[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVrAZnwnIfkGzfNxyRMT01MKJdQxWKD0kvoan7xkVDI0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-32428","popup-like-box-missing-authorization","Popup Like box \u003C= 3.7.7 - Missing Authorization","The Popup Like box plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.7.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ays-facebook-popup-likebox",null,"\u003C=3.7.7","3.7.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-01 00:00:00","2026-04-15 21:02:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5a1b31f4-5594-4179-a88d-11167b58d96c?source=api-prod",46,[22,23,24,25,26],"admin\u002Fclass-ays-facebook-popup-likebox-admin.php","admin\u002Fjs\u002Fadmin.js","ays-facebook-popup-likebox.php","includes\u002Fclass-ays-facebook-popup-likebox.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-32428\n\n## 1. Vulnerability Summary\nThe **Popup Like box – Page Plugin** (versions \u003C= 3.7.7) contains a \"Missing Authorization\" vulnerability. Specifically, the plugin registers AJAX handlers for both authenticated and unauthenticated users (`wp_ajax_` and `wp_ajax_nopriv_`) without implementing capability checks or nonce verification in the handler functions. \n\nThe most critical entry point is the `deactivate_plugin_option_fb` action, which is intended to handle data cleanup when the plugin is deactivated or uninstalled. An unauthenticated attacker can trigger this action to delete the plugin's configuration and database tables, leading to a loss of data and functional disruption (Denial of Service of the plugin's features).\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `deactivate_plugin_option_fb`\n- **Parameter**: `upgrade_plugin` (boolean-ish string)\n- **Authentication**: None (Unauthenticated)\n- **Preconditions**: The plugin must be active.\n\n## 3. Code Flow\n1.  **Registration**: In `includes\u002Fclass-ays-facebook-popup-likebox.php`, the `define_admin_hooks()` method registers the AJAX actions:\n    ```php\n    $this->loader->add_action( 'wp_ajax_deactivate_plugin_option_fb', $plugin_admin, 'deactivate_plugin_option');\n    $this->loader->add_action( 'wp_ajax_nopriv_deactivate_plugin_option_fb', $plugin_admin , 'deactivate_plugin_option');\n    ```\n2.  **Trigger**: An attacker sends a POST request to `admin-ajax.php` with `action=deactivate_plugin_option_fb`.\n3.  **Execution**: The request is routed to `Ays_Facebook_Popup_Likebox_Admin::deactivate_plugin_option`.\n4.  **Logic (Inferred)**: Based on `admin\u002Fjs\u002Fadmin.js`, the function reads the `upgrade_plugin` POST parameter. If set to `false`, it proceeds to \"Uninstall\" the data. The script states: *\"Uninstall: Your data will be deleted completely.\"* This likely involves calling `delete_option()` or `DROP TABLE` on the plugin's custom tables.\n\n## 4. Nonce Acquisition Strategy\nAccording to the source code and the vulnerability type, **no nonce is required**.\n\n- **Verification**: In `admin\u002Fclass-ays-facebook-popup-likebox-admin.php`, the localization for the script handling this AJAX (`fb_likebox_ajax`) only includes the `ajax_url`:\n  ```php\n  wp_localize_script($this->plugin_name . '-admin', 'fb_likebox_ajax', array('ajax_url' => admin_url('admin-ajax.php')));\n  ```\n- No nonce is generated or passed to the `admin.js` script. \n- The `admin.js` file confirms this by sending only `action` and `upgrade_plugin` in the data object.\n\n## 5. Exploitation Strategy\nThe goal is to trigger the permanent deletion of plugin data.\n\n### Step 1: Trigger Data Deletion\nSend a POST request to the AJAX endpoint.\n\n- **URL**: `http:\u002F\u002FTARGET_URL\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n    ```text\n    action=deactivate_plugin_option_fb&upgrade_plugin=false\n    ```\n\n## 6. Test Data Setup\n1.  **Install and Activate**: Ensure `ays-facebook-popup-likebox` version 3.7.7 is installed and active.\n2.  **Verify Initial State**:\n    - Check for the existence of the plugin's main settings option:\n      `wp option get ays_fb_likebox_settings` (or similar, based on `ays-facebook-popup-likebox` settings naming convention).\n    - Check for database tables:\n      `wp db query \"SHOW TABLES LIKE '%ays_fpl%';\"`\n3.  **Create a Sample Likebox**: Create at least one likebox via the admin UI or CLI to ensure there is data to be deleted.\n\n## 7. Expected Results\n- The AJAX request should return a `200 OK` status (and likely a JSON response or `0`\u002F`1`).\n- The plugin's configuration options in the `wp_options` table will be deleted.\n- The plugin's custom database tables (e.g., those containing likebox definitions) will be dropped or emptied.\n\n## 8. Verification Steps\nAfter performing the exploit, verify the impact using WP-CLI:\n\n1.  **Check Options**:\n    `wp option get ays_fb_likebox_settings`\n    *Expected Result*: Error: \"Could not find the option with key...\"\n2.  **Check Tables**:\n    `wp db query \"SHOW TABLES LIKE '%ays_fpl%';\"`\n    *Expected Result*: Empty result (tables are gone).\n3.  **Check Frontend**:\n    Navigate to a page where a Likebox was previously displayed.\n    *Expected Result*: The Likebox no longer appears.\n\n## 9. Alternative Approaches\n### Secondary Target: Dismiss Banner\nThe action `ays_fpl_dismiss_button` is also registered via `nopriv` and likely lacks authorization.\n- **Action**: `ays_fpl_dismiss_button`\n- **Body**: `action=ays_fpl_dismiss_button`\n- **Impact**: While less severe, this allows an unauthenticated user to dismiss admin notices for the site administrator, interfering with the administrative interface.\n\n### Reverse Logic: Upgrade Flag\nTry setting `upgrade_plugin=true`. If the plugin code is poorly structured, even the \"Upgrade\" branch might modify options or state in an unauthorized way, though `upgrade_plugin=false` (Uninstall) is the primary path for confirming \"Missing Authorization\" causing impact.","The Popup Like box plugin for WordPress allows unauthenticated attackers to modify plugin settings due to a missing authorization check and missing nonce verification on the 'deactivate_plugin_option_fb' AJAX action. By manipulating the 'ays_fb_upgrade_plugin' option, an attacker can influence the plugin's behavior during deactivation, potentially leading to the complete deletion of plugin data and tables when an administrator subsequently deactivates the plugin.","\u002F\u002F includes\u002Fclass-ays-facebook-popup-likebox.php (registration of AJAX handlers for unauthenticated users)\n$this->loader->add_action( 'wp_ajax_deactivate_plugin_option_fb', $plugin_admin, 'deactivate_plugin_option');\n$this->loader->add_action( 'wp_ajax_nopriv_deactivate_plugin_option_fb', $plugin_admin , 'deactivate_plugin_option');\n\n---\n\n\u002F\u002F admin\u002Fclass-ays-facebook-popup-likebox-admin.php (vulnerable handler function)\npublic function deactivate_plugin_option(){\n    error_reporting(0);\n    $request_value = $_REQUEST['upgrade_plugin'];\n    $upgrade_option = get_option('ays_fb_upgrade_plugin','');\n    if($upgrade_option === ''){\n        add_option('ays_fb_upgrade_plugin',$request_value);\n    }else{\n        update_option('ays_fb_upgrade_plugin',$request_value);\n    }\n    echo json_encode(array('option'=>get_option('ays_fb_upgrade_plugin','')));\n    wp_die();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-facebook-popup-likebox\u002F3.7.7\u002Fadmin\u002Fclass-ays-facebook-popup-likebox-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-facebook-popup-likebox\u002F3.7.8\u002Fadmin\u002Fclass-ays-facebook-popup-likebox-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-facebook-popup-likebox\u002F3.7.7\u002Fadmin\u002Fclass-ays-facebook-popup-likebox-admin.php\t2025-04-30 11:41:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-facebook-popup-likebox\u002F3.7.8\u002Fadmin\u002Fclass-ays-facebook-popup-likebox-admin.php\t2026-02-18 08:15:24.000000000 +0000\n@@ -211,10 +211,15 @@\n         \u002F*\n         *  Documentation : https:\u002F\u002Fcodex.wordpress.org\u002FPlugin_API\u002FFilter_Reference\u002Fplugin_action_links_(plugin_file_name)\n         *\u002F\n+\n+        $ays_fb_ajax_deactivate_plugin_nonce = wp_create_nonce( 'ays-facebook-popup-likebox-ajax-deactivate-plugin-nonce' );\n+\n         $settings_link = array( \n             '\u003Ca href=\"' . admin_url( 'options-general.php?page=' . $this->plugin_name ) . '\">' . __('Settings', $this->plugin_name) . '\u003C\u002Fa>',\n             '\u003Ca href=\"https:\u002F\u002Fplugins.ays-demo.com\u002Fpopup-likebox-free-demo\u002F\" target=\"_blank\">' . __('Demo', $this->plugin_name) . '\u003C\u002Fa>',\n             '\u003Ca href=\"https:\u002F\u002Fays-pro.com\u002Fwordpress\u002Ffacebook-popup-likebox\" target=\"_blank\" style=\"color:red; font-weight: bold;\">' . __('Buy Now', $this->plugin_name) . '\u003C\u002Fa>',\n+            \n+            '\u003Cinput type=\"hidden\" id=\"ays_fb_ajax_deactivate_plugin_nonce\" name=\"ays_fb_ajax_deactivate_plugin_nonce\" value=\"' . $ays_fb_ajax_deactivate_plugin_nonce .'\">',\n         );\n         return array_merge(  $settings_link, $links );\n \n@@ -251,17 +256,44 @@\n \t\t$this->fblikebox_obj = new FB_Popup_Likebox_List_Table($this->plugin_name);\n \t}\n \n-\tpublic function deactivate_plugin_option(){\n-        error_reporting(0);\n-        $request_value = $_REQUEST['upgrade_plugin'];\n-        $upgrade_option = get_option('ays_fb_upgrade_plugin','');\n-        if($upgrade_option === ''){\n-            add_option('ays_fb_upgrade_plugin',$request_value);\n-        }else{\n-            update_option('ays_fb_upgrade_plugin',$request_value);\n+    public function deactivate_plugin_option_fb(){\n+\n+        \u002F\u002F Run a security check.\n+        check_ajax_referer( 'ays-facebook-popup-likebox-ajax-deactivate-plugin-nonce', sanitize_key( $_REQUEST['_ajax_nonce'] ) );\n+\n+        \u002F\u002F Check for permissions.\n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => ''\n+            ));\n+            wp_die();\n         }\n-        echo json_encode(array('option'=>get_option('ays_fb_upgrade_plugin','')));\n-        wp_die();\n+\n+        if( is_user_logged_in() ) {\n+            $request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );\n+            $upgrade_option = get_option('ays_fb_upgrade_plugin','');\n+            if($upgrade_option === ''){\n+                add_option('ays_fb_upgrade_plugin',$request_value);\n+            }else{\n+                update_option('ays_fb_upgrade_plugin',$request_value);\n+            }\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => get_option('ays_fb_upgrade_plugin', '')\n+            ));\n+            wp_die();\n+        } else {\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => ''\n+            ));\n+            wp_die();\n+        }\n+\n     }","To exploit this vulnerability, an unauthenticated attacker sends a POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the action parameter set to 'deactivate_plugin_option_fb'. The payload includes the 'upgrade_plugin' parameter set to 'false'. Because the plugin fails to check for user capabilities or a security nonce, it will update the 'ays_fb_upgrade_plugin' option in the database. If this option is set to 'false', the plugin's deactivation logic will proceed to drop database tables and delete settings the next time an administrator deactivates the plugin, causing permanent data loss.","gemini-3-flash-preview","2026-04-18 22:17:28","2026-04-18 22:17:51",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.7.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-facebook-popup-likebox\u002Ftags\u002F3.7.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-facebook-popup-likebox.3.7.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-facebook-popup-likebox\u002Ftags\u002F3.7.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-facebook-popup-likebox.3.7.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-facebook-popup-likebox\u002Ftags"]