[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLPZynmJlTRUKvVLelRjBcLWyYlOhb8OWOCq2MtTi1R8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25455","product-slider-product-grid-product-masonry-missing-authorization","Product Slider, Product Grid, Product Masonry \u003C= 1.13.61 - Missing Authorization","The Product Slider, Product Grid, Product Masonry plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.13.61. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","woocommerce-products-slider",null,"\u003C=1.13.61","1.13.62","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-17 00:00:00","2026-04-15 13:42:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa8f1e411-3060-4f1a-8a73-db33557aa3c6?source=api-prod",30,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-25455 (Product Slider Missing Authorization)\n\n## 1. 
Vulnerability Summary\nThe **Product Slider, Product Grid, Product Masonry** plugin (versions \u003C= 1.13.61) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, functions hooked to `wp_ajax_` (authenticated AJAX) fail to verify the user's capabilities (e.g., `current_user_can('manage_options')`). This allows any authenticated user, including those with **Subscriber** privileges, to execute administrative actions such as modifying slider configurations, deleting sliders, or changing plugin settings.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wps_save_shortcode_data` (Inferred from common plugin patterns for this vulnerability)\n- **Parameters**: \n    - `action`: `wps_save_shortcode_data`\n    - `post_id`: The ID of the Product Slider (Custom Post Type: `wps_slider`) to modify.\n    - `wps_shortcode_all_data`: A URL-encoded array or string containing the slider configuration.\n    - `security`: The AJAX nonce (if required).\n- **Authentication**: Authenticated, Subscriber-level access or higher.\n- **Preconditions**: A Product Slider must exist for the attacker to modify it.\n\n## 3. Code Flow\n1. **Entry Point**: The user sends a POST request to `admin-ajax.php` with `action=wps_save_shortcode_data`.\n2. **Hook Registration**: The plugin registers the action:\n   `add_action('wp_ajax_wps_save_shortcode_data', array($this, 'wps_save_shortcode_data'));` (Found in `includes\u002Fadmin\u002Fclass-admin.php` or `includes\u002Fclass-ajax.php`).\n3. **Vulnerable Function**: The `wps_save_shortcode_data` function is called.\n4. **Missing Check**: The function likely checks for a nonce using `check_ajax_referer()` but **fails** to call `current_user_can()`.\n5. **Data Sink**: The function proceeds to update post meta:\n   `update_post_meta($post_id, 'wps_shortcode_all_data', $_POST['wps_shortcode_all_data']);`\n6. 
**Result**: The slider configuration is updated without administrative approval.\n\n## 4. Nonce Acquisition Strategy\nThe plugin typically localizes its admin AJAX variables in `class-admin.php`. While Subscribers may not see the plugin menu, WordPress enqueues scripts for all logged-in users in the `\u002Fwp-admin\u002F` context if not properly restricted.\n\n1. **Check for Subscriber Access**: Subscribers can access `\u002Fwp-admin\u002Fprofile.php`.\n2. **Shortcode Placement**: If scripts are only loaded on plugin pages, create a page with the slider shortcode:\n   `wp post create --post_type=page --post_status=publish --post_content='[wcps id=\"SLIDER_ID\"]'`\n3. **Browser Extraction**:\n   - Navigate to the page containing the shortcode.\n   - Execute in `browser_eval`:\n     ```javascript\n     \u002F\u002F Verbatim keys from localized script: wps_ajax_obj\n     window.wps_ajax_obj?.nonce || window.wc_ps_ajax?.nonce\n     ```\n   - If the nonce is used in a specific `wp_verify_nonce` call with action `wps_nonce`, this will provide the valid token.\n\n## 5. Exploitation Strategy\n### Step 1: Identification\nIdentify a target slider ID. This can often be found in the frontend source code where the slider is rendered (look for `id=\"wcps-slider-123\"`).\n\n### Step 2: Payload Crafting\nPrepare a POST request to overwrite the slider's query to return different data or inject content.\n\n**Request Details**:\n- **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: POST\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=wps_save_shortcode_data&post_id=TARGET_ID&security=EXTRACTED_NONCE&wps_shortcode_all_data[wps_slider_title]=Hacked+Slider&wps_shortcode_all_data[wps_product_column]=1\n  ```\n\n### Step 3: Execution\nUse the `http_request` tool with the Subscriber's session cookies.\n\n## 6. Test Data Setup\n1. 
**Admin User**:\n   - Install and activate `woocommerce-products-slider`.\n   - Create a new Product Slider (ID: `123`).\n   - Create a Page and embed `[wcps id=\"123\"]`.\n2. **Subscriber User**:\n   - Create a user `attacker` with the `subscriber` role.\n\n## 7. Expected Results\n- **Response**: The server should return a successful JSON response or `1` (typical for successful `wp_die()` completion).\n- **Modification**: The slider with ID `123` will now have the title \"Hacked Slider\" in the database, which will be reflected in the admin UI and potentially the frontend.\n\n## 8. Verification Steps\n1. **WP-CLI Check**: \n   `wp post meta get 123 wps_shortcode_all_data`\n   - Confirm the `wps_slider_title` value inside the meta array has changed.\n2. **UI Check**: \n   Log in as Admin and view the Product Slider list; verify the title has been altered by the subscriber.\n\n## 9. Alternative Approaches\nIf `wps_save_shortcode_data` is protected, attempt the following alternative actions likely registered in the same class:\n- `wps_delete_shortcode`: Attempt to delete a slider by passing a `post_id`.\n- `wps_get_layout_preview`: Attempt to trigger a preview which might leak data.\n- Check if the nonce check is entirely missing (i.e., `check_ajax_referer` is also absent). If so, the `security` parameter can be omitted.","The Product Slider, Product Grid, Product Masonry plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks on its AJAX handlers. 
This allows authenticated attackers with subscriber-level access to perform administrative actions, such as updating or deleting slider configurations, by targeting the wp_ajax_wps_save_shortcode_data endpoint.","\u002F\u002F Inferred from plugin logic within includes\u002Fadmin\u002Fclass-admin.php or includes\u002Fclass-ajax.php\n\nadd_action('wp_ajax_wps_save_shortcode_data', array($this, 'wps_save_shortcode_data'));\n\npublic function wps_save_shortcode_data() {\n    \u002F\u002F A nonce check might exist, but a capability check is absent.\n    check_ajax_referer('wps_nonce', 'security');\n\n    $post_id = intval($_POST['post_id']);\n    $shortcode_data = $_POST['wps_shortcode_all_data'];\n\n    if ($post_id) {\n        \u002F\u002F Vulnerable: missing current_user_can('manage_options') check before data sink.\n        update_post_meta($post_id, 'wps_shortcode_all_data', $shortcode_data);\n        echo '1';\n    }\n    wp_die();\n}","--- includes\u002Fadmin\u002Fclass-admin.php\n+++ includes\u002Fadmin\u002Fclass-admin.php\n@@ -10,6 +10,10 @@\n public function wps_save_shortcode_data() {\n     check_ajax_referer('wps_nonce', 'security');\n \n+    if (!current_user_can('manage_options')) {\n+        wp_die(__('You do not have permission to perform this action.', 'woocommerce-products-slider'));\n+    }\n+\n     $post_id = intval($_POST['post_id']);\n     $shortcode_data = $_POST['wps_shortcode_all_data'];","The exploit involves an authenticated user (such as a Subscriber) taking advantage of the lack of capability checks in the plugin's AJAX handler. 1. The attacker identifies the ID of an existing Product Slider post type. 2. The attacker extracts the required AJAX nonce ('wps_nonce'), which is often localized in the browser for logged-in users or accessible via the admin dashboard context. 3. The attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'wps_save_shortcode_data'. 4. 
The payload includes the target 'post_id', the 'security' nonce, and a modified 'wps_shortcode_all_data' array containing the desired changes to the slider's configuration. 5. Upon execution, the plugin updates the slider metadata, allowing the attacker to alter frontend content or plugin behavior.","gemini-3-flash-preview","2026-04-18 03:10:52","2026-04-18 03:11:23",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.13.60","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-products-slider\u002Ftags\u002F1.13.60","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-products-slider.1.13.60.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-products-slider\u002Ftags"]
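Review bot: in the `wps_save_shortcode_data` hunk for includes/admin/class-admin.php, the added `current_user_can('manage_options')` check runs before `$post_id` is read, so it gates on a site-wide capability only and never confirms that the caller may edit the specific slider being written. Consider moving the check below the `intval($_POST['post_id'])` line and adding `current_user_can('edit_post', $post_id)` alongside it. The unchanged context line `$shortcode_data = $_POST['wps_shortcode_all_data'];` still takes the request array as-is, and the hunk does not show it being filtered afterwards, so this is the place to apply `wp_unslash()` and per-field sanitization before the value is stored. Both `$_POST` reads also lack an `isset()` guard. Since this is an AJAX handler, returning the refusal through `wp_send_json_error()` with a 403 status instead of `wp_die()` with a translated string would give clients a machine-readable failure.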