[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fquWzBP2M8RFo332wtribMOBCKu5YQTTTjEp2oUcxh8M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32413","permalink-manager-lite-missing-authorization-2","Permalink Manager Lite \u003C 2.5.3 - Missing Authorization","The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions before 2.5.3 (fixed in 2.5.3). 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","permalink-manager",null,"\u003C2.5.3","2.5.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-25 00:00:00","2026-04-15 21:15:18",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa61335cb-024d-4f58-8e58-c5b2064d8b51?source=api-prod",50,[22,23,24,25,26,27,28,29],"README.txt","includes\u002Fcore\u002Fpermalink-manager-actions.php","includes\u002Fcore\u002Fpermalink-manager-core-functions.php","includes\u002Fcore\u002Fpermalink-manager-debug.php","includes\u002Fcore\u002Fpermalink-manager-helper-functions.php","includes\u002Fcore\u002Fpermalink-manager-uri-functions-post.php","includes\u002Fintegrations\u002Fpermalink-manager-language-plugins.php","includes\u002Fintegrations\u002Fpermalink-manager-third-parties.php","researched",false,3,"# CVE-2026-32413: Permalink Manager Lite \u003C 2.5.3 - Missing Authorization Research Plan\n\nThe **Permalink Manager Lite** plugin is vulnerable to unauthorized settings modification and data manipulation due to a missing capability check in its core action processing function. While the plugin implements nonce verification, it fails to verify that the user performing the action has the `manage_options` capability. If an attacker can obtain a valid nonce (which is often leaked in the plugin's UI or frontend components), they can modify plugin settings, regenerate permastructures, or update the entire permalink database.\n\n## 1. 
Vulnerability Summary\n- **Vulnerable Function:** `Permalink_Manager_Actions::trigger_action()`\n- **File:** `includes\u002Fcore\u002Fpermalink-manager-actions.php`\n- **Hook:** `admin_init` (Priority 9)\n- **Problem:** The function processes critical administrative actions (saving settings, updating permalinks, importing data) by verifying only a WordPress nonce (`permalink-manager`) without checking if the user has administrative privileges (`current_user_can( 'manage_options' )`).\n- **Impact:** Unauthenticated attackers (via `admin-ajax.php`) or low-privileged users who can obtain the nonce can modify the site's permalink structure, which can lead to widespread 404 errors, SEO damage, or redirection of traffic.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (triggers `admin","The Permalink Manager Lite plugin fails to perform an authorization check (such as current_user_can) in its trigger_action function, which is hooked to admin_init. This allows unauthenticated or low-privileged users who can obtain a valid nonce to perform sensitive administrative actions, including modifying plugin settings, changing permastructures, or updating the entire permalink database. Note: the diff recorded for includes\u002Fcore\u002Fpermalink-manager-actions.php tightens nonce handling, sanitizes the filter parameters and switches to wp_safe_redirect, but does not itself show an added current_user_can() call, and this analysis is marked unverified; confirm where 2.5.3 enforces the capability check before relying on this summary.","\u002F\u002F includes\u002Fcore\u002Fpermalink-manager-actions.php:40\npublic function trigger_action() {\n    global $permalink_manager_after_sections_html;\n\n    \u002F\u002F 1. Check if the form was submitted\n    if ( empty( $_POST ) ) {\n        return;\n    }\n\n    \u002F\u002F 2. 
Do nothing if search query is not empty\n    if ( isset( $_REQUEST['search-submit'] ) || isset( $_REQUEST['filter-button'] ) ) {\n        if ( wp_verify_nonce( $_POST[ 'uri_editor' ], 'permalink-manager' ) ) {\n            $this->trigger_filter_action();\n        }\n\n        return;\n    }\n\n    $actions_map = array(\n        'uri_editor'                     => array( 'function' => 'update_all_permalinks', 'display_uri_table' => true ),\n        'permalink_manager_options'      => array( 'function' => 'save_settings' ),\n        'permalink_manager_permastructs' => array( 'function' => 'save_permastructures' ),\n        'import'                         => array( 'function' => 'import_custom_permalinks_uris' ),\n    );\n\n    \u002F\u002F 3. Find the action\n    foreach ( $actions_map as $action => $map ) {\n        if ( isset( $_POST[ $action ] ) && wp_verify_nonce( $_POST[ $action ], 'permalink-manager' ) ) {\n            \u002F\u002F Execute the function\n            $output = call_user_func( array( $this, $map['function'] ) );\n\n            \u002F\u002F ...\n        }\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpermalink-manager\u002F2.5.2.4\u002Fincludes\u002Fcore\u002Fpermalink-manager-actions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpermalink-manager\u002F2.5.3\u002Fincludes\u002Fcore\u002Fpermalink-manager-actions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpermalink-manager\u002F2.5.2.4\u002Fincludes\u002Fcore\u002Fpermalink-manager-actions.php\t2026-01-09 16:45:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpermalink-manager\u002F2.5.3\u002Fincludes\u002Fcore\u002Fpermalink-manager-actions.php\t2026-02-10 14:49:46.000000000 +0000\n@@ -30,16 +30,12 @@\n \t\t}\n \n \t\t\u002F\u002F 2. 
Do nothing if search query is not empty\n-\t\tif ( isset( $_REQUEST['search-submit'] ) || isset( $_REQUEST['filter-button'] ) ) {\n-\t\t\tif ( wp_verify_nonce( $_POST[ 'uri_editor' ], 'permalink-manager' ) ) {\n-\t\t\t\t$this->trigger_filter_action();\n-\t\t\t}\n-\n-\t\t\treturn;\n+\t\tif ( isset( $_POST['uri_editor_nonce'] ) && ( isset( $_REQUEST['search-submit'] ) || isset( $_REQUEST['filter-button'] ) ) ) {\n+\t\t\t$this->trigger_filter_action();\n \t\t}\n \n \t\t$actions_map = array(\n-\t\t\t'uri_editor'                     => array( 'function' => 'update_all_permalinks', 'display_uri_table' => true ),\n+\t\t\t'uri_editor_nonce'               => array( 'function' => 'update_all_permalinks', 'display_uri_table' => true ),\n \t\t\t'permalink_manager_options'      => array( 'function' => 'save_settings' ),\n \t\t\t'permalink_manager_permastructs' => array( 'function' => 'save_permastructures' ),\n \t\t\t'import'                         => array( 'function' => 'import_custom_permalinks_uris' ),\n@@ -47,7 +43,9 @@\n \n \t\t\u002F\u002F 3. Find the action\n \t\tforeach ( $actions_map as $action => $map ) {\n-\t\t\tif ( isset( $_POST[ $action ] ) && wp_verify_nonce( $_POST[ $action ], 'permalink-manager' ) ) {\n+\t\t\t$nonce = ( isset( $_POST[ $action ] ) ) ? sanitize_key( $_POST[ $action ] ) : '';\n+\n+\t\t\tif ( ! empty( $nonce ) && wp_verify_nonce( $nonce, 'permalink-manager' ) ) {\n \t\t\t\t\u002F\u002F Execute the function\n \t\t\t\t$output = call_user_func( array( $this, $map['function'] ) );\n \n@@ -74,17 +72,21 @@\n \t * @return void\n \t *\u002F\n \tpublic function trigger_filter_action() {\n+\t\tif ( empty( $_POST['uri_editor_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['uri_editor_nonce'] ), 'permalink-manager' ) ) {\n+\t\t\treturn;\n+\t\t}\n+\n \t\t$query_args = array(\n-\t\t\t'langcode' => ! empty( $_REQUEST['langcode'] ) ? $_REQUEST['langcode'] : null,\n-\t\t\t'month'    => ! empty( $_REQUEST['month'] ) ? 
$_REQUEST['month'] : null,\n-\t\t\t's'        => ! empty( $_REQUEST['s'] ) ? $_REQUEST['s'] : null,\n+\t\t\t'langcode' => ! empty( $_REQUEST['langcode'] ) ? sanitize_key( $_REQUEST['langcode'] ) : null,\n+\t\t\t'month'    => ! empty( $_REQUEST['month'] ) ? sanitize_key( $_REQUEST['month'] ) : null,\n+\t\t\t's'        => ! empty( $_REQUEST['s'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ) : null,\n \t\t);\n \n \t\tif ( ! empty( $query_args ) ) {\n \t\t\t$sendback = remove_query_arg( array_keys( $query_args ), wp_get_referer() );\n \t\t\t$sendback = add_query_arg( array_filter( $query_args ), $sendback );\n \n-\t\t\twp_redirect( $sendback );\n+\t\t\twp_safe_redirect( $sendback );\n \t\t\texit;\n \t\t}\n \t}","The exploit targets the Permalink_Manager_Actions::trigger_action function, which is executed via the admin_init hook. An attacker needs to: \n1. Obtain a valid WordPress nonce for the 'permalink-manager' action. This nonce is often available to low-privileged users who have access to the dashboard or can be leaked via certain frontend contexts.\n2. Construct a POST request to any administrative URL (e.g., \u002Fwp-admin\u002Fadmin-ajax.php) which triggers the admin_init hook.\n3. Include an action parameter from the $actions_map in the POST body (e.g., permalink_manager_options) with the valid nonce as its value.\n4. Provide the corresponding payload for the function being called (e.g., providing a list of plugin settings to modify in the POST body for the save_settings function).\n5. 
Because the plugin only verifies the nonce and does not check the requesting user's capabilities, it executes the sensitive function regardless of that user's role; the advisory lists 2.5.3 as the patched release.","gemini-3-flash-preview","2026-04-19 00:25:20","2026-04-19 00:26:09",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.5.2.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpermalink-manager\u002Ftags\u002F2.5.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpermalink-manager.2.5.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpermalink-manager\u002Ftags\u002F2.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpermalink-manager.2.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpermalink-manager\u002Ftags"]