[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUQnSUl3LKzrIai_RWwKHFRccvcTF8gMbjkzOPvEIgqc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39697","maio-the-new-ai-geo-seo-tool-missing-authorization","MAIO – The new AI GEO \u002F SEO tool \u003C= 6.5.2 - Missing Authorization","The MAIO – The new AI GEO \u002F SEO tool plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.5.2. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","maio-the-new-ai-geo-seo-tool",null,"\u003C=6.5.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-27 00:00:00","2026-04-15 21:31:34",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdacbf63f-a68d-405e-ae98-a6800b0880c7?source=api-prod",[],"researched",false,3,"Since the source code for the **MAIO – ChatGPT SEO Tracking & AI Search Optimization** plugin (version \u003C= 6.5.2) is not provided, this research plan focuses on identifying the specific unauthenticated AJAX or REST API endpoints that lack capability checks. Based on the vulnerability description \"Missing Authorization,\" we will look for functions hooked to `wp_ajax_nopriv_*` or REST routes with weak `permission_callback` functions.\n\n### 1. Vulnerability Summary\nThe vulnerability is a **Missing Authorization** flaw in the MAIO plugin. This occurs when a plugin registers a sensitive action (such as updating settings, deleting data, or triggering AI processes) via WordPress AJAX or REST API but fails to verify if the requesting user has the necessary permissions (e.g., `current_user_can('manage_options')`). Because it likely uses the `wp_ajax_nopriv_` hook, unauthenticated attackers can trigger the function.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (for AJAX) or `\u002Fwp-json\u002Fmaio\u002Fv1\u002F...` (for REST).\n*   **Action\u002FRoute:** Likely prefixed with `maio_`.\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** The plugin must be active. If the function requires a nonce, we must find a way to extract it.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers a handler using `add_action( 'wp_ajax_nopriv_{action_name}', '{callback_function}' )`.\n2.  
**Trigger:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action={action_name}`.\n3.  **Vulnerable Code:** The `{callback_function}` is executed. It might perform a `check_ajax_referer()` (nonce check) but lacks a `current_user_can()` check.\n4.  **Sink:** The function performs a privileged operation such as `update_option()`, `wp_insert_post()`, or modifying plugin-specific configuration.\n\n### 4. Nonce Acquisition Strategy\nMany MAIO features likely involve frontend SEO tracking or AI interactions, meaning nonces are often exposed to all visitors.\n\n1.  **Identify the Script\u002FVariable:** Search the codebase for `wp_localize_script`.\n    *   `grep -r \"wp_localize_script\" .`\n2.  **Locate the Nonce Action:** Find where the nonce is created.\n    *   `grep -r \"wp_create_nonce\" .`\n3.  **Extraction:**\n    *   Check if the plugin has a shortcode (e.g., `[maio_...]`).\n    *   `grep -r \"add_shortcode\" .`\n    *   Create a test page with the shortcode: `wp post create --post_type=page --post_status=publish --post_content='[shortcode_found]'`\n    *   Use `browser_navigate` to visit the page.\n    *   Use `browser_eval` to extract the nonce: `browser_eval(\"window.maio_obj?.nonce\")` (Replace `maio_obj` with the actual JS variable found in step 1).\n\n### 5. Exploitation Strategy\nThe agent should follow these steps to find and exploit the specific missing authorization:\n\n#### Step A: Find the vulnerable hook\nSearch for unauthenticated AJAX handlers that don't check permissions:\n```bash\n# Find all nopriv AJAX actions\ngrep -r \"wp_ajax_nopriv_\" .\n```\nFor each handler found, check the callback function for:\n1.  Presence of `update_option`, `delete_option`, or sensitive database writes.\n2.  
Absence of `current_user_can`.\n\n#### Step B: Targeted Search (Hypothetical Vulnerable Pattern)\nCommonly, SEO plugins allow unauthenticated \"tracking\" or \"logging.\" If such a handler passes an attacker-controlled option name to `update_option()`, the impact is critical, because core options such as `default_role` can be overwritten.\n```bash\n# Search for functions that update settings without capability checks\ngrep -rn \"update_option\" . -B 5 | grep \"function\"\n```\n\n#### Step C: Construct the Request\nOnce the action (e.g., `maio_save_setting`) and parameters (e.g., `setting_key`, `setting_value`) are identified:\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Body (URL-encoded):**\n    ```text\n    action=maio_save_setting&nonce=[EXTRACTED_NONCE]&setting_key=users_can_register&setting_value=1\n    ```\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `maio-the-new-ai-geo-seo-tool` version 6.5.2 is installed.\n2.  **Initial State:** Confirm a target setting is at its default (e.g., `wp option get users_can_register` returns `0`).\n3.  **Identify Nonce Source:** If the AJAX handler uses `check_ajax_referer`, find which page enqueues the script and create that page if necessary.\n\n### 7. Expected Results\n*   **Successful Exploitation:** The handler returns a JSON success response (e.g., `{\"success\":true}`). Do not rely on the HTTP status: `admin-ajax.php` answers `200 OK` for both `wp_send_json_success()` and `wp_send_json_error()`, so the response body and the verification in step 8 are what count.\n*   **Impact:** A WordPress option or plugin setting is modified. For example, the `users_can_register` option is changed to `1`; combined with `default_role` set to `administrator`, this lets anyone register an administrator account.\n\n### 8. Verification Steps\nAfter sending the `http_request`, verify the change using WP-CLI:\n```bash\n# Check if a specific option was changed\nwp option get [MODIFIED_OPTION_NAME]\n\n# Or if it was a plugin-specific setting\nwp option get maio_settings\n```\n\n### 9. Alternative Approaches\n*   **REST API:** If no AJAX hooks are vulnerable, check `register_rest_route`. 
Look for routes where `'permission_callback'` is missing or returns `true` for unauthenticated users (e.g., `'__return_true'`).\n*   **Option Injection:** If the vulnerable function uses `update_option( $_POST['key'], $_POST['value'] )` without a whitelist, try to overwrite `default_role` to `administrator` or `users_can_register` to `1`.\n*   **Bypass Nonce:** Check if `check_ajax_referer` is called with the third parameter set to `false` (e.g., `check_ajax_referer( 'action', 'nonce', false )`). If the return value isn't checked, the nonce is irrelevant.","The MAIO – ChatGPT SEO Tracking & AI Search Optimization plugin for WordPress (\u003C= 6.5.2) is reported to be vulnerable to unauthorized access due to a missing capability check on a function (CVE-2026-39697, CVSS 5.3, low integrity impact only). The plugin source was not available to this analysis and the research is unverified; the working hypothesis is that the missing check sits on an AJAX action registered for unauthenticated users via `wp_ajax_nopriv_`, which would let an attacker invoke a state-changing function such as a settings write by sending crafted requests to the site's AJAX endpoint.","To exploit this vulnerability, an attacker first identifies an unauthenticated AJAX handler registered via the 'wp_ajax_nopriv_' hook that performs sensitive operations like 'update_option'. Next, if the handler validates a nonce, the attacker retrieves a valid one from the site's frontend, where it is typically exposed to every visitor within script blocks or localized JavaScript data (e.g., via 'wp_localize_script'). The attacker then submits a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to the vulnerable hook, the retrieved nonce, and parameters to modify specific configuration values. 
Because the callback function fails to verify user permissions using 'current_user_can()', the server executes the privileged action regardless of the requester's authentication status.","gemini-3-flash-preview","2026-04-18 22:53:35","2026-04-18 22:53:52",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmaio-the-new-ai-geo-seo-tool\u002Ftags"]
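The research plan in this record (sections 5A to 5C) describes the triage by grep: list every `wp_ajax_nopriv_` registration, then read each callback for a privileged sink without `current_user_can()`. The following Python script is an added example, not code from the advisory, the research output, or the MAIO plugin. It implements that triage as a small scanner run over a constructed PHP sample embedded in the file; the `maio_`-prefixed action, callback and option names in the sample are assumptions, not identifiers taken from the plugin.

```python
"""Static triage for the 'missing authorization on an AJAX action' pattern.

Added example, not code from the MAIO plugin or from the advisory. It turns
the grep steps of the research plan into a small scanner: collect every
add_action( 'wp_ajax[_nopriv]_<action>', <callback> ) registration, extract
the callback body, and flag callbacks that reach a state-changing sink
(update_option, delete_option, ...) without a current_user_can() check.
A nonce check alone is not authorization, so a nopriv handler that only
calls check_ajax_referer() is still flagged.

SAMPLE_PHP is constructed input; the 'maio_' action, callback and option
names are assumptions, not the plugin's real identifiers.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlencode

# Writes to WordPress state that an anonymous caller should never reach.
SENSITIVE_SINKS = ("update_option", "delete_option", "wp_insert_post",
                   "wp_update_user", "$wpdb->")
CAP_CHECKS = ("current_user_can", "is_super_admin")
NONCE_CHECKS = ("check_ajax_referer", "wp_verify_nonce")

# add_action( 'wp_ajax_nopriv_foo', 'cb' | array( $this, 'cb' ) | [ $this, 'cb' ] )
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*"""
    r"""(?:['"](\w+)['"]"""
    r"""|array\(\s*\$this\s*,\s*['"](\w+)['"]\s*\)"""
    r"""|\[\s*\$this\s*,\s*['"](\w+)['"]\s*\])""")


@dataclass
class Finding:
    action: str
    callback: str
    nopriv: bool
    sinks: tuple
    has_cap_check: bool
    has_nonce_check: bool

    @property
    def missing_authorization(self) -> bool:
        # Reachable without login, writes state, never asks who is calling.
        return self.nopriv and bool(self.sinks) and not self.has_cap_check


def function_body(src: str, name: str) -> str:
    """Return the brace-delimited body of `function name(`, or '' if absent.

    Brace counting ignores braces inside strings and comments, so treat the
    result as triage input, not as a parse of the PHP.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return ""
    start = src.find("{", m.end())
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return ""


def scan(src: str) -> list:
    """One Finding per wp_ajax / wp_ajax_nopriv registration, in source order."""
    findings = []
    for m in HOOK_RE.finditer(src):
        callback = m.group(3) or m.group(4) or m.group(5)
        body = function_body(src, callback)
        findings.append(Finding(
            action=m.group(2),
            callback=callback,
            nopriv=m.group(1) is not None,
            sinks=tuple(s for s in SENSITIVE_SINKS if s in body),
            has_cap_check=any(c in body for c in CAP_CHECKS),
            has_nonce_check=any(n in body for n in NONCE_CHECKS),
        ))
    return findings


def probe_body(finding: Finding, nonce: str, params: dict) -> str:
    """URL-encoded POST body for admin-ajax.php (research plan, step C)."""
    return urlencode({"action": finding.action, "nonce": nonce, **params})


# Constructed sample: one flagged nopriv handler, one harmless nopriv
# handler (no privileged sink), one admin-only handler done correctly.
SAMPLE_PHP = r"""<?php
class Maio_Ajax {
    public function __construct() {
        add_action( 'wp_ajax_nopriv_maio_save_setting', array( $this, 'save_setting' ) );
        add_action( 'wp_ajax_maio_save_setting', array( $this, 'save_setting' ) );
        add_action( 'wp_ajax_nopriv_maio_track', [ $this, 'track' ] );
        add_action( 'wp_ajax_maio_reset', 'maio_reset_handler' );
    }
    public function save_setting() {
        check_ajax_referer( 'maio_nonce', 'nonce' );   // CSRF only, not authz
        update_option( sanitize_key( $_POST['setting_key'] ), $_POST['setting_value'] );
        wp_send_json_success();
    }
    public function track() {
        $hits = (array) get_transient( 'maio_hits' );
        $hits[] = esc_url_raw( $_POST['url'] );
        set_transient( 'maio_hits', $hits, HOUR_IN_SECONDS );
        wp_send_json_success();
    }
}
function maio_reset_handler() {
    check_ajax_referer( 'maio_admin', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'maio_settings' );
    wp_send_json_success();
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        flag = "FLAG" if f.missing_authorization else "ok  "
        print(f"{flag} {f.action:<20} cb={f.callback:<20} nopriv={f.nopriv} "
              f"sinks={f.sinks} cap={f.has_cap_check} nonce={f.has_nonce_check}")
```

Run it as a file against a real plugin by replacing `SAMPLE_PHP` with the concatenated source tree. It is a heuristic: registrations built from variables or through wrapper functions are missed, and brace counting can be thrown off by braces in strings, so every flagged callback still needs a manual read. The design point it encodes is the one the research plan makes in section 3: a `check_ajax_referer()` call proves only that the request came from a page that handed out the nonce, which for a `wp_ajax_nopriv_` handler is every visitor, so the scanner records the nonce check but does not let it clear the finding.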