[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjaTNSS_HNzWMJ7sXtLNWEIpWZY6EhIQKIzbFzbrmvUU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39682","linkpizza-manager-missing-authorization","linkPizza-Manager \u003C= 5.5.5 - Missing Authorization","The linkPizza-Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.5.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","linkpizza-manager",null,"\u003C=5.5.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-21 00:00:00","2026-04-15 21:29:05",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4d9f2f77-c3e5-49ae-b091-698312056b9d?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39682 (linkPizza-Manager Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **linkPizza-Manager** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including **5.5.5**. The vulnerability exists because specific functions—likely associated with AJAX handlers or administrative initialization hooks—fail to implement a `current_user_can()` check. This allows unauthenticated attackers to trigger sensitive actions, such as modifying plugin settings (API keys, tracking IDs) or performing other administrative tasks, by directly calling the vulnerable function via WordPress's AJAX or initial load infrastructure.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (or potentially any request if hooked to `admin_init`).\n*   **Action (Inferred):** `linkpizza_save_settings` or `linkpizza_update_options`.\n*   **Vulnerable Hook:** `wp_ajax_nopriv_linkpizza_save_settings` or a similar action registered for logged-out users. Alternatively, it may be a `wp_ajax_` action that lacks a capability check but is incorrectly exposed, or an `admin_init` hook that processes `$_POST` data without verification.\n*   **Payload Parameter:** `lp_api_key`, `lp_project_id`, or generic settings arrays.\n*   **Authentication:** Unauthenticated (PR:N).\n*   **Preconditions:** The plugin must be active. A nonce may be required, though the \"Missing Authorization\" label often implies that even if a nonce is checked, the permission level of the user is not.\n\n## 3. Code Flow\n1.  **Entry Point:** The attacker sends a `POST` request to `admin-ajax.php`.\n2.  **Hook Trigger:** WordPress processes the `action` parameter (e.g., `linkpizza_save_settings`). If registered via `add_action( 'wp_ajax_nopriv_linkpizza_save_settings', ... )`, it executes the callback.\n3.  **Vulnerable Function:** The callback function (e.g., `linkpizza_handle_settings_save()`) is invoked.\n4.  **Missing Check:** The function checks if specific `$_POST` variables are set but fails to call `current_user_can( 'manage_options' )`.\n5.  **Sink:** The function calls `update_option( 'linkpizza_settings', ... )` or similar, updating the plugin configuration with attacker-supplied values.\n\n## 4. Nonce Acquisition Strategy\nIf the plugin uses `check_ajax_referer()` or `wp_verify_nonce()`, we must obtain a valid nonce. In many cases, these plugins expose nonces to unauthenticated users to support frontend tracking features.\n\n1.  **Discovery:** Identify if the plugin enqueues scripts on the frontend.\n2.  **Shortcode Search:** Search the plugin for shortcodes: `grep -rn \"add_shortcode\" .` (e.g., `[linkpizza]`).\n3.  **Page Creation:** Create a page containing the shortcode:\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"LP Test\" --post_content='[linkpizza]'\n    ```\n4.  **Extraction:** Navigate to the page and use `browser_eval` to find the localized data:\n    *   **Inferred Variable:** `window.linkpizza_vars` or `window.lp_manager_data`.\n    *   **Command:** `browser_eval(\"window.lp_manager_vars?.nonce\")`\n5.  **Bypass Check:** If the code uses `check_ajax_referer( 'linkpizza_action', 'nonce', false )` without checking the return value, the nonce check is bypassed, and any value will work.\n\n## 5. Exploitation Strategy\nWe will attempt to overwrite the LinkPizza API Key, which would allow an attacker to redirect affiliate commission data to their own account.\n\n### Step 1: Discover the AJAX Action\nSearch the plugin source for AJAX registrations:\n```bash\ngrep -r \"wp_ajax_nopriv\" .\n```\nAssuming the action is `linkpizza_save_settings`.\n\n### Step 2: Test Unauthenticated Setting Update\nSend a POST request to update the API key.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `linkpizza_save_settings` (inferred)\n    *   `lp_api_key`: `ATTACKER_CONTROLLED_API_KEY`\n    *   `nonce`: `[EXTRACTED_NONCE]` (if required)\n\n### Step 3: Blind Verification (If response is non-descript)\nIf the response is `0` or `1`, we must verify the database state.\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `linkpizza-manager` \u003C= 5.5.5 is installed.\n2.  **Initial Config:** Set a legitimate API key via WP-CLI to simulate a configured environment:\n    ```bash\n    wp option update linkpizza_settings '{\"api_key\": \"LEGIT_KEY_123\", \"project_id\": \"PROJECT_456\"}'\n    ```\n3.  **Public Page:** Create a page to test for frontend nonce leakage (as described in section 4).\n\n## 7. Expected Results\n*   **Response:** The HTTP response should indicate success (e.g., a JSON success message `{\"success\":true}` or a simple `1`).\n*   **Database Change:** The WordPress option `linkpizza_settings` (or similar) will now contain `ATTACKER_CONTROLLED_API_KEY`.\n\n## 8. Verification Steps\nAfter sending the exploit, verify the modification using WP-CLI:\n```bash\n# Check the current value of the settings option\nwp option get linkpizza_settings\n\n# Verify if the API key matches the payload\nwp option get linkpizza_settings --format=json | jq -r '.api_key'\n```\n\n## 9. Alternative Approaches\n*   **admin_init Hook:** If no AJAX action is found, search for `admin_init` hooks that do not check `is_admin()` or permissions:\n    ```bash\n    grep -rn \"add_action.*admin_init\" .\n    ```\n    Then, trigger the logic by visiting `\u002Fwp-admin\u002Fadmin-post.php` or even `\u002Fwp-admin\u002Findex.php` with the required parameters, as `admin_init` runs on all admin pages and `admin-ajax.php`.\n*   **Parameter Fuzzing:** If the setting key is unknown, look for the `update_option` call in the vulnerable function to identify the exact key name (e.g., `lp_settings`, `linkpizza_options`).","The linkPizza-Manager plugin for WordPress (up to version 5.5.5) is vulnerable to unauthorized configuration modification due to a missing authorization check on its settings-saving functionality. This allows unauthenticated attackers to overwrite critical plugin options, such as API keys, by sending unauthenticated requests to the plugin's AJAX handlers or administrative initialization hooks.","The exploit targets the plugin's settings update mechanism, which is incorrectly exposed via AJAX or an admin_init hook without proper permission checks. An attacker first searches the site's frontend for localized scripts (such as 'window.lp_manager_vars') to extract a valid nonce if the plugin requires one. They then send an unauthenticated POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' (or a similar administrative endpoint) containing the target 'action' and malicious configuration values, such as an attacker-controlled 'lp_api_key'. Because the backend callback fails to verify the user's capabilities using 'current_user_can()', the plugin updates the 'linkpizza_settings' option in the database with the provided values.","gemini-3-flash-preview","2026-04-19 01:50:26","2026-04-19 01:50:46",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flinkpizza-manager\u002Ftags"]