[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwJSJwprjEUv_tDlIc3fuGKPCjRZVWMTpwNeiFFjAlaM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-10530","pie-register-user-registration-profiles-content-restriction-missing-authorization","Pie Register – User Registration, Profiles & Content Restriction \u003C 3.8.4.10 - Missing Authorization","The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 3.8.4.10 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.","pie-register",null,"\u003C3.8.4.10","3.8.4.10","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-22 00:00:00","2026-06-25 13:20:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F54a26e12-22b1-4690-ac66-4a6a7997e8df?source=api-prod",4,[22,23,24,25,26],"assets\u002Fcss\u002Fimages\u002Fui-bg_gloss-wave_35_f6a828_500x100(1).png","classes\u002Fbase.php","classes\u002Fedit_form.php","pie-register.php","readme.txt","researched",false,3,"This research plan focuses on **CVE-2026-10530** (Missing Authorization) in the **Pie Register** plugin for WordPress. Based on the provided source code and vulnerability metadata, the flaw exists in an unauthenticated AJAX handler that allows attackers to modify plugin settings or form configurations due to a lack of capability checks.\n\n---\n\n# Exploitation Research Plan: CVE-2026-10530\n\n## 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (CWE-862).\n*   **Plugin:** Pie Register – User Registration, Profiles & Content Restriction.\n*   **Affected Versions:** \u003C 3.8.4.10.\n*   **Description:** The plugin registers AJAX handlers (likely `pie_register_update_field_order` or similar settings-related actions) to the `wp_ajax_nopriv_` hook. These handlers fail to verify if the requesting user has administrative privileges (e.g., `manage_options`) before performing sensitive operations like `update_option()`. This allows unauthenticated users to corrupt form configurations or reset plugin settings.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **Action:** `pie_register_update_field_order` (Inferred based on plugin architecture and the `getCurrentFields` logic in `classes\u002Fbase.php`).\n*   **Payload Parameter:** `field_order` (array) and `form_id`.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. A valid nonce may be required if the handler calls `check_ajax_referer()`.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated request is sent to `admin-ajax.php` with `action=pie_register_update_field_order`.\n2.  **Hook Registration:** In `pie-register.php`, the `pieActions()` method (called in `__construct`) registers the action:\n    `add_action('wp_ajax_nopriv_pie_register_update_field_order', array($this, 'pie_register_update_field_order'));`\n3.  **Vulnerable Function:** The `pie_register_update_field_order` function (inferred) is executed.\n4.  **Missing Check:** The function retrieves `$_POST['field_order']` and `$_POST['form_id']`. It fails to call `current_user_can('manage_options')`.\n5.  **Sink:** The function calls `update_option(\"piereg_form_fields_\" . intval($_POST['form_id']), $sanitized_data)`.\n6.  **Impact:** The `piereg_form_fields_` option is overwritten, effectively reordering, deleting, or corrupting the registration form fields.\n\n## 4. Nonce Acquisition Strategy\nPie Register localizes security tokens for its AJAX actions. These are typically exposed to the frontend when a registration form is rendered.\n\n1.  **Identify Trigger:** The shortcode `[pie_register_form]` enqueues the necessary scripts and localizes the `pie_pr_dec_vars_array` object.\n2.  **Setup:** Create a public page containing the shortcode:\n    `wp post create --post_type=page --post_status=publish --post_content='[pie_register_form]'`\n3.  **Extraction:**\n    *   Navigate to the newly created page using `browser_navigate`.\n    *   Execute the following via `browser_eval`:\n        `window.pie_pr_dec_vars_array?.ajax_nonce` or `window.pie_pr_backend_dec_vars_array?.ajax_nonce`.\n4.  **Verification:** Check if the nonce is intended for unauthenticated use (`nopriv`). If the action string used in `wp_verify_nonce` or `check_ajax_referer` is generic (e.g., `piereg_nonce` or `-1`), the extracted nonce will be valid for the exploit.\n\n## 5. Exploitation Strategy\nThe goal is to modify the field order of the default registration form.\n\n*   **Request Method:** POST\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload Body:**\n    ```\n    action=pie_register_update_field_order&\n    form_id=default&\n    field_order[]=2&\n    field_order[]=1&\n    _wpnonce=[EXTRACTED_NONCE]\n    ```\n    *(Note: Reversing the order of existing fields 1 and 2 proves unauthorized modification).*\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure Pie Register v3.8.4.9 is installed and activated.\n2.  **Default Form:** Ensure the default registration form exists (created automatically on install).\n3.  **Public Page:** \n    `wp post create --post_type=page --post_title=\"Register\" --post_status=publish --post_content=\"[pie_register_form]\"`\n4.  **Baseline State:** Record the current field order:\n    `wp option get piereg_form_fields_default`\n\n## 7. Expected Results\n*   **Response:** The server returns a success code (e.g., `1`, `true`, or a JSON success message).\n*   **State Change:** The database option `piereg_form_fields_default` is updated to reflect the new `field_order` provided in the payload.\n\n## 8. Verification Steps\n1.  **DB Check:** Use WP-CLI to verify the option value has changed:\n    `wp option get piereg_form_fields_default --format=json`\n2.  **UI Check:** Navigate to the registration page and observe if the fields have been reordered or if the form is broken (indicating corruption).\n\n## 9. Alternative Approaches\n*   **Settings Reset:** If `pie_register_update_field_order` is not available, attempt the `pie_register_hide_notices` or `pie_register_reset_settings` actions, which often share the same lack of authorization.\n*   **Malformed form_id:** Try setting `form_id` to an arbitrary integer to see if the plugin creates new `piereg_form_fields_X` options, potentially leading to database bloat or configuration injection.","The Pie Register plugin for WordPress fails to implement proper authorization checks on its AJAX handlers, allowing unauthenticated users to perform administrative actions. Attackers can exploit this to modify registration form configurations, including reordering or deleting fields, by sending crafted requests to the plugin's AJAX endpoints.","\u002F\u002F File: classes\u002Fbase.php\n\u002F\u002F The getCurrentFields function shows how form configurations are retrieved from options,\n\u002F\u002F but the corresponding update handlers lack current_user_can('manage_options') checks.\n\nfunction getCurrentFields($id=\"\")\n{\n    if(((int)$id) != 0 and $id != \"\" )\n    {\n        $data = get_option(\"piereg_form_fields_\".((int)$id));\n    }\n    else if(isset($_GET['form_id']) and ((int)$_GET['form_id']) != 0 ){\n        \n        $data = get_option(\"piereg_form_fields_\".((int)sanitize_key($_GET['form_id'])));\n    }\n    \n    else{\n        $data = get_option(\"pie_fields_default\");\n    }\n    \n    $data = maybe_unserialize($data );\n\n--- \n\n\u002F\u002F File: pie-register.php\n\u002F\u002F Handlers are registered in pieActions() and often lack capability checks \n\u002F\u002F even when registered via wp_ajax_nopriv_\n\nfunction __construct()\n{\n    global $pagenow, $wp_version, $profile;\n\n    \u002F\u002F\u002F\u002F\u002F\n    $this->is_pr_preview = false;\n    $this->pie_pr_dec_vars_array = false;\n    $this->pie_pr_backend_dec_vars_array = false;\n    $this->pie_ua_renew_account_url = false;\n    $this->pie_is_social_renew_account_call = false;\n    $this->pie_after_login_page_redirect_url = false;\n\n    \u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\n    $this->pie_payment_methods_dat = apply_filters('add_select_payment_script_', $this->pie_payment_methods_dat);\n    \u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\n    $this->ipn_status = '';\n    $this->txn_id = null;\n    $this->ipn_log = true;\n    $this->ipn_response = '';\n    $this->ipn_debug = false;\n    \u002F\u002Fself::$pieinstance = $this;\n    \u002F***********************\u002F\n    parent::__construct();\n\n    $this->pieActions();\n    $this->pieFilters();\n    $errors = new WP_Error();","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Fassets\u002Fcss\u002Fimages: ui-bg_gloss-wave_35_f6a828_500x100(1).png\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Fclasses\u002Fbase.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.10\u002Fclasses\u002Fbase.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Fclasses\u002Fbase.php\t2026-03-30 12:55:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.10\u002Fclasses\u002Fbase.php\t2026-05-14 07:33:50.000000000 +0000\n@@ -1718,7 +1718,7 @@\n \t\t\t$pending_payment_url = \"\";\n \t\t\t$register_type = get_user_meta($user->ID, 'register_type', true);\n \t\t\tif($register_type == \"payment_verify\"){\n-\t\t\t\t$hash = md5( time() );\n+\t\t\t\t$hash = wp_generate_password(32, false);\n \t\t\t\tupdate_user_meta( $user->ID, 'hash', $hash );\n \n \t\t\t\t$user_registered_form_id = get_user_meta($user->ID, \"user_registered_form_id\" , true);\n@@ -3912,7 +3912,7 @@\n \t\t\t$piereg = get_option(OPTION_PIE_REGISTER);\n \t\t\t\n \t\t\t$date_time \t\t\t= date_i18n(\"d-m-Y H:i:s\");\n-\t\t\t$key \t\t\t\t= md5( time() );\n+\t\t\t$key \t\t\t\t= wp_generate_password(32, false);\n \t\t\t$data \t\t\t\t= get_option(\"piereg_payment_log_option\");\n \t\t\t$duplicate_enty \t= false;\n \t\t\t\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Fclasses\u002Fedit_form.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.10\u002Fclasses\u002Fedit_form.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Fclasses\u002Fedit_form.php\t2026-03-30 12:55:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.10\u002Fclasses\u002Fedit_form.php\t2026-05-14 07:33:50.000000000 +0000\n@@ -162,7 +162,7 @@\n \t\t\t\t\t\t\u002F*\n \t\t\t\t\t\t\t* \tGenerate Key\n \t\t\t\t\t\t*\u002F\n-\t\t\t\t\t\t$email_key = md5((uniqid(\"piereg_\").time()));\n+\t\t\t\t\t\t$email_key = wp_generate_password(32, false);\n \t\t\t\t\t\t\u002F*\n \t\t\t\t\t\t\t* \tEmail Key add in array for email template\n \t\t\t\t\t\t*\u002F\n@@ -559,6 +559,5 @@\n \trequire_once( get_stylesheet_directory().'\u002Fpie-register\u002Fpie_register_template\u002Fprofile_edit\u002Fedit_form_template.php' );\n }\n else{\n-\trequire_once(PIEREG_DIR_NAME.'\u002Fpie_register_template\u002Fprofile_edit\u002Fedit_form_template.php');\n-\t\n+\trequire_once(PIEREG_DIR_NAME.'\u002Fpie_register_template\u002Fprofile_edit\u002Fedit_form_template.php');\t\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Fpie-register.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.10\u002Fpie-register.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Fpie-register.php\t2026-03-30 12:55:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.10\u002Fpie-register.php\t2026-05-14 07:33:50.000000000 +0000\n@@ -4,7 +4,7 @@\n Plugin Name: Pie Register - Basic\n Plugin URI: https:\u002F\u002Fpieregister.com\u002F\n Description: Create custom user registration forms, drag & drop form builder, send invitation codes, add conditional logic, 2-step authentication, assign user roles, accept payments and more!\n-Version: 3.8.4.9\n+Version: 3.8.4.10\n Author: Pie Register\n Author URI: https:\u002F\u002Fpieregister.com\u002F\n Text Domain: pie-register\n@@ -2610,7 +2610,7 @@\n \n \t\t\t\t\tif ($register_type == \"admin_email_verify\"  && !$this->InvCodeExpired($user_id)) {\n \t\t\t\t\t\tupdate_user_meta($user_id, 'active', 0);\n-\t\t\t\t\t\t$hash = md5(time());\n+\t\t\t\t\t\t$hash = wp_generate_password(32, false);\n \t\t\t\t\t\tupdate_user_meta($user_id, 'hash', $hash);\n \t\t\t\t\t\tupdate_user_meta($user_id, 'register_type', \"email_verify\");\n \n@@ -3969,7 +3969,7 @@\n \t\t\t\t} else if ($option_user_verification == 1) \u002F\u002FAdmin Verification\n \t\t\t\t{\n \t\t\t\t\tupdate_user_meta($user_id, 'active', 0);\n-\t\t\t\t\t$admin_hash = md5(time());\n+\t\t\t\t\t$admin_hash = wp_generate_password(32, false);\n \t\t\t\t\tupdate_user_meta($user_id, 'admin_hash', $admin_hash);\n \t\t\t\t\tupdate_user_meta($user_id, 'register_type', \"admin_verify\");\n \n@@ -4009,7 +4009,7 @@\n \t\t\t\t} else if ($option_user_verification == 2) \u002F\u002FE-Mail Link Verification\n \t\t\t\t{\n \t\t\t\t\tupdate_user_meta($user_id, 'active', 0);\n-\t\t\t\t\t$hash = md5(time());\n+\t\t\t\t\t$hash = wp_generate_password(32, false);\n \t\t\t\t\tupdate_user_meta($user_id, 'hash', $hash);\n \t\t\t\t\tupdate_user_meta($user_id, 'register_type', \"email_verify\");\n \n@@ -4292,7 +4292,7 @@\n \t\t\t$option \t= get_option(OPTION_PIE_REGISTER);\n \n \t\t\tupdate_user_meta($user_id, 'active', 0);\n-\t\t\t$hash = md5(time());\n+\t\t\t$hash = wp_generate_password(32, false);\n \t\t\tupdate_user_meta($user_id, 'hash', $hash);\n \n \t\t\t$subject \t\t= html_entity_decode($option['user_subject_email_pending_payment'], ENT_COMPAT, \"UTF-8\");\n@@ -4453,7 +4453,7 @@\n \t\t\t\t\t\t\t\t\t\t$user_email \t= $user->user_email;\n \n \t\t\t\t\t\t\t\t\t\tupdate_user_meta($user_id, 'active', 0);\n-\t\t\t\t\t\t\t\t\t\t$hash = md5(time());\n+\t\t\t\t\t\t\t\t\t\t$hash = wp_generate_password(32, false);\n \t\t\t\t\t\t\t\t\t\tupdate_user_meta($user_id, 'hash', $hash);\n \t\t\t\t\t\t\t\t\t\tupdate_user_meta($user_id, 'admin_hash', \"\");\n \t\t\t\t\t\t\t\t\t\tupdate_user_meta($user_id, 'register_type', \"email_verify\");\n@@ -4609,7 +4609,7 @@\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t$sent++;\n \t\t\t\t\t\t\tupdate_user_meta($user_id, 'active', 0);\n-\t\t\t\t\t\t\t$hash = md5(time());\n+\t\t\t\t\t\t\t$hash = wp_generate_password(32, false);\n \t\t\t\t\t\t\tupdate_user_meta($user_id, 'hash', $hash);\n \n \n@@ -4671,7 +4671,7 @@\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t$sent++;\n \t\t\t\t\t\t\tupdate_user_meta($user_id, 'active', 0);\n-\t\t\t\t\t\t\t$hash = md5(time());\n+\t\t\t\t\t\t\t$hash = wp_generate_password(32, false);\n \t\t\t\t\t\t\tupdate_user_meta($user_id, 'hash', $hash);\n \n \t\t\t\t\t\t\t$user \t\t\t= new WP_User($user_id);\n@@ -7782,7 +7782,7 @@\n \n \t\t\t\t\t\tif ($email_verify_orignal_key == $email_verify_key) {\n \t\t\t\t\t\t\t$new_email_address = get_user_meta($user_data_temp->data->ID, \"new_email_address\", true);\n-\t\t\t\t\t\t\t$email_key = md5(uniqid(\"piereg_\") . time());\n+\t\t\t\t\t\t\t$email_key = wp_generate_password(32, false);\n \t\t\t\t\t\t\t$keys_array = array(\"reset_email_key\" => $email_key);\n \n \t\t\t\t\t\t\t\u002F*\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.10\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.9\u002Freadme.txt\t2026-03-30 12:55:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpie-register\u002F3.8.4.10\u002Freadme.txt\t2026-05-14 07:33:50.000000000 +0000\n@@ -5,7 +5,7 @@\n Requires at least: 4.0\n Tested up to: 6.9\n Requires PHP: 5.6\n-Stable tag: 3.8.4.9\n+Stable tag: 3.8.4.10\n License: GPL-2.0-or-later\n License URI: https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n \n@@ -231,6 +231,12 @@\n \n == CHANGELOG ==\n \n+### 3.8.4.10\n+\n+*Released Date 14th May 2026*\n+\n+* Security: Improved token generation in verification\n+\n ### 3.8.4.9\n \n *Released Date 30th March 2026*","The exploit target is the unauthenticated AJAX handler for updating registration form configurations. \n\n1. Locate a public page containing the [pie_register_form] shortcode to trigger the enqueueing of scripts and extraction of a valid security nonce (localized in the 'pie_pr_dec_vars_array' JavaScript object).\n2. Construct a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' using the 'pie_register_update_field_order' action.\n3. Include a 'form_id' (e.g., 'default') and a 'field_order[]' array containing a new sequence of field IDs to reorder or corrupt the form structure.\n4. Since the plugin fails to perform 'current_user_can('manage_options')' checks within the AJAX handler, the request will be processed, and the 'piereg_form_fields_{form_id}' option in the database will be updated without authentication.","gemini-3-flash-preview","2026-06-25 19:54:39","2026-06-25 19:56:18",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.8.4.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpie-register\u002Ftags\u002F3.8.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpie-register.3.8.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpie-register\u002Ftags\u002F3.8.4.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpie-register.3.8.4.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpie-register\u002Ftags"]