep -rn \"update_option\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fkama-thumbnail\u002F`\nLook for the function containing this call and trace back to its `add_action` registration.\n\n**Step 2: Craft the Payload**\nAssume the action is `kama_thumb_options` and that the settings are posted as an array named `kama_thumbnail_options`, the same name as the option recorded in the baseline check below. A malicious payload might change the default thumbnail width to an extreme value.\n\n**Step 3: Execute the Exploit (via http_request)**\n```javascript\n\u002F\u002F Simulated CSRF via a POST request as the Admin\nawait http_request.post('http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php', {\n  headers: {\n    'Content-Type': 'application\u002Fx-www-form-urlencoded',\n  },\n  params: {\n    'action': 'kama_thumb_options', \u002F\u002F (Inferred action name)\n    'kama_thumbnail_options[width]': '9999',\n    'kama_thumbnail_options[height]': '9999',\n    'save_options': '1'\n  }\n});\n```\n*Note: The agent must use the admin's session\u002Fcookies for this to succeed in a test environment. In a real attack the victim's browser attaches those cookies to the cross-site POST itself; browsers that default cookies to `SameSite=Lax` (Chromium) restrict this, so a form-based PoC is most reliable in browsers without that default or shortly after the session cookie was set.*\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Install and activate `kama-thumbnail` version 3.5.1.\n2.  **Baseline Check:** Run `wp option get kama_thumbnail_options` to record the current (default) values.\n3.  **Administrator Session:** Ensure the `http_request` tool is configured with the cookies of a logged-in administrator.\n\n### 7. Expected Results\n*   The server should return a `302 Redirect` back to the settings page (typical behavior for `admin-post.php`).\n*   The `kama_thumbnail_options` entry in the `wp_options` table should be updated with the attacker's values.\n\n### 8. 
Verification Steps\nAfter sending the HTTP request, verify the success of the exploit using WP-CLI:\n```bash\nwp option get kama_thumbnail_options\n```\nCheck if the output reflects the values sent in the `POST` request (e.g., `width: 9999`).\n\n### 9. Alternative Approaches\n*   **Settings Reset:** If updating specific settings fails, try to trigger a \"Reset Settings\" action if one exists, which often uses a different (and sometimes unprotected) action hook.\n*   **Cache Clearing:** If settings update is protected, test the \"Clear Cache\" functionality. While \"Low Integrity,\" clearing the cache of a high-traffic site via CSRF can lead to a Denial of Service (DoS) by causing a massive CPU spike during regeneration. Look for actions like `kama_thumb_clear_cache`.\n*   **JS-based Extraction:** If a nonce is present but poorly implemented, use `browser_eval` to see if the nonce is available on the frontend to unauthenticated users (e.g., `uid=0` nonces).","The Kama Thumbnail plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in its administrative settings handler. 
This allows unauthenticated attackers to modify plugin configurations or clear the thumbnail cache by tricking a logged-in administrator into submitting a forged request.","\u002F\u002F kama-thumbnail\u002Fkama-thumbnail.php (Inferred location)\n\nadd_action( 'admin_init', 'kama_thumbnail_options_save' );\n\nfunction kama_thumbnail_options_save() {\n    \u002F\u002F The function lacks a call to check_admin_referer() or wp_verify_nonce()\n    if ( isset( $_POST['save_options'] ) ) {\n        $options = $_POST['kama_thumbnail_options'];\n        update_option( 'kama_thumbnail_options', $options );\n        \n        \u002F\u002F Redirection logic often follows\n        wp_redirect( admin_url( 'options-general.php?page=kama-thumbnail&settings-updated=true' ) );\n        exit;\n    }\n}\n\n---\n\n\u002F\u002F Alternative vulnerable sink for cache clearing\nadd_action( 'admin_post_kama_thumb_clear_cache', 'kama_thumb_clear_cache' );\n\nfunction kama_thumb_clear_cache() {\n    \u002F\u002F Missing nonce verification allows CSRF to clear the cache directory\n    $cache_dir = KAMA_THUMB_CACHE_DIR;\n    kama_thumb_recursive_remove( $cache_dir );\n    wp_redirect( wp_get_referer() );\n    exit;\n}","--- kama-thumbnail\u002Fkama-thumbnail.php\n+++ kama-thumbnail\u002Fkama-thumbnail.php\n@@ -5,6 +5,10 @@\n \n function kama_thumbnail_options_save() {\n     if ( isset( $_POST['save_options'] ) ) {\n+        if ( ! isset( $_POST['kama_thumb_nonce'] ) || ! wp_verify_nonce( $_POST['kama_thumb_nonce'], 'kama_thumb_save_action' ) ) {\n+            wp_die( 'Security check failed' );\n+        }\n+\n         $options = $_POST['kama_thumbnail_options'];\n         update_option( 'kama_thumbnail_options', $options );\n \n@@ -20,6 +24,10 @@\n \n function kama_thumb_clear_cache() {\n+    if ( ! isset( $_GET['_wpnonce'] ) || ! 
wp_verify_nonce( $_GET['_wpnonce'], 'kama_thumb_clear_cache_action' ) ) {\n+        wp_die( 'Security check failed' );\n+    }\n+\n     $cache_dir = KAMA_THUMB_CACHE_DIR;\n     kama_thumb_recursive_remove( $cache_dir );","The exploit targets administrative endpoints like \u002Fwp-admin\u002Fadmin-post.php or the plugin's settings page via a Cross-Site Request Forgery attack. \n\n1. **Methodology**: The attacker crafts a malicious HTML page containing a hidden form that targets the WordPress administrative backend. \n2. **Payload**: The form includes the `action` parameter (e.g., `kama_thumb_options`) and desired configuration values such as `kama_thumbnail_options[width]=9999`. To trigger the save logic, the `save_options` parameter is included.\n3. **Execution**: The attacker tricks a logged-in site administrator into visiting the malicious page. Upon visit, the form is automatically submitted (via JavaScript) to the WordPress site.\n4. **Outcome**: Because the plugin does not verify a cryptographic nonce, the WordPress core processes the request as a legitimate action performed by the administrator, resulting in unauthorized changes to the plugin's database options or deletion of the thumbnail cache.","gemini-3-flash-preview","2026-05-05 00:17:23","2026-05-05 00:17:43",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkama-thumbnail\u002Ftags"]
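Review bot: in the first hunk (kama_thumbnail_options_save) the added nonce check proves only that the request came from a form carrying the field; it does not decide who may change settings, and the handler still hands $_POST['kama_thumbnail_options'] to update_option() unsanitized. Add a capability test after the nonce check, e.g. `if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Insufficient permissions', 403 ); }`, and run the array through wp_unslash() and per-field sanitizers (absint for width and height) before saving. check_admin_referer( 'kama_thumb_save_action', 'kama_thumb_nonce' ) would replace the isset-plus-wp_verify_nonce pair with the core helper and its standard response. The hunk also has to be paired with wp_nonce_field( 'kama_thumb_save_action', 'kama_thumb_nonce' ) in the settings form, which the diff does not show; without it every legitimate save now fails with "Security check failed".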
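Review bot: in the second hunk kama_thumb_clear_cache() reads _wpnonce from $_GET only, yet the callback is registered on admin_post_ and is invoked for POST as well, so a hardened form that submits the nonce in the body is rejected for the wrong reason. check_admin_referer( 'kama_thumb_clear_cache_action' ) reads $_REQUEST['_wpnonce'] and covers both cases. As in the first hunk, a nonce is not authorization: add current_user_can( 'manage_options' ) before kama_thumb_recursive_remove( $cache_dir ), and generate the trigger link with wp_nonce_url( admin_url( 'admin-post.php?action=kama_thumb_clear_cache' ), 'kama_thumb_clear_cache_action' ) so a legitimate click carries the expected action. The hunk header declares six context lines but only four follow the added block, so the diff as shown is truncated and would not apply cleanly.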
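The plan's section 4 distinguishes a nonce check that is missing from one that is incorrectly validated, and the exploit outline relies on the browser attaching the administrator's cookies to a forged form. The following is an added Python model of that mechanism; it is not the plugin's code and not WordPress core (which implements nonces in PHP in wp-includes/pluggable.php). The derivation mirrors core's formula (tick | action | user id | session token, HMAC-MD5 keyed with the site salt, characters -12..-2 of the hex digest), while NONCE_SALT, the session token, the nonce action name `kama_thumb_save_action`, the field names and the three handler policies are assumptions made for the example.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 86400      # WordPress default: nonces live one day, rolling over every half day
NONCE_SALT = b"constructed-NONCE_KEY-NONCE_SALT"   # stand-in for the wp-config.php salts
ACTION = "kama_thumb_save_action"                  # assumed nonce action for the save handler


def nonce_tick(now: float) -> int:
    """wp_nonce_tick(): the time bucket the nonce is bound to."""
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data: str) -> str:
    """wp_hash( $data, 'nonce' ) is hash_hmac( 'md5', $data, salt )."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action: str, uid: int, token: str, now: float) -> str:
    """wp_create_nonce(): 10 hex chars of HMAC(tick|action|uid|session token)."""
    return wp_hash(f"{nonce_tick(now)}|{action}|{uid}|{token}")[-12:-2]


def verify_nonce(nonce: str, action: str, uid: int, token: str, now: float):
    """wp_verify_nonce(): 1 if generated this tick, 2 if the previous tick, else False."""
    i = nonce_tick(now)
    for age, tick in ((1, i), (2, i - 1)):
        if hmac.compare_digest(nonce, wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]):
            return age
    return False


def handle_save(policy: str, session: dict, post: dict, options: dict, now: float):
    """One request against a hypothetical options-save handler.

    session: what the victim's browser attaches (user id, session token, capability).
    post:    the form fields, which a CSRF page controls completely.
    Returns (http_status, options_after_request)."""
    if "save_options" not in post:
        return 200, options
    nonce = post.get("kama_thumb_nonce")
    if policy == "none":
        pass                                   # vulnerable: nothing ties the request to intent
    elif policy == "optional":
        # "incorrectly validated": the check only runs when the field is present, so a
        # forged form that omits it is accepted just like one with no check at all.
        if nonce is not None and not verify_nonce(nonce, ACTION, session["uid"], session["token"], now):
            return 403, options
    elif policy == "strict":
        # fixed: an absent or wrong nonce is rejected; the nonce proves intent only, so
        # the capability check still decides who may change settings.
        if nonce is None or not verify_nonce(nonce, ACTION, session["uid"], session["token"], now):
            return 403, options
        if not session["can_manage_options"]:
            return 403, options
    else:
        raise ValueError(policy)
    updated = dict(options)
    updated.update(post.get("kama_thumbnail_options", {}))
    return 302, updated


def csrf_outcomes(now: float = 1_700_000_000.0) -> dict:
    """Replay the forged POST from the plan (no nonce, admin cookies attached by the
    browser) against each policy, then two requests that do carry a nonce."""
    admin = {"uid": 1, "token": "constructed-session-token", "can_manage_options": True}
    defaults = {"width": "120", "height": "90"}             # constructed baseline values
    forged = {"save_options": "1",
              "kama_thumbnail_options": {"width": "9999", "height": "9999"}}
    out = {}
    for policy in ("none", "optional", "strict"):
        status, opts = handle_save(policy, admin, forged, defaults, now)
        out[policy] = (status, opts["width"])
    # The admin's own form carries a nonce minted for their uid and session token.
    legit = dict(forged, kama_thumb_nonce=create_nonce(ACTION, admin["uid"], admin["token"], now))
    out["strict_legit"] = handle_save("strict", admin, legit, defaults, now)[0]
    # A nonce the attacker obtained as an anonymous visitor (uid 0, empty token)
    # is bound to that identity and does not verify for the admin's session.
    anon = dict(forged, kama_thumb_nonce=create_nonce(ACTION, 0, "", now))
    out["strict_anon_nonce"] = handle_save("strict", admin, anon, defaults, now)[0]
    return out


if __name__ == "__main__":
    for name, result in csrf_outcomes().items():
        print(f"{name:18} -> {result}")
```

The "optional" policy is the shape to look for when the advisory says "missing or incorrect nonce validation": the call to wp_verify_nonce is present in the source, so a grep for it looks clean, but the attacker decides whether it runs. The anonymous-nonce case covers the plan's `uid=0` idea: a nonce minted for a logged-out visitor is trivially obtainable but does not verify for the administrator's session.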
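Step 1 of the plan greps the plugin for update_option and traces each hit back to its add_action registration by hand. The following added Python script automates that triage; it is not the plugin's code, and the PHP it scans is constructed to mirror the inferred handlers on this page plus two hypothetical variants (a reset handler whose nonce check is skipped when the field is absent, and a hardened save handler). It is a heuristic, not a PHP parser: a function is reported when it reaches a state-changing sink directly or through a callee, and its nonce and capability checks are classified by pattern.

```python
import re

# Constructed PHP mirroring the inferred handlers on this page, plus two hypothetical
# variants. None of this is the plugin's real source.
SAMPLE_PHP = r'''<?php
add_action( 'admin_init', 'kama_thumbnail_options_save' );
function kama_thumbnail_options_save() {
    if ( isset( $_POST['save_options'] ) ) {
        $options = $_POST['kama_thumbnail_options'];
        update_option( 'kama_thumbnail_options', $options );
        wp_redirect( admin_url( 'options-general.php?page=kama-thumbnail' ) );
        exit;
    }
}
add_action( 'admin_post_kama_thumb_clear_cache', 'kama_thumb_clear_cache' );
function kama_thumb_clear_cache() {
    $cache_dir = KAMA_THUMB_CACHE_DIR;
    kama_thumb_recursive_remove( $cache_dir );
    wp_redirect( wp_get_referer() );
    exit;
}
function kama_thumb_recursive_remove( $dir ) {
    foreach ( glob( "$dir/*" ) as $f ) { is_dir( $f ) ? kama_thumb_recursive_remove( $f ) : unlink( $f ); }
    rmdir( $dir );
}
add_action( 'admin_post_kama_thumb_reset', 'kama_thumb_reset' );
function kama_thumb_reset() {
    if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( $_POST['nonce'], 'kama_thumb_reset' ) ) {
        wp_die( 'Security check failed' );
    }
    delete_option( 'kama_thumbnail_options' );
}
add_action( 'admin_post_kama_thumb_save_fixed', 'kama_thumb_save_fixed' );
function kama_thumb_save_fixed() {
    check_admin_referer( 'kama_thumb_save_action', 'kama_thumb_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Forbidden', 403 ); }
    $opts = array_map( 'absint', (array) wp_unslash( $_POST['kama_thumbnail_options'] ) );
    update_option( 'kama_thumbnail_options', $opts );
}
'''

STATE_SINKS = ("update_option", "delete_option", "add_option", "unlink", "rmdir")
NONCE_CHECKS = ("check_admin_referer", "check_ajax_referer", "wp_verify_nonce")
# isset($_POST['x']) && ! wp_verify_nonce(...): the check runs only if the attacker sends the field.
OPTIONAL_NONCE_RE = re.compile(r"isset\(\s*\$_(?:POST|GET|REQUEST)\[[^\]]*\]\s*\)\s*&&\s*!\s*wp_verify_nonce")
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{")
HOOK_RE = re.compile(r"add_action\(\s*'([^']+)'\s*,\s*'(\w+)'")


def php_functions(src: str) -> dict:
    """Map function name -> body, found by brace matching (braces inside strings or
    comments are not understood; good enough for triage, not for proof)."""
    funcs = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        funcs[m.group(1)] = src[m.end():i - 1]
    return funcs


def audit(src: str) -> dict:
    """Return name -> finding for every function that changes state, directly or by
    calling another function in the same file that does."""
    funcs = php_functions(src)
    hooks = {cb: hook for hook, cb in HOOK_RE.findall(src)}
    sinks = {n: [s for s in STATE_SINKS if re.search(rf"\b{s}\s*\(", b)] for n, b in funcs.items()}
    changed = True
    while changed:                      # propagate: a caller of a sink function is a sink too
        changed = False
        for n, b in funcs.items():
            for callee in [c for c in funcs if sinks[c] and c != n and re.search(rf"\b{c}\s*\(", b)]:
                if callee not in sinks[n]:
                    sinks[n].append(callee)
                    changed = True
    report = {}
    for n, b in funcs.items():
        if not sinks[n]:
            continue
        if OPTIONAL_NONCE_RE.search(b):
            nonce = "conditional"
        elif any(c in b for c in NONCE_CHECKS):
            nonce = "present"           # the call exists; whether its result is acted on is not checked
        else:
            nonce = "missing"
        cap = "current_user_can" in b
        report[n] = {"hook": hooks.get(n), "sinks": sinks[n], "nonce": nonce,
                     "capability": cap, "verdict": "ok" if nonce == "present" and cap else "review"}
    return report


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_PHP).items():
        print(f"{finding['verdict']:6} {name} hook={finding['hook']} sinks={finding['sinks']} "
              f"nonce={finding['nonce']} capability={finding['capability']}")
```

Run it against a real plugin by replacing SAMPLE_PHP with the concatenated contents of its PHP files. Helpers with `hook=None` (kama_thumb_recursive_remove here) are reached only through their callers, so the entry to review is the hooked function that appears above them; a "present" nonce still needs a manual look, since the script cannot tell whether the return value of wp_verify_nonce is acted upon.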