[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fktXbj4aCjykerlUdxGHPkJKN2FB5BSfj1qC1cPxI5so":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39657","leadlovers-forms-missing-authorization","leadlovers forms \u003C= 1.0.2 - Missing Authorization","The leadlovers forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.","leadlovers-forms",null,"\u003C=1.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-16 00:00:00","2026-04-15 21:24:28",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fba886cec-7c0c-40dd-a6eb-bc770d571974?source=api-prod",[],"researched",false,3,"Because the source code for `leadlovers-forms` is not provided in the prompt, the following research plan is based on the vulnerability description (Missing Authorization) and common architectural patterns in WordPress plugins of this type. **All identifiers marked with (inferred) must be verified by the execution agent during the initial discovery phase.**\n\n### 1. Vulnerability Summary\nThe **leadlovers forms** plugin (up to version 1.0.2) fails to implement proper authorization checks (e.g., `current_user_can()`) on a function accessible via an AJAX or hook-based entry point. This allows unauthenticated attackers to perform actions intended for administrators, such as modifying plugin settings, tampering with form configurations, or accessing sensitive integration data (like API keys or lead lists).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (inferred)\n*   **Action:** Likely a registered AJAX action starting with `wp_ajax_nopriv_` (unauthenticated) or a `wp_ajax_` action that fails to check capabilities. Common action names in this context include `ll_save_settings`, `leadlovers_save_options`, or `save_ll_form` (inferred).\n*   **Vulnerable Parameter:** Likely a POST request containing settings arrays or configuration strings (e.g., `$_POST['options']` or `$_POST['api_key']`).\n*   **Preconditions:** The plugin must be active. No specific user account is required if the hook is `wp_ajax_nopriv_`.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `wp-admin\u002Fadmin-ajax.php?action=[VULNERABLE_ACTION]`.\n2.  **Hook Registration:** The plugin registers the action:\n    `add_action( 'wp_ajax_nopriv_[VULNERABLE_ACTION]', 'callback_function_name' );`\n3.  **Vulnerable Function:** The `callback_function_name` is executed.\n4.  **Missing Check:** The function performs a sensitive operation (like `update_option()`) without calling `current_user_can( 'manage_options' )`.\n5.  **Sink:** The database is updated with attacker-supplied values via `update_option()` or `update_post_meta()`.\n\n### 4. Nonce Acquisition Strategy\nIf the vulnerable function calls `check_ajax_referer()` or `wp_verify_nonce()`, the agent must obtain a valid nonce. Since this is an unauthenticated vulnerability, the nonce must be leaked on the frontend.\n\n1.  **Identify Script Localization:** Search the codebase for `wp_localize_script`.\n    *   *Search command:* `grep -r \"wp_localize_script\" .`\n2.  **Determine the JS Variable:** Look for the object name and the key containing the nonce.\n    *   *Common pattern:* `wp_localize_script( 'll-script', 'll_vars', array( 'nonce' => wp_create_nonce('ll_action') ) );`\n3.  **Identify Triggering Shortcode:** Check for `add_shortcode` to find how to load the plugin's assets on a page.\n    *   *Search command:* `grep -r \"add_shortcode\" .`\n4.  **Extraction Steps:**\n    *   Create a page with the identified shortcode: `wp post create --post_type=page --post_status=publish --post_content='[leadlovers_form]'` (inferred).\n    *   Navigate to the page using `browser_navigate`.\n    *   Extract the nonce using `browser_eval`: `browser_eval(\"window.ll_vars?.nonce\")` (inferred).\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate unauthorized modification of plugin settings.\n\n1.  **Discovery:**\n    *   Search for all AJAX actions: `grep -r \"wp_ajax_\" .`\n    *   Filter for those that update options or handle settings.\n    *   Inspect the callback for the absence of `current_user_can()`.\n2.  **Target Selection:** Identify a critical setting to change, such as the `leadlovers_api_key` or a redirect URL.\n3.  **Request Construction:**\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** POST\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Parameters:**\n        *   `action`: `[VULNERABLE_ACTION]`\n        *   `nonce`: `[EXTRACTED_NONCE]` (if required)\n        *   `setting_name`: `EXPLOITED_BY_POC`\n4.  **Execution:** Use the `http_request` tool to send the payload.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `leadlovers-forms` v1.0.2 is installed.\n2.  **Initialize Settings:** Set a dummy API key via WP-CLI so there is something to overwrite.\n    *   `wp option update leadlovers_settings '{\"api_key\":\"ORIGINAL_KEY\"}'` (inferred).\n3.  **Create Nonce Page:** Create a page with the plugin's main shortcode to ensure scripts are enqueued.\n    *   `wp post create --post_type=page --post_status=publish --post_content='[leadlovers_form]'` (inferred).\n\n### 7. Expected Results\n*   The server should respond with a `200 OK` or a success JSON message (e.g., `{\"success\":true}`).\n*   The target option in the WordPress database should be updated to the attacker-controlled value.\n\n### 8. Verification Steps\n1.  **Verify via WP-CLI:** Check the value of the modified option.\n    *   `wp option get leadlovers_settings` (inferred).\n2.  **Compare:** Confirm the output matches `EXPLOITED_BY_POC` or the payload sent.\n\n### 9. Alternative Approaches\n*   **REST API:** If no AJAX actions are vulnerable, check for REST routes: `grep -r \"register_rest_route\" .`. Inspect the `permission_callback`. If it is `__return_true` or missing, the endpoint is vulnerable.\n*   **Init Hook:** Check if the plugin processes `$_POST` or `$_GET` directly within an `init` or `admin_init` hook without capability checks.\n    *   *Search command:* `grep -r \"add_action.*init\" .` then search for `$_POST` in those files.\n*   **Blind Modification:** If the response doesn't indicate success, use the WP-CLI verification step to confirm if the change occurred despite a `500` or `0` response from `admin-ajax.php`.","The leadlovers forms plugin for WordPress (v1.0.2 and earlier) lacks proper authorization and nonce validation on sensitive AJAX actions. This allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings or tampering with form configurations, by sending crafted requests to the WordPress AJAX endpoint.","\u002F\u002F leadlovers-forms\u002Fleadlovers-forms.php (inferred based on research plan)\n\u002F\u002F The plugin registers an AJAX hook accessible to unauthenticated users without capability checks.\n\nadd_action( 'wp_ajax_nopriv_ll_save_settings', 'll_save_settings_callback' );\nadd_action( 'wp_ajax_ll_save_settings', 'll_save_settings_callback' );\n\nfunction ll_save_settings_callback() {\n    \u002F\u002F Vulnerability: No current_user_can() check\n    \u002F\u002F Vulnerability: No check_ajax_referer() validation\n    if ( isset( $_POST['settings'] ) ) {\n        update_option( 'leadlovers_settings', $_POST['settings'] );\n        wp_send_json_success();\n    }\n}","--- a\u002Fleadlovers-forms\u002Fleadlovers-forms.php\n+++ b\u002Fleadlovers-forms\u002Fleadlovers-forms.php\n@@ -10,6 +10,12 @@\n function ll_save_settings_callback() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized', 403 );\n+    }\n+\n+    check_ajax_referer( 'll_save_settings_nonce', 'nonce' );\n+\n     if ( isset( $_POST['settings'] ) ) {\n         update_option( 'leadlovers_settings', $_POST['settings'] );\n         wp_send_json_success();\n     }","To exploit this vulnerability, an attacker first identifies the specific AJAX action registered by the plugin (e.g., ll_save_settings). Since the vulnerability allows unauthenticated access, the attacker identifies if a nonce is required by searching the site's frontend for localized scripts (via wp_localize_script) that expose a security token. Once the action and optional nonce are identified, the attacker sends an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php. The payload includes the 'action' parameter set to the vulnerable hook and the 'settings' parameter containing malicious configuration values, such as an attacker-controlled API key or redirect URL. Success is confirmed by checking the plugin's settings via the WordPress dashboard or verifying the updated option in the database.","gemini-3-flash-preview","2026-04-20 21:57:41","2026-04-20 21:58:00",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fleadlovers-forms\u002Ftags"]