[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fv-TbtEsd95xhLCG3tS72U17ZLOpawH-BbINY70w-ZAs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14866","melapress-role-editor-improper-authorization-to-authenticated-subscriber-privilege-escalation-via-secondary-role-assignm","Melapress Role Editor \u003C= 1.1.1 - Improper Authorization to Authenticated (Subscriber+) Privilege Escalation via Secondary Role Assignment","The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator.","melapress-role-editor",null,"\u003C=1.1.1","1.2.0","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Authorization","2026-01-22 00:00:00","2026-01-23 12:26:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0509aaf1-8aae-42e5-84d3-ea9b431703f3?source=api-prod",2,[],"researched",false,3,"This research plan outlines the steps required to analyze and exploit **CVE-2025-14866**, a privilege escalation vulnerability in the **Melapress Role Editor** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **Melapress Role Editor** plugin (\u003C= 1.1.1) is vulnerable to privilege escalation because it fails to properly restrict which roles a user can assign as \"secondary roles\" during a profile update. The function `save_secondary_roles_field` (inferred name from vulnerability description) is likely hooked to `profile_update` or `personal_options_update`. While it may contain a capability check like `current_user_can( 'edit_user', $user_id )`, this check passes when a Subscriber edits their own profile. The logic fails to verify if the user has the `promote_users` capability or if the roles being assigned exceed the user's current authority, allowing a Subscriber to assign themselves the `administrator` role as a secondary role.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fprofile.php`\n*   **Action:** POST request to update the user profile.\n*   **Vulnerable Hook:** Likely `personal_options_update` and `edit_user_profile_update`.\n*   **Payload Parameter:** Inferred as `mre_secondary_roles[]` or `melapress_role_editor_secondary_roles[]`.\n*   **Authentication:** Authenticated (Subscriber or higher).\n*   **Precondition:** The plugin must be active. 
The attacker needs a valid login for a Subscriber account.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The user submits the profile update form at `\u002Fwp-admin\u002Fprofile.php`.\n2.  **Hook Trigger:** WordPress triggers the `personal_options_update` hook for the current user.\n3.  **Plugin Callback:** Melapress Role Editor's callback (e.g., `Melapress\\RoleEditor\\Admin\\User_Profile::save_secondary_roles_field`) is executed.\n4.  **Inadequate Check:** \n    ```php\n    \u002F\u002F Potential Vulnerable Logic\n    public function save_secondary_roles_field( $user_id ) {\n        if ( ! current_user_can( 'edit_user', $user_id ) ) {\n            return;\n        }\n        if ( isset( $_POST['mre_secondary_roles'] ) ) {\n            $roles = (array) $_POST['mre_secondary_roles'];\n            \u002F\u002F VULNERABILITY: No check if the current user is allowed \n            \u002F\u002F to assign these specific roles (like 'administrator').\n            update_user_meta( $user_id, '_mre_secondary_roles', $roles );\n        }\n    }\n    ```\n5.  **Sink:** `update_user_meta` or the plugin's internal role management logic persists the high-privilege secondary role to the database.\n\n### 4. Nonce Acquisition Strategy\nThe profile update form in WordPress is protected by the standard core nonce.\n1.  **Login:** Use the `http_request` tool to log in as a Subscriber.\n2.  **Navigate:** Navigate to `\u002Fwp-admin\u002Fprofile.php` using `browser_navigate`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the form.\n    *   `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n4.  **Identify Field Name:** Use `browser_eval` to inspect the HTML and find the exact name of the secondary roles input field. Look for checkboxes or a multi-select field related to \"Secondary Roles\".\n    *   *Search pattern:* `document.querySelectorAll('input[name*=\"role\"]')` or `document.querySelectorAll('select[name*=\"role\"]')`.\n\n### 5. 
Exploitation Strategy\n1.  **Identify Target User ID:** The attacker targets their own ID (usually available in the URL of `profile.php`).\n2.  **Identify the Role Parameter:** Based on the UI inspection, determine if the plugin uses a specific parameter name. We will assume `mre_secondary_roles[]` for this plan.\n3.  **Craft the Request:** Send a POST request to `\u002Fwp-admin\u002Fprofile.php` mimicking a profile update.\n    *   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fprofile.php`\n    *   **Method:** POST\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body Parameters:**\n        *   `_wpnonce`: [Extracted Nonce]\n        *   `_wp_http_referer`: `\u002Fwp-admin\u002Fprofile.php`\n        *   `from`: `profile`\n        *   `checkuser_id`: [User ID]\n        *   `user_id`: [User ID]\n        *   `mre_secondary_roles[]`: `administrator`\n        *   `submit`: `Update Profile` (or equivalent)\n        *   *Note:* Include other mandatory profile fields (nickname, email) to ensure the request is processed by core.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Install Melapress Role Editor v1.1.1.\n2.  **User Creation:** \n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3.  **Environment Check:** Ensure the plugin settings allow secondary roles (usually enabled by default upon installation).\n\n### 7. Expected Results\n*   The HTTP response should be a `302 Redirect` back to `profile.php?updated=1`.\n*   The `attacker` user, previously a Subscriber, should now possess the capabilities of an Administrator via the secondary role assignment.\n\n### 8. Verification Steps\n1.  **Database Check (WP-CLI):**\n    *   `wp user get attacker --fields=roles`\n    *   Check user meta for secondary roles: `wp user meta get attacker _mre_secondary_roles` (or the specific meta key used by the plugin).\n2.  
**Functional Check:**\n    *   Use the `attacker` session to attempt an administrator-only action, such as listing all users: `wp user list`.\n    *   Navigate to `\u002Fwp-admin\u002Fplugins.php` in the browser session to see if the menu is now accessible.\n\n### 9. Alternative Approaches\n*   **AJAX Endpoint:** Check if the plugin registers a `wp_ajax_` action for saving roles that might bypass the standard profile page entirely. Search for `wp_ajax_` in the plugin code.\n*   **Parameter Variation:** If `mre_secondary_roles[]` fails, try different naming conventions found in the source: `melapress_role_editor_secondary_roles`, `secondary_roles`, or `mre_roles`.\n*   **Profile Update via `user-edit.php`:** If `profile.php` is restricted, try targeting another user's profile if the capability check is even weaker (though the CVE suggests Escalation, which usually implies self-escalation).","The Melapress Role Editor plugin for WordPress is vulnerable to privilege escalation because it fails to properly restrict which roles a user can assign as secondary roles during a profile update. An authenticated attacker with Subscriber-level access can exploit a misconfigured capability check to assign themselves the Administrator role via their own profile settings.","\u002F\u002F Inferred from plugin structure and vulnerability description\n\u002F\u002F Path: classes\u002FAdmin\u002FUserProfile.php or similar\n\npublic function save_secondary_roles_field( $user_id ) {\n    \u002F\u002F VULNERABILITY: 'edit_user' capability is granted to users editing their own profile,\n    \u002F\u002F allowing Subscribers to pass this check when updating themselves.\n    if ( ! 
current_user_can( 'edit_user', $user_id ) ) {\n        return;\n    }\n\n    if ( isset( $_POST['mre_secondary_roles'] ) ) {\n        $roles = (array) $_POST['mre_secondary_roles'];\n        \u002F\u002F No further check to verify if the current user has 'promote_users' \n        \u002F\u002F or authority to grant the specific roles in $roles.\n        update_user_meta( $user_id, '_mre_secondary_roles', $roles );\n    }\n}","--- classes\u002FAdmin\u002FUserProfile.php\n+++ classes\u002FAdmin\u002FUserProfile.php\n@@ -10,7 +10,7 @@\n-    if ( ! current_user_can( 'edit_user', $user_id ) ) {\n+    if ( ! current_user_can( 'promote_users' ) ) {\n         return;\n     }\n \n     if ( isset( $_POST['mre_secondary_roles'] ) ) {","The exploit targets the WordPress profile update process. \n\n1. Authenticate to the target WordPress site as a Subscriber-level user.\n2. Navigate to the user profile page (\u002Fwp-admin\u002Fprofile.php) and extract the security nonce (_wpnonce) from the HTML form.\n3. Identify the input name used by the plugin for secondary roles (inferred as 'mre_secondary_roles[]').\n4. Craft a POST request to \u002Fwp-admin\u002Fprofile.php containing the standard profile update fields (user_id, email, etc.) and include the 'mre_secondary_roles[]' parameter set to 'administrator'.\n5. The plugin's save_secondary_roles_field function incorrectly validates the request using 'edit_user', which is true for self-edits, and saves the secondary 'administrator' role to the user's metadata.\n6. 
The attacker effectively gains administrative privileges on the next request or login session.","gemini-3-flash-preview","2026-05-05 02:35:00","2026-05-05 02:36:54",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmelapress-role-editor\u002Ftags\u002F1.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmelapress-role-editor.1.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmelapress-role-editor\u002Ftags\u002F1.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmelapress-role-editor.1.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmelapress-role-editor\u002Ftags"]
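Review bot: in the `classes/Admin/UserProfile.php` hunk, the `promote_users` check replaces the `edit_user` check instead of being added to it, so `$user_id` no longer takes part in the authorization decision. Any account holding `promote_users` then passes for every target user, whether or not it may edit that user. Suggest keeping both conditions, `if ( ! current_user_can( 'edit_user', $user_id ) || ! current_user_can( 'promote_users' ) ) { return; }`. The visible context also reaches `isset( $_POST['mre_secondary_roles'] )` with no sign that the submitted values are restricted. If that is not handled further down, filter the submitted role slugs against `get_editable_roles()` before saving, so that a caller cannot grant a role it is not allowed to assign.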