[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fINvvWWbv5Rbv6mcGFmxsTDLTBDYY_lA9eS80YeHx310":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-24545","qr-redirector-missing-authorization","QR Redirector \u003C= 2.0.3 - Missing Authorization","The QR Redirector plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","qr-redirector",null,"\u003C=2.0.3","2.0.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-25 00:00:00","2026-05-26 19:13:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffafcea5a-1f84-4342-8959-312e3938e4d3?source=api-prod",2,[],"researched",false,3,"This research plan focuses on **CVE-2026-24545**, a Missing Authorization vulnerability in the **QR Redirector** plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe **QR Redirector** plugin (\u003C= 2.0.3) fails to implement proper capability checks (e.g., `current_user_can()`) in one or more of its AJAX handler functions. While these functions are registered via the `wp_ajax_` hook (restricting access to authenticated users), they lack secondary authorization logic to ensure only administrators or users with the `manage_options` capability can execute them. This allows a user with **Subscriber** level permissions to perform administrative actions such as creating, modifying, or deleting redirects.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Vulnerable Action:** `qrr_save_redirect` (inferred) or `qrr_delete_redirect` (inferred).\n*   **Authentication:** Required (Subscriber or higher).\n*   **Payload Parameter:** `action`, `nonce` (if checked), and data parameters (e.g., `redirect_url`, `post_id`).\n*   **Preconditions:** An authenticated Subscriber-level account is required. The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An authenticated user sends a request to `admin-ajax.php` with the `action` parameter set to the vulnerable hook (likely prefixed with `qrr_`).\n2.  **Hook Registration:** The plugin registers the action:\n    `add_action( 'wp_ajax_qrr_save_redirect', 'qrr_save_redirect_callback' );` (inferred).\n3.  **Vulnerable Function:** The callback function (e.g., `qrr_save_redirect_callback`) executes.\n4.  **Missing Check:** The function likely calls `check_ajax_referer()` to verify a CSRF nonce but fails to call `current_user_can( 'manage_options' )`.\n5.  **Sink:** The function proceeds to update the database (e.g., `update_post_meta` or `$wpdb->update`) based on the user-supplied `$_POST` data.\n\n### 4. Nonce Acquisition Strategy\nIf the plugin enforces a nonce check via `check_ajax_referer`, the nonce must be retrieved from the admin dashboard or a page where the plugin enqueues its scripts.\n\n1.  **Identify Localized Script:** Search the plugin source for `wp_localize_script`. Look for the variable name containing the nonce (e.g., `qrr_vars`, `qrr_settings`).\n2.  **Shortcode\u002FPage Setup:** If the nonce is only loaded on specific pages (like the redirect management page), identify the shortcode or admin menu slug.\n3.  **Extraction Script:**\n    *   Navigate to the WordPress dashboard as a Subscriber.\n    *   Execute the following in the browser console:\n        `browser_eval(\"window.qrr_vars?.nonce || window.qrr_obj?.ajax_nonce\")` (inferred identifiers).\n4.  **Bypass Check:** If the code uses `check_ajax_referer( 'qrr_action', 'nonce', false )` and fails to check the return value, the nonce can be any value.\n\n### 5. Exploitation Strategy\nThis plan aims to modify an existing redirect or create a new one as a Subscriber.\n\n**Step 1: Authenticate as Subscriber**\nPerform a login request using `http_request` to obtain session cookies.\n\n**Step 2: Obtain the Nonce**\nNavigate to the plugin's settings or a page containing its interface to extract the nonce.\n\n**Step 3: Trigger the Vulnerable Action**\nSend a POST request to `admin-ajax.php` to modify a redirect.\n\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=qrr_save_redirect&nonce=[NONCE]&id=[TARGET_POST_ID]&redirect_url=http:\u002F\u002Fattacker.com\n    ```\n    *(Note: Parameter names like `id` and `redirect_url` are inferred based on plugin functionality and should be verified via `grep` in the environment.)*\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure QR Redirector v2.0.3 is installed and active.\n2.  **Create Target Redirect:** As an **Admin**, create a redirect (e.g., \"Google\" -> `https:\u002F\u002Fgoogle.com`). Note the Post ID of this redirect.\n3.  **Create Attacker User:** Create a user with the **Subscriber** role.\n\n### 7. Expected Results\n*   **Response:** The server should return a successful JSON response (e.g., `{\"success\":true}`) or a `1` (typical for successful WordPress AJAX).\n*   **Impact:** The redirect URL associated with the target ID should be changed to the attacker-controlled URL (`http:\u002F\u002Fattacker.com`).\n\n### 8. Verification Steps\nAfter the exploitation attempt, verify the change using WP-CLI:\n```bash\n# Check the post meta for the redirected URL\nwp post meta list [TARGET_POST_ID]\n\n# Or verify via a direct database query if stored in a custom table\nwp db query \"SELECT * FROM wp_posts WHERE post_type='qr_redirect' AND ID=[TARGET_POST_ID]\"\n```\n\n### 9. Alternative Approaches\nIf `qrr_save_redirect` is not the correct action:\n1.  **Identify all AJAX hooks:**\n    `grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fqr-redirector\u002F`\n2.  **Check for \"Delete\" actions:**\n    Attempt to delete an admin-created redirect using an action like `qrr_delete_redirect`.\n3.  **Check for Settings Update:**\n    Look for actions that update global plugin settings (e.g., `qrr_update_settings`) which often lack authorization.","The QR Redirector plugin for WordPress (\u003C= 2.0.3) lacks a capability check in its AJAX handler functions, which are registered via the wp_ajax_ hook. This vulnerability allows authenticated users with subscriber-level permissions or higher to perform unauthorized administrative actions, such as creating, modifying, or deleting redirects.","1. Authenticate as a Subscriber-level user.\n2. Locate the security nonce used by the plugin, typically found by inspecting localized scripts (e.g., qrr_vars or qrr_settings) in the WordPress dashboard.\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the vulnerable callback (e.g., qrr_save_redirect).\n4. Include the retrieved nonce and the desired payload parameters (e.g., id=[TARGET_POST_ID] and redirect_url=http:\u002F\u002Fattacker.com).\n5. The server will process the request and update the redirect in the database because it fails to call current_user_can('manage_options') to verify permissions.","gemini-3-flash-preview","2026-06-04 21:24:01","2026-06-04 21:24:46",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fqr-redirector\u002Ftags"]