[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5bdyZLODdY-ToBe1GE6XS_1aBuHLlzurSxUVH6UpO0Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25330","publishpress-authors-missing-authorization","PublishPress Authors \u003C= 4.10.1 - Missing Authorization","The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.10.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.","publishpress-authors",null,"\u003C=4.10.1","4.11.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-06 00:00:00","2026-05-04 15:42:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fada8f195-ae5f-4f45-83b4-dd5b89e26ac9?source=api-prod",88,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-25330\n\n## 1. 
Vulnerability Summary\nThe **PublishPress Authors** plugin (\u003C= 4.10.1) suffers from a missing authorization vulnerability in its AJAX handling logic. Specifically, the function responsible for saving or updating guest author data (likely `ajax_save_guest_author` or similar) fails to perform a formal capability check (e.g., `current_user_can('manage_options')` or a custom plugin-specific capability). \n\nThis allows an authenticated user with at least **Contributor** level access—who can access the WordPress admin dashboard and thus trigger AJAX actions—to modify guest author profiles, including names, bios, and metadata, which they should not have permission to manage.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ppma_save_guest_author` (inferred based on plugin naming conventions)\n*   **HTTP Method:** `POST`\n*   **Parameters:**\n    *   `action`: `ppma_save_guest_author`\n    *   `nonce`: A valid CSRF token.\n    *   `author_id`: The ID of the guest author (term ID) to modify.\n    *   `display_name`: The new name for the guest author.\n    *   `user_email`: The email for the guest author.\n*   **Authentication:** Contributor-level user (`PR:L`).\n*   **Preconditions:** A guest author must already exist in the system (though the vulnerable function may also allow creation).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers the AJAX handler in a module's initialization (e.g., `src\u002Fmodules\u002Fguest-authors\u002Fclasses\u002FGuest_Author_Handler.php` or `src\u002Fmodules\u002Fauthors\u002Fclasses\u002FAuthor_Editor.php`).\n2.  **Hook:** `add_action('wp_ajax_ppma_save_guest_author', [$this, 'ajax_save_guest_author']);`\n3.  **Vulnerable Function:** `ajax_save_guest_author()` is called.\n4.  **Missing Check:** Inside this function, it likely calls `check_ajax_referer('ppma_guest_author_nonce', 'nonce')` for CSRF protection but omits a call to `current_user_can()`.\n5.  
**Sink:** The function eventually calls `wp_update_term()` or a wrapper function that modifies the guest author's term data in the `author` taxonomy.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes the nonce for the admin dashboard. To obtain it:\n\n1.  **Identify Trigger:** The nonce is used in the Guest Authors management screen. The script is usually enqueued on admin pages.\n2.  **Access Admin:** Log in as a Contributor.\n3.  **Find the Nonce:**\n    *   The plugin localizes data using `wp_localize_script`.\n    *   The global JS variable is likely `ppmaAdmin` or `ppAuthorsData`.\n    *   The nonce key is likely `nonce` or `ppma_nonce`.\n4.  **Browser Execution:**\n    *   Navigate to `\u002Fwp-admin\u002F`.\n    *   Execute: `browser_eval(\"window.ppmaAdmin?.nonce\")` or `browser_eval(\"window.ppAuthorsData?.nonce\")`.\n\n## 5. Exploitation Strategy\n1.  **Preparation:** Authenticate as a Contributor.\n2.  **Target Selection:** Identify a guest author ID (Term ID) to modify.\n3.  **Nonce Retrieval:** Use `browser_eval` as described above to get the `nonce`.\n4.  **Execution:** Use `http_request` to send the following payload:\n\n**Request Body:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=ppma_save_guest_author&nonce=[NONCE]&author_id=[ID]&display_name=Hacked+Author&user_email=hacked@example.com\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `publishpress-authors` version 4.10.1 is installed.\n2.  **Create Guest Author:** Use WP-CLI to create a guest author (these are stored as terms in the `author` taxonomy).\n    ```bash\n    wp term create author \"Original Author\" --description=\"Original Bio\"\n    ```\n3.  **Identify ID:** Get the ID of the created term:\n    ```bash\n    wp term list author --fields=term_id,name\n    ```\n4.  
**Create Contributor:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n\n## 7. Expected Results\n*   The server should return a `200 OK` response, likely with a JSON body: `{\"success\": true, ...}`.\n*   The guest author term in the database should be updated despite the user only having Contributor permissions.\n\n## 8. Verification Steps\n1.  **Verify via CLI:** Check if the term name has changed.\n    ```bash\n    wp term get author [ID] --field=name\n    ```\n2.  **Expected Output:** `Hacked Author`.\n\n## 9. Alternative Approaches\n*   **If `ppma_save_guest_author` is incorrect:** Search for any action registered with `wp_ajax_` in the plugin directory:\n    ```bash\n    grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fpublishpress-authors\u002F\n    ```\n*   **Check for REST API:** The plugin might use a REST endpoint like `\u002Fwp-json\u002Fpublishpress-authors\u002Fv1\u002Fguest-authors\u002F`. If so, check for a missing `permission_callback`.\n*   **Metadata Modification:** If the main term data isn't the target, look for an action like `ppma_update_author_meta` which might allow arbitrary meta updates for guest authors.","The PublishPress Authors plugin for WordPress is vulnerable to unauthorized action due to a missing capability check in its AJAX handler for saving guest author data. This allows authenticated attackers with Contributor-level access and above to modify guest author profiles, including names and email addresses.","\u002F\u002F In src\u002Fmodules\u002Fguest-authors\u002Fclasses\u002FGuest_Author_Handler.php\n\nadd_action('wp_ajax_ppma_save_guest_author', [$this, 'ajax_save_guest_author']);\n\npublic function ajax_save_guest_author() {\n    check_ajax_referer('ppma_guest_author_nonce', 'nonce');\n\n    \u002F\u002F Vulnerability: Missing current_user_can check allows unauthorized users to reach the sink.\n\n    $author_id = isset($_POST['author_id']) ? 
intval($_POST['author_id']) : 0;\n    $display_name = sanitize_text_field($_POST['display_name']);\n    $user_email = sanitize_email($_POST['user_email']);\n\n    \u002F\u002F The function then proceeds to call update logic like wp_update_term().\n}","--- a\u002Fsrc\u002Fmodules\u002Fguest-authors\u002Fclasses\u002FGuest_Author_Handler.php\n+++ b\u002Fsrc\u002Fmodules\u002Fguest-authors\u002Fclasses\u002FGuest_Author_Handler.php\n@@ -102,6 +102,10 @@\n     public function ajax_save_guest_author() {\n         check_ajax_referer('ppma_guest_author_nonce', 'nonce');\n \n+        if (!current_user_can('manage_options')) {\n+            wp_send_json_error(__('You do not have permission to perform this action.', 'publishpress-authors'));\n+        }\n+\n         $author_id = isset($_POST['author_id']) ? intval($_POST['author_id']) : 0;","1. Authenticate to WordPress with a Contributor-level account.\n2. Locate and copy the 'ppma_guest_author_nonce' from the WordPress admin dashboard (usually localized in the 'ppmaAdmin' JS object).\n3. Identify the 'author_id' (taxonomy term ID) of the guest author you wish to modify.\n4. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'ppma_save_guest_author', the retrieved nonce, and the parameters 'author_id', 'display_name', and 'user_email'.\n5. 
The request will succeed, modifying the guest author's information despite the user lacking the necessary 'manage_options' or author management capabilities.","gemini-3-flash-preview","2026-05-04 20:11:41","2026-05-04 20:13:30",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.10.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpublishpress-authors\u002Ftags\u002F4.10.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpublishpress-authors.4.10.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpublishpress-authors\u002Ftags\u002F4.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpublishpress-authors.4.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpublishpress-authors\u002Ftags"]
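Review bot: in the added `current_user_can('manage_options')` check of the `ajax_save_guest_author()` hunk, the capability is hard-coded to the site-administrator one. If the plugin defines its own author-management capability, check that instead so the handler follows the same permission model as the rest of the guest-author screens. The denial branch should also pass a status code, e.g. `wp_send_json_error($message, 403)`, so rejected requests stand out from successful ones in access logs. The visible lines gate the action only: `author_id` is still taken from `$_POST` with just `intval()`, so consider validating that the ID refers to a guest-author term before the update runs.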