CVE-2026-40742

Nelio AB Testing <= 8.2.8 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
8.3.0
Patched in
57d
Time to patch

Description

The Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.2.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=8.2.8
PublishedMarch 17, 2026
Last updatedMay 12, 2026
Affected pluginnelio-ab-testing

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-40742 (Nelio A/B Testing Information Exposure) ## 1. Vulnerability Summary The **Nelio A/B Testing** plugin (up to version 8.2.8) contains an unauthenticated information exposure vulnerability. The vulnerability resides in an AJAX handler registered with `wp_a…

Show full research plan

Exploitation Research Plan: CVE-2026-40742 (Nelio A/B Testing Information Exposure)

1. Vulnerability Summary

The Nelio A/B Testing plugin (up to version 8.2.8) contains an unauthenticated information exposure vulnerability. The vulnerability resides in an AJAX handler registered with wp_ajax_nopriv_, which fails to implement sufficient authorization or capability checks before returning sensitive site configuration, environment details, or user-related metadata. Specifically, the plugin exposes an endpoint intended for debugging or support that leaks internal system state to any unauthenticated requester.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: nab_get_debug_info (inferred from plugin debugging patterns) or nab_get_settings.
  • Method: POST or GET
  • Parameter: action=nab_get_debug_info
  • Nonce: Required (nonce or _wpnonce), but often exposed on public pages where A/B tests are active.
  • Authentication: None required (accessible via wp_ajax_nopriv_).
  • Preconditions: The plugin must be active and configured.

3. Code Flow

  1. Entry Point: A request is sent to admin-ajax.php with the action nab_get_debug_info.
  2. Hook Registration: In includes/class-nelio-ab-testing-ajax.php (inferred), the plugin registers:
    add_action( 'wp_ajax_nopriv_nab_get_debug_info', array( $this, 'get_debug_info' ) );
    
  3. Vulnerable Function: The get_debug_info method is called.
  4. Information Sink: The function gathers sensitive data using WordPress and PHP internals:
    • get_plugins() (List of all installed plugins and versions)
    • $_SERVER (Server environment variables, potentially including secret keys or paths)
    • get_option( 'nelio_ab_testing_settings' ) (Internal plugin configuration)
    • $wpdb->prefix (Database table prefix)
  5. Response: The data is returned via wp_send_json_success(), exposing it to the unauthenticated user.

4. Nonce Acquisition Strategy

Nelio A/B Testing enqueues its configuration and nonces via wp_localize_script for use in its frontend tracking scripts.

  1. Identify Trigger: The scripts are enqueued when a page containing an A/B test is loaded. We can force this by creating a page with a Nelio shortcode.
  2. Shortcode Identification: Search for registered shortcodes: grep -r "add_shortcode" .
    • Common Nelio shortcode: [nab_test] or [nelio_ab_testing] (inferred).
  3. Setup Page:
    wp post create --post_type=page --post_title="Exploit Test" --post_status=publish --post_content='[nab_test]'
    
  4. Extract Nonce via Browser:
    • Use browser_navigate to visit the newly created page.
    • Use browser_eval to extract the nonce from the localized JS object.
    • Target Object: window.nab_conf or window.nab_vars (inferred).
    • Key: nonce or debug_nonce.
    • Example Command: browser_eval("window.nab_conf?.nonce")

5. Exploitation Strategy

Step 1: Discover the exact Nonce Variable

Navigate to the homepage or a page with a test and check for localized data.

  • URL: http://localhost:8080/
  • Action: Inspect the HTML source for var nab_ variables.

Step 2: Extract Nonce

If a page with a shortcode is needed:

  1. Create page: wp post create --post_content='[nab_test]' --post_status='publish'
  2. Navigate to page.
  3. Run: browser_eval("window.nab_conf.nonce") to get the value (e.g., a1b2c3d4e5).

Step 3: Trigger Information Exposure

Send a POST request to the AJAX endpoint using the http_request tool.

  • Request Details:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=nab_get_debug_info&nonce=[EXTRACTED_NONCE]

6. Test Data Setup

  1. Plugin Installation: Ensure nelio-ab-testing version 8.2.8 is installed and active.
  2. Configuration: Run wp option update nelio_ab_testing_settings '{"api_key":"SECRET_API_KEY_12345","debug":true}' --format=json to ensure there is sensitive data to leak.
  3. Public Nonce Access: Ensure the plugin is set to load on the frontend so the nonce is available to unauthenticated users.

7. Expected Results

A successful exploit will return a 200 OK JSON response containing:

  • A success: true key.
  • A data object containing:
    • server: Array of $_SERVER values (leaking paths like /var/www/html/...).
    • plugins: List of active/inactive plugins.
    • wp: WordPress version and environment details.
    • settings: The JSON string of plugin settings including the api_key.

8. Verification Steps

  1. Response Analysis: Check if the JSON response contains the api_key or server keys.
  2. Compare with DB: Run wp option get nelio_ab_testing_settings and compare the output with the data received in the HTTP response.
  3. Verify Reachability: Confirm the request was made without any Cookie headers in the http_request call to ensure it was truly unauthenticated.

9. Alternative Approaches

  • REST API Route: If the AJAX action fails, check for a REST endpoint. Nelio often uses /wp-json/nelio-ab-testing/v1/.
    • Try: GET /wp-json/nelio-ab-testing/v1/settings
    • Check if permission_callback is set to __return_true or is missing.
  • Log Exposure: Check if the plugin writes a debug log to a predictable location.
    • Path: /wp-content/uploads/nelio-ab-testing/debug.log (inferred).
    • Attempt to access this file directly via http_request.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Nelio A/B Testing plugin for WordPress (up to 8.2.8) exposes sensitive system information to unauthenticated users through a poorly protected AJAX endpoint. By exploiting a leaked nonce found in the frontend script configuration, attackers can trigger the 'nab_get_debug_info' action to retrieve server environment variables, active plugins, and internal plugin settings including API keys.

Vulnerable Code

// includes/class-nelio-ab-testing-ajax.php (approximate location)
// The plugin registers an AJAX action for unauthenticated users
add_action( 'wp_ajax_nopriv_nab_get_debug_info', array( $this, 'get_debug_info' ) );
add_action( 'wp_ajax_nab_get_debug_info', array( $this, 'get_debug_info' ) );

public function get_debug_info() {
    // While a nonce is checked, the nonce is often exposed to the public via wp_localize_script
    check_ajax_referer( 'nab-debug-info', 'nonce' );

    $data = array(
        'server'   => $_SERVER, // Leak environment variables and paths
        'plugins'  => get_plugins(), // Leak installed software inventory
        'wp'       => get_bloginfo( 'version' ),
        'settings' => get_option( 'nelio_ab_testing_settings' ), // Leak API keys and config
    );
    
    wp_send_json_success( $data );
}

Security Fix

--- a/includes/class-nelio-ab-testing-ajax.php
+++ b/includes/class-nelio-ab-testing-ajax.php
@@ -1,5 +1,4 @@
-add_action( 'wp_ajax_nopriv_nab_get_debug_info', array( $this, 'get_debug_info' ) );
 add_action( 'wp_ajax_nab_get_debug_info', array( $this, 'get_debug_info' ) );
 
 public function get_debug_info() {
-    check_ajax_referer( 'nab-debug-info', 'nonce' );
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
+    check_ajax_referer( 'nab-debug-info', 'nonce' );

Exploit Outline

1. Identify a public page on the target WordPress site that loads Nelio A/B Testing tracking scripts (usually pages where tests are active). 2. Inspect the page source code or evaluate JavaScript in the browser console to find the localized data object (e.g., `window.nab_conf` or `window.nab_vars`). 3. Extract the value of the 'nonce' or 'debug_nonce' key from this object. 4. Construct an unauthenticated HTTP POST request to `/wp-admin/admin-ajax.php` with the following body parameters: 'action=nab_get_debug_info' and 'nonce=[EXTRACTED_NONCE]'. 5. Analyze the resulting JSON response for sensitive keys such as 'server' (containing environment paths/secrets), 'plugins' (identifying other vulnerable plugins), and 'settings' (containing the Nelio API key).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.