[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRDFUszK6Mqggqc29JbXVwiBPEgt16mByQcPccLk7te8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32330","photo-gallery-by-10web-cross-site-request-forgery-2","Photo Gallery by 10Web \u003C= 1.8.37 - Cross-Site Request Forgery","The Photo Gallery by 10Web plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.37. This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","photo-gallery",null,"\u003C=1.8.37","1.8.38","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-02-08 00:00:00","2026-04-15 20:59:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5fb176f2-d966-4d78-9915-e6903d8f226a?source=api-prod",67,[22,23,24],"photo-gallery.php","readme.txt","wd\u002Fincludes\u002Fdeactivate.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32330\n\n## 1. Vulnerability Summary\nThe **Photo Gallery by 10Web** plugin (\u003C= 1.8.37) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the plugin's deactivation feedback mechanism located in `wd\u002Fincludes\u002Fdeactivate.php`. Specifically, the function `submit_and_deactivate`, which is hooked to `admin_init`, fails to perform any nonce validation before processing a deactivation request. \n\nBy tricking an administrator into submitting a forged POST request, an attacker can force the plugin to generate a valid WordPress core deactivation nonce and redirect the administrator's browser to the plugin deactivation URL. This results in the unauthorized deactivation of the plugin.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002F` (Any admin page, including `admin-ajax.php`, as it triggers `admin_init`)\n*   **Hook:** `admin_init`\n*   **Vulnerable Function:** `TenWebNewLibDeactivate::submit_and_deactivate`\n*   **Action:** Deactivating the plugin.\n*   **Authentication Level:** Unauthenticated to initiate the CSRF, but requires an Administrator to process the forged request.\n*   **Payload Parameter:** `bwg_submit_and_deactivate` (where `bwg` is the plugin prefix).\n\n## 3. Code Flow\n1.  
**Entry Point:** An administrator visits a malicious page while logged into WordPress.\n2.  **Forged Request:** The malicious page sends a POST request to the WordPress site.\n3.  **Hook Trigger:** WordPress processes the request; since it is directed at the admin area, it fires the `admin_init` hook.\n4.  **Vulnerable Callback:** The `admin_init` hook triggers `TenWebNewLibDeactivate::submit_and_deactivate()` in `wd\u002Fincludes\u002Fdeactivate.php`.\n5.  **Parameter Check:** The function checks if `isset($_POST[\"bwg_submit_and_deactivate\"])` (line 78).\n6.  **Logic Flaw:** If the parameter equals `1` or `2`, the code proceeds to generate a `$deactivate_url` using `wp_create_nonce('deactivate-plugin_' . ...)` (lines 100-104).\n7.  **Execution:** The function echoes a `\u003Cscript>` tag that sets `window.location.href` to this freshly generated, valid deactivation URL (line 105).\n8.  **Outcome:** The administrator's browser follows the redirect, and because the nonce is valid and specific to the administrator's session, WordPress deactivates the plugin.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required to initiate the attack.** \n\nThis is a \"Nonce Leakage\u002FGeneration\" CSRF. The vulnerability is that the plugin *generates* the required WordPress core nonce for the attacker when the unprotected `submit_and_deactivate` function is called. The attacker does not need to know the nonce beforehand; they only need to trigger the code that creates it.\n\n## 5. Exploitation Strategy\nThe exploitation will involve simulating an administrator submitting the forged request.\n\n### Step-by-Step Plan:\n1.  **Authenticate:** Log in to the WordPress instance as an administrator using the `login_as_admin` tool.\n2.  **Trigger Vulnerability:** Use the `http_request` tool to send a POST request to `\u002Fwp-admin\u002F` with the payload parameter.\n3.  
**Payload:**\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Findex.php` (any admin page that fires `admin_init`; `admin-ajax.php` fires it too, but current WordPress releases reject an `admin-ajax.php` request that has no `action` parameter before `admin_init` runs, so include any `action` value if you use that endpoint)\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `bwg_submit_and_deactivate=1`\n4.  **Observe Response:** Because the handler echoes during `admin_init`, the script block appears ahead of the normal page output and should look similar to:\n    `\u003Cscript>window.location.href=\"...\u002Fwp-admin\u002Fplugins.php?action=deactivate&plugin=photo-gallery%2Fphoto-gallery.php&_wpnonce=[NONCE_VALUE]\";\u003C\u002Fscript>`\n5.  **Verify Inactivity:** Check the plugin status via WP-CLI to confirm it has been deactivated.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure \"Photo Gallery by 10Web\" version 1.8.37 is installed.\n2.  **Activate Plugin:** Ensure the plugin is active: `wp plugin activate photo-gallery`.\n3.  **Confirm Status:** Verify it is active before the exploit: `wp plugin is-active photo-gallery`.\n\n## 7. Expected Results\n*   The POST request to `\u002Fwp-admin\u002Findex.php` returns a `200 OK` status.\n*   The response body contains the JavaScript redirect: `window.location.href`.\n*   The redirect URL contains a valid `_wpnonce` for the `deactivate-plugin_photo-gallery\u002Fphoto-gallery.php` action, minted for the administrator's own session.\n*   Following the redirect in that session (a browser does this automatically when it executes the injected script; a raw HTTP client must request the URL itself, with the admin cookies) results in the plugin status changing to `inactive`.\n\n## 8. Verification Steps\nAfter performing the `http_request`, run the following WP-CLI command:\n```bash\nwp plugin is-active photo-gallery\n```\n*   **Success Criteria:** The command exits non-zero (it exits 0 only while the plugin is active).\n*   **Secondary Verification:** Check if the plugin exists but is deactivated:\n```bash\nwp plugin list --name=photo-gallery --field=status\n```\nExpected output: `inactive`.\n\n## 9. 
Alternative Approaches\nIf a simple POST does not deactivate the plugin (e.g., if the agent doesn't execute the returned script), use `browser_navigate` to simulate the CSRF:\n1.  Create a local HTML file on the agent's filesystem containing an auto-submitting form.\n2.  Navigate the browser to that local file while the admin session is active.\n3.  The browser will submit the form to `\u002Fwp-admin\u002F`, execute the returned script, and follow the redirect to `plugins.php`, completing the deactivation.","The Photo Gallery by 10Web plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.8.37 because the deactivation feedback handler fails to perform nonce validation. An attacker can trick an administrator into submitting a crafted POST request that forces the plugin to generate a valid WordPress core deactivation nonce and redirect the browser to the deactivation URL, leading to unauthorized plugin deactivation.","\u002F\u002F wd\u002Fincludes\u002Fdeactivate.php lines 74-107\n\n  public function submit_and_deactivate() {\n    $wd_options = $this->config;\n    if ( isset($_POST[$wd_options->prefix . \"_submit_and_deactivate\"]) ) {\n\n      if ( $_POST[$wd_options->prefix . \"_submit_and_deactivate\"] == 2 || $_POST[$wd_options->prefix . \"_submit_and_deactivate\"] == 3 ) {\n        \u002F\u002F ... logic for sending feedback to developer ...\n      }\n      if ( $_POST[$wd_options->prefix . \"_submit_and_deactivate\"] == 2 || $_POST[$wd_options->prefix . \"_submit_and_deactivate\"] == 1 ) {\n        $deactivate_url = add_query_arg(array(\n                                          'action' => 'deactivate',\n                                          'plugin' => plugin_basename($wd_options->plugin_main_file),\n                                          '_wpnonce' => wp_create_nonce('deactivate-plugin_' . 
plugin_basename($wd_options->plugin_main_file)),\n                                        ), admin_url('plugins.php'));\n        echo '\u003Cscript>window.location.href=\"' . $deactivate_url . '\";\u003C\u002Fscript>';\n      }\n    }\n  }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fphoto-gallery\u002F1.8.37\u002Fwd\u002Fincludes\u002Fdeactivate.php\\t2022-06-16 06:23:42.000000000 +0000\\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fphoto-gallery\u002F1.8.38\u002Fwd\u002Fincludes\u002Fdeactivate.php\\t2026-02-11 13:57:30.000000000 +0000\\n@@ -73,7 +73,7 @@\\n \\n   public function submit_and_deactivate() {\\n     $wd_options = $this->config;\\n-    if ( isset($_POST[$wd_options->prefix . \"_submit_and_deactivate\"]) ) {\\n+    if ( isset($_POST[$wd_options->prefix . \"_submit_and_deactivate\"]) && wp_verify_nonce($_POST[$wd_options->prefix . '_save_form_fild'], $wd_options->prefix . '_save_form') ) {\\n \\n       if ( $_POST[$wd_options->prefix . \"_submit_and_deactivate\"] == 2 || $_POST[$wd_options->prefix . \"_submit_and_deactivate\"] == 3 ) {\\n         $data = array();","The exploit is a 'Nonce Leakage' CSRF that requires tricking an administrator into making a forged request. 1. The attacker creates a malicious page with a form that sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php (which triggers admin_init). 2. The POST request includes the parameter 'bwg_submit_and_deactivate' set to '1'. 3. When the administrator visits this page, the form is submitted. 4. Because the plugin lacks nonce checks on the 'submit_and_deactivate' function, it generates a valid WordPress deactivation URL containing a fresh, session-specific '_wpnonce'. 5. 
The plugin then returns a \u003Cscript> tag that automatically redirects the administrator's browser to this generated URL, resulting in the plugin being deactivated without the administrator's intent.","gemini-3-flash-preview","2026-04-21 03:10:25","2026-04-21 03:10:54",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.8.37","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fphoto-gallery\u002Ftags\u002F1.8.37","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fphoto-gallery.1.8.37.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fphoto-gallery\u002Ftags\u002F1.8.38","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fphoto-gallery.1.8.38.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fphoto-gallery\u002Ftags"]
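Review bot: the new condition in `submit_and_deactivate()` reads `$_POST[$wd_options->prefix . '_save_form_fild']` directly, so a request that carries `_submit_and_deactivate` but no nonce field (exactly the forged request this patch is meant to stop) emits an undefined-index warning before `wp_verify_nonce()` returns false; guard the read with `isset()`, or replace the inline check with `check_admin_referer( $wd_options->prefix . '_save_form', $wd_options->prefix . '_save_form_fild' )`, which rejects cleanly on failure. The hunk also shows no capability check around the handler; since it runs on every `admin_init`, `current_user_can( 'activate_plugins' )` belongs next to the nonce check.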
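Added example (not code from the Photo Gallery plugin or from the research above): the nonce-less `admin_init` handler pattern the advisory describes, written out beside a hardened version so the missing checks are visible side by side. The function names prefixed `example_`, the feedback-form markup and the nonce field name are assumptions for illustration; the `bwg` prefix and the `photo-gallery/photo-gallery.php` basename are taken from the page, and `wp_nonce_field`, `wp_verify_nonce`, `current_user_can`, `deactivate_plugins` and `wp_safe_redirect` are WordPress core functions.

```php
<?php
// Added example, not the plugin's code. Assumed names: example_* functions,
// the 'bwg' prefix literal, the form/nonce field names.

// --- Vulnerable pattern (mirrors the advisory's description) ---
// Hooked to admin_init, so it runs on every admin request, and it trusts a
// POST field with no nonce check. A cross-site auto-submitting form reaches it.
function example_vulnerable_submit_and_deactivate() {
    $prefix      = 'bwg';
    $plugin_file = 'photo-gallery/photo-gallery.php';
    if ( isset( $_POST[ $prefix . '_submit_and_deactivate' ] ) ) {
        // Minting a core nonce for the victim's own session and pushing the
        // browser at it turns the missing plugin-level nonce into a working
        // plugin-deactivation CSRF.
        $deactivate_url = add_query_arg( array(
            'action'   => 'deactivate',
            'plugin'   => $plugin_file,
            '_wpnonce' => wp_create_nonce( 'deactivate-plugin_' . $plugin_file ),
        ), admin_url( 'plugins.php' ) );
        echo '<script>window.location.href="' . esc_url( $deactivate_url ) . '";</script>';
    }
}

// --- Hardened pattern ---
// 1. The feedback form carries a nonce bound to one specific action name.
function example_hardened_render_feedback_form() {
    $prefix = 'bwg';
    echo '<form method="post" action="' . esc_url( admin_url( 'plugins.php' ) ) . '">';
    wp_nonce_field( $prefix . '_deactivate_feedback', $prefix . '_feedback_nonce' );
    echo '<input type="hidden" name="' . esc_attr( $prefix . '_submit_and_deactivate' ) . '" value="1">';
    submit_button( 'Deactivate' );
    echo '</form>';
}

// 2. The handler rejects the request unless the nonce verifies AND the user
//    may deactivate plugins, then performs the action server-side instead of
//    handing the browser a core nonce to replay.
function example_hardened_submit_and_deactivate() {
    $prefix      = 'bwg';
    $plugin_file = 'photo-gallery/photo-gallery.php';
    if ( ! isset( $_POST[ $prefix . '_submit_and_deactivate' ] ) ) {
        return;
    }
    // isset() guard: a missing field is a clean reject, not a PHP warning.
    $nonce = isset( $_POST[ $prefix . '_feedback_nonce' ] )
        ? sanitize_text_field( wp_unslash( $_POST[ $prefix . '_feedback_nonce' ] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, $prefix . '_deactivate_feedback' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    deactivate_plugins( $plugin_file );
    wp_safe_redirect( admin_url( 'plugins.php?deactivate=true' ) );
    exit;
}

add_action( 'admin_init', 'example_hardened_submit_and_deactivate' );
```

The two checks in the hardened handler are independent: the nonce proves the request came from a form this site rendered for this user, and the capability check proves the user is allowed to deactivate plugins at all. Calling `deactivate_plugins()` directly also removes the whole "generate a core nonce and redirect" step, which is what made the original reachable by a forged request. A single `check_admin_referer( $prefix . '_deactivate_feedback', $prefix . '_feedback_nonce' )` can replace the manual `isset` + `wp_verify_nonce` + `wp_die` sequence if the default failure page is acceptable.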