[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFdbEarPBek5Y4VqDPfUPYoukj-ZCniWnMtPnJbKJ6qM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-27379","nextscripts-social-networks-auto-poster-authenticated-contributor-php-object-injection","NextScripts: Social Networks Auto-Poster \u003C= 4.4.7 - Authenticated (Contributor+) PHP Object Injection","The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.4.7 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","social-networks-auto-poster-facebook-twitter-g",null,"\u003C=4.4.7","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-02-24 00:00:00","2026-03-05 18:06:41",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9594b351-52ba-48a7-a875-a914b70ce7b8?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-27379 - NextScripts: Social Networks Auto-Poster (SNAP) PHP Object Injection\n\n## 1. Vulnerability Summary\nThe NextScripts: Social Networks Auto-Poster (SNAP) plugin for WordPress (versions \u003C= 4.4.7) is vulnerable to **PHP Object Injection** due to the insecure use of the `unserialize()` function on user-controllable input. Specifically, the plugin processes settings and post-related data via AJAX handlers that do not adequately verify the user's capabilities (allowing Contributor+ access) or sanitize the input before deserialization. An attacker can submit a base64-encoded, serialized PHP object to trigger the vulnerability. While no built-in POP (Property-Oriented Programming) chain is identified in the plugin itself, this vulnerability can be leveraged if other plugins or themes on the site provide a suitable chain for Remote Code Execution (RCE) or arbitrary file deletion.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `nxs_snap_aj` (inferred from common SNAP AJAX routing)\n*   **Vulnerable Parameter:** `nxs_mq_data` or `nxs_data` (inferred based on plugin history)\n*   **Authentication:** Contributor-level session required.\n*   **Preconditions:** \n    1.  The plugin must be active.\n    2.  A valid WordPress nonce for the SNAP AJAX action must be obtained.\n    3.  
The attacker must have a user account with at least `contributor` privileges.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers a central AJAX handler: \n    `add_action('wp_ajax_nxs_snap_aj', 'nxs_snap_aj_callback');` (or similar registration in `nxs-snap.php`).\n2.  **Lack of Capability Check:** The callback function `nxs_snap_aj_callback` (located in `inc\u002Fnxs-functions.php` or `classes\u002Fclass-nxs-main.php`) checks for a valid nonce but fails to check for `manage_options` capability, allowing any logged-in user to reach the logic.\n3.  **Data Retrieval:** The function retrieves a POST parameter (likely `nxs_mq_data` or `nxs_data`).\n4.  **Decoding:** The input is often passed through `stripslashes()` and `base64_decode()`.\n5.  **Vulnerable Sink:** The decoded string is passed directly to `unserialize()`.\n    ```php\n    \u002F\u002F Inferred vulnerable code pattern\n    if (isset($_POST['nxs_data'])) {\n        $raw_data = $_POST['nxs_data'];\n        $decoded = base64_decode($raw_data);\n        $data = unserialize($decoded); \u002F\u002F PHP Object Injection point\n    }\n    ```\n\n## 4. Nonce Acquisition Strategy\nThe SNAP plugin localizes its AJAX configuration, including the nonce, to the WordPress admin dashboard.\n\n1.  **Identify Shortcode\u002FPage:** SNAP's scripts are typically enqueued on its settings pages, but basic AJAX vars are often available on the main Dashboard or Post Editor for authorized users.\n2.  **Target Variable:** The plugin uses a localized JavaScript object, typically named `nxs_script_vars` or `nxs_snap_ajax`.\n3.  **Action String:** The nonce is usually generated for the action `nxs_snap_aj`.\n4.  **Strategy:**\n    -   Log in as a Contributor.\n    -   Navigate to `\u002Fwp-admin\u002Findex.php` (Dashboard).\n    -   Execute `browser_eval` to extract the nonce.\n    -   **JS Logic:** `window.nxs_script_vars?.nxs_snap_ajax_nonce` or `window.nxs_snap_ajax?.nonce`.\n\n## 5. 
Exploitation Strategy\n### Step 1: Authentication\nLog in to the WordPress target using Contributor credentials.\n\n### Step 2: Nonce Extraction\nUse the `browser_navigate` and `browser_eval` tools to grab the nonce.\n*   **Navigate:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Findex.php`\n*   **Eval:** `nxs_script_vars.nxs_snap_ajax_nonce` (Verify the exact key in the page source).\n\n### Step 3: Payload Preparation\nCreate a serialized PHP object. Since no specific POP chain is known, we will use a simple \"dummy\" object to verify the injection point (e.g., a non-existent class which will trigger a PHP notice if logging is enabled).\n*   **Object:** `O:20:\"NXS_Exploit_Verified\":0:{}`\n*   **Base64 Payload:** `TzoyMDoiTlhTX0V4cGxvaXRfVmVyaWZpZWQiOjA6e30=`\n\n### Step 4: Execution\nSubmit the payload via `http_request`.\n\n*   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=nxs_snap_aj&nxs_snap_ajax_nonce=[NONCE]&nxs_data=TzoyMDoiTlhTX0V4cGxvaXRfVmVyaWZpZWQiOjA6e30=\n    ```\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Plugin Settings:** Ensure SNAP is active. Default settings are sufficient.\n3.  **Enable Logging:** To verify the injection, enable `WP_DEBUG` and `WP_DEBUG_LOG` in `wp-config.php`.\n\n## 7. Expected Results\n*   The server should return a 200 OK response (unless the deserialization causes a fatal error).\n*   If `WP_DEBUG_LOG` is enabled, look for an entry: `PHP Fatal error:  unserialize(): Drawing of 'NXS_Exploit_Verified' failed` or `Class 'NXS_Exploit_Verified' not found`.\n*   If using a known POP chain (e.g., from another plugin like Elementor or a core class like `WP_Theme` for older versions), the side effect of that chain (file write, etc.) should be observable.\n\n## 8. 
Verification Steps\nAfter sending the request, check the WordPress debug log:\n```bash\n# Check the debug log for evidence of deserialization attempt\ncat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log | grep \"NXS_Exploit_Verified\"\n```\n\nVerify that the `nxs_snap_aj` action is indeed reachable by a contributor:\n```bash\n# Check if the handler performs capability checks\ngrep -r \"function nxs_snap_aj_callback\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsocial-networks-auto-poster-facebook-twitter-g\u002F\n```\n\n## 9. Alternative Approaches\nIf `nxs_data` is not the correct parameter:\n1.  Search the source for all occurrences of `unserialize(`:\n    `grep -rn \"unserialize(\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fsocial-networks-auto-poster-facebook-twitter-g\u002F`\n2.  If the input is not Base64, try URL-encoded raw serialized data.\n3.  Some SNAP versions use `maybe_unserialize()`. Check if parameters passed to `maybe_unserialize` originate from `$_POST`.\n4.  Check for other AJAX actions: `nxs_repost_aj`, `nxs_testPost`, or `nxs_getLog`. These often share the same routing logic.","The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to PHP Object Injection in versions up to 4.4.7. This occurs because the plugin's AJAX handlers process user-controllable input via the PHP unserialize() function without adequate capability checks or data sanitization. 
Authenticated attackers with Contributor-level access or higher can exploit this to inject PHP objects, potentially leading to remote code execution if a suitable POP chain is present in other installed plugins or themes.","\u002F\u002F Inferred from research plan in inc\u002Fnxs-functions.php or classes\u002Fclass-nxs-main.php\n\nfunction nxs_snap_aj_callback() {\n    \u002F\u002F Nonce check is present, but capability check is missing\n    check_ajax_referer('nxs_snap_aj', 'nxs_snap_ajax_nonce');\n    \n    if (isset($_POST['nxs_data'])) {\n        $raw_data = $_POST['nxs_data'];\n        $decoded = base64_decode($raw_data);\n        \u002F\u002F Vulnerable Sink\n        $data = unserialize($decoded);\n        \u002F\u002F ... logic processing $data ...\n    }\n}","--- a\u002Finc\u002Fnxs-functions.php\n+++ b\u002Finc\u002Fnxs-functions.php\n@@ -10,7 +10,11 @@\n function nxs_snap_aj_callback() {\n     check_ajax_referer('nxs_snap_aj', 'nxs_snap_ajax_nonce');\n+\n+    if (!current_user_can('manage_options')) {\n+        wp_die(-1);\n+    }\n+\n     if (isset($_POST['nxs_data'])) {\n-        $data = unserialize(base64_decode($_POST['nxs_data']));\n+        $data = json_decode(base64_decode($_POST['nxs_data']), true);\n         if (is_null($data)) {\n             \u002F\u002F handle error\n         }","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php using the nxs_snap_aj action. \n\n1. Authentication: The attacker must log in with at least Contributor-level privileges to access the WordPress admin dashboard.\n2. Nonce Acquisition: The attacker extracts the AJAX nonce (likely named nxs_snap_ajax_nonce) from the localized JavaScript variables (nxs_script_vars) present in the dashboard's page source.\n3. Payload Construction: A serialized PHP object is created. 
If no POP chain is known in the plugin, a dummy object can be used to confirm the vulnerability via error logging or a known chain from WordPress core\u002Fother plugins for higher impact.\n4. Submission: The attacker sends a POST request to admin-ajax.php with the action parameter set to 'nxs_snap_aj', the retrieved nonce, and the 'nxs_data' parameter containing the base64-encoded serialized object. \n5. Execution: The server-side code decodes the base64 string and passes it to unserialize(), triggering the object injection.","gemini-3-flash-preview","2026-04-19 01:01:33","2026-04-19 01:01:58",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsocial-networks-auto-poster-facebook-twitter-g\u002Ftags"]
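Review bot: In the `nxs_snap_aj_callback` hunk of `inc/nxs-functions.php`, the replacement line `json_decode(base64_decode($_POST['nxs_data']), true)` calls `base64_decode()` without its strict flag and relies on `is_null($data)` alone, so invalid base64 characters are silently discarded before the result reaches `json_decode()`, and a decode failure cannot be told apart from a payload that is literally JSON `null`. Suggest `base64_decode($_POST['nxs_data'], true)` with an explicit rejection of a `false` result, then a `json_last_error()` check and an `is_array($data)` check before `$data` is used; the `// handle error` placeholder should terminate the request rather than fall through. The added `current_user_can('manage_options')` guard sits correctly after `check_ajax_referer()`, but any caller that still submits PHP-serialized data in `nxs_data` will stop working with this change, which is worth stating in the commit message.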