[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsxS48UE8uYmCVHNNm7oVvGQUWQvI75isB3AQN406jFc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-25036","passster-missing-authorization","Passster \u003C= 4.2.25 - Missing Authorization","The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.","content-protector",null,"\u003C=4.2.25","4.2.26","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-12 00:00:00","2026-02-16 22:32:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb08ebc3b-ee89-4a4d-8a4c-8513e13b32b6?source=api-prod",5,[],"researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2026-25036**, a missing authorization vulnerability in the **Passster** plugin for WordPress.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization\n*   **Affected Plugin:** Passster – Password Protect Pages and Content (slug: `content-protector`)\n*   **Affected Versions:** \u003C= 4.2.25\n*   **Vulnerability Location:** Likely an AJAX handler registered via `wp_ajax_` in the plugin's administration or AJAX handling classes (e.g., `includes\u002Fclass-passster-ajax.php`).\n*   **Reason:** The function triggered by the AJAX action fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`) and\u002For does not properly verify a nonce that is restricted to administrators. This allows any authenticated user with dashboard access (Contributor level and above) to execute the function.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Authentication:** Authenticated, Contributor-level access (or higher).\n*   **Vulnerable Action (Inferred):** Likely related to statistics, log management, or setting updates. Based on the \"Integrity: Low\" rating, we will target the statistics deletion or log clearing functionality.\n*   **Potential Actions to Audit:**\n    1.  `ps_delete_statistics` (or `passster_delete_statistics`)\n    2.  `ps_clear_logs`\n    3.  `ps_save_settings` (if it affects non-critical parameters)\n*   **Preconditions:** The attacker must be logged in as a Contributor. The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers an AJAX handler using `add_action( 'wp_ajax_[ACTION_NAME]', [ $this, 'function_name' ] )`.\n2.  **Trigger:** A Contributor sends a POST request to `admin-ajax.php` with the `action` parameter set to the vulnerable hook.\n3.  **Execution:**\n    *   WordPress calls the registered function.\n    *   The function checks for a nonce (if present), which may be accessible to Contributors via the admin dashboard scripts.\n    *   The function **fails** to call `current_user_can()`.\n    *   The function performs a database operation (e.g., `$wpdb->query(\"DELETE FROM ...\")`) or updates an option.\n\n### 4. Nonce Acquisition Strategy\nEven if authorization is missing, WordPress plugins often check nonces.\n1.  **Identify Shortcode\u002FScript Loading:** Check where the admin scripts are enqueued. Passster typically enqueues admin scripts for all users who can access the backend.\n2.  **Identify Localized Variable:** Look for `wp_localize_script` in `includes\u002Fclass-passster-admin.php` (or similar).\n    *   **Probable JS Object:** `passster_admin` or `passster_vars`.\n    *   **Probable Nonce Key:** `nonce` or `ajax_nonce`.\n3.  **Acquisition Steps:**\n    1.  Log in as a **Contributor**.\n    2.  Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n    3.  Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Example guess - will be verified in exploration phase\n        window.passster_admin?.nonce || window.passster_vars?.nonce\n        ```\n\n### 5. Exploitation Strategy\nWe will attempt to perform an unauthorized action, such as deleting plugin statistics.\n\n**Step 1: Discovery**\n*   Search for `add_action( 'wp_ajax_` in the plugin directory.\n*   Identify the function associated with sensitive-looking actions (e.g., `delete`, `save`, `update`).\n*   Confirm the absence of `current_user_can` in that function.\n\n**Step 2: Preparation**\n*   Create a Contributor user.\n*   Ensure some \"Statistics\" or \"Logs\" exist in the plugin (if applicable) to prove deletion.\n\n**Step 3: Execution (Targeting Statistics Deletion)**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```text\n    action=[ACTION_NAME]&_wpnonce=[NONCE]&other_params=...\n    ```\n*   **Action Name:** To be determined during discovery (e.g., `ps_delete_statistics`).\n\n### 6. Test Data Setup\n1.  **Plugin Setup:** Install and activate Passster 4.2.25.\n2.  **Generate Data:** \n    *   Create a password-protected post: `wp post create --post_type=post --post_title=\"Protected\" --post_status=publish --post_content='[passster password=\"password\"]Secret Content[\u002Fpassster]'`\n    *   Visit the post and enter the password several times to generate statistics entries in the database.\n3.  **User Setup:**\n    *   Create a Contributor: `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n\n### 7. Expected Results\n*   **Success:** The server returns a `200 OK` or a JSON success message (e.g., `{\"success\": true}`).\n*   **Data Impact:** The statistics table in the database is cleared or a specific setting is changed, despite the user only being a Contributor.\n\n### 8. Verification Steps\n1.  **CLI Check:** Use `wp db query \"SELECT COUNT(*) FROM wp_passster_statistics\"` (adjust table name based on discovery) before and after the exploit.\n2.  **Expected Count:** The count should drop to 0 after the POST request.\n3.  **Access Check:** Verify that a Contributor normally *cannot* access the Statistics page in the UI, confirming the AJAX request bypassed intended UI restrictions.\n\n### 9. Alternative Approaches\nIf statistics deletion is not the vulnerable path:\n*   **Settings Update:** Check for `ps_save_settings`. If vulnerable, try to change the `passster_instructions` or similar low-impact setting via `admin-ajax.php`.\n*   **Post Meta:** Check if any AJAX actions allow updating post meta without checking if the user can edit that specific post.\n*   **Bypass Nonce:** If `check_ajax_referer` is called with `die=false` and the return value is not checked, the exploit can be performed without a valid nonce. Look for:\n    ```php\n    check_ajax_referer( 'action', 'nonce', false );\n    \u002F\u002F ... logic proceeds regardless of check_ajax_referer result ...\n    ```","The Passster plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on its AJAX handlers in versions up to 4.2.25. This allows authenticated attackers with Contributor-level access or higher to perform unauthorized administrative actions, such as deleting plugin statistics.","1. Authenticate as a Contributor-level user and access the WordPress dashboard.\n2. Extract the required AJAX nonce from localized scripts in the admin dashboard, typically stored in the `passster_admin` or `passster_vars` JavaScript objects.\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the 'action' parameter set to a vulnerable handler (such as 'ps_delete_statistics') and include the extracted nonce.\n4. Verify that the administrative action (e.g., statistics deletion) is executed successfully, confirming that the server processed the request without verifying the user's administrative capabilities.","gemini-3-flash-preview","2026-04-21 00:10:57","2026-04-21 00:12:49",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","4.2.25","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontent-protector\u002Ftags\u002F4.2.25","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontent-protector.4.2.25.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontent-protector\u002Ftags\u002F4.2.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontent-protector.4.2.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontent-protector\u002Ftags"]