[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f23Nxrd6AKPxZXrTOXcL9c8R_OfTzrOoZiUrGYElPGM4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-49774","rd-station-authenticated-contributor-remote-code-execution","RD Station \u003C= 5.6.0 - Authenticated (Contributor+) Remote Code Execution","The RD Station plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.","integracao-rd-station",null,"\u003C=5.6.0","5.7.0","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-06-04 00:00:00","2026-06-10 17:46:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef1d1ae6-3019-4e48-911e-5f805f8089ca?source=api-prod",7,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-49774 (RD Station RCE)\n\n## 1. Vulnerability Summary\nThe RD Station plugin (`integracao-rd-station`) for WordPress is vulnerable to **Authenticated Remote Code Execution (RCE)** in versions up to and including 5.6.0. The vulnerability is classified as **Code Injection (CWE-94)**. It occurs because the plugin allows users with Contributor-level permissions or higher to modify settings—specifically those that store script blocks or integration parameters—without adequate capability checks or input sanitization. These settings are subsequently evaluated or included in a way that executes PHP code.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `rd_station_save_settings` (inferred) or `rd_save_tracking_codes` (inferred).\n*   **Vulnerable Parameter:** `rd_header_scripts` (inferred) or `tracking_code_content` (inferred).\n*   **Authentication:** Authenticated (Contributor-level or higher).\n*   **Preconditions:** The plugin must be active. The attacker must have a valid session cookie for a Contributor user.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX handler for authenticated users using `add_action( 'wp_ajax_rd_save_settings', '...' )`.\n2.  **Capability Gap:** The handler function likely uses `is_user_logged_in()` or checks for a low-level capability like `edit_posts` (which Contributors have), instead of the robust `manage_options` capability required for site-wide settings.\n3.  **Data Processing:** The handler takes input from `$_POST['settings']` or a similar parameter. It does not strip PHP tags or sanitize for executable code.\n4.  **Storage:** The input is saved to the database via `update_option( 'rd_station_settings', ... )`.\n5.  **Sink (The RCE):** A separate function, hooked to `wp_head` or `init`, retrieves this option. If the plugin uses a method like `eval()` on the stored content, or writes the content to a `.php` file in the `wp-content\u002Fuploads` directory that is later included, RCE is achieved.\n\n## 4. Nonce Acquisition Strategy\nThe RD Station plugin typically localizes security tokens for its admin interface. To obtain a valid nonce as a Contributor:\n\n1.  **Identify the Script Handle:** Look for where the plugin enqueues its admin scripts (e.g., using `wp_enqueue_script` in an `admin_enqueue_scripts` hook).\n2.  **Find the Localized Variable:** The plugin likely uses `wp_localize_script()` to pass a nonce to the frontend.\n3.  **Extraction Steps:**\n    *   Log in as the Contributor user.\n    *   Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002Findex.php`).\n    *   Use `browser_eval` to search for the nonce in the global `window` object. \n    *   **Inferred Variable:** `window.RDStationSettings?.nonce` or `window.rd_token?.save_nonce`.\n\n```javascript\n\u002F\u002F Example extraction logic for the agent\nconst nonce = browser_eval(\"window.rd_station_admin_data?.nonce || window.rd_station_data?.nonce\");\n```\n\n## 5. Exploitation Strategy\nThe goal is to update the plugin settings with a PHP payload that will be executed by the server.\n\n1.  **Authentication:** Obtain session cookies for a Contributor user.\n2.  **Request Construction:**\n    *   **Method:** `POST`\n    *   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body Parameters:**\n        *   `action`: `rd_station_save_settings` (inferred)\n        *   `_wpnonce`: `[EXTRACTED_NONCE]`\n        *   `rd_scripts_payload`: `\u003C?php system('id'); die(); ?>` (The exact parameter name must be verified via the plugin's `admin\u002F` directory source).\n3.  **Triggering:** Navigate to the site's homepage or any public page. If the code is injected into a \"Header Scripts\" setting, the payload will execute when `wp_head()` is called.\n\n## 6. Test Data Setup\n1.  **User Creation:** \n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n2.  **Plugin Setup:** Ensure `integracao-rd-station` version 5.6.0 is installed and activated.\n3.  **Page Creation:** (If a specific shortcode is needed to trigger script loading):\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_content='[rd_station_form id=\"123\"]' --post_title='RD Trigger'\n    ```\n\n## 7. Expected Results\n*   **Success Indicator:** The HTTP response from the trigger page should contain the output of the `id` command (e.g., `uid=33(www-data) gid=33(www-data) groups=33(www-data)`).\n*   **HTTP Status:** The AJAX save request should return a `200 OK` or a JSON success message `{\"success\":true}`.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify if the malicious payload was stored in the options table:\n    ```bash\n    wp option get rd_station_settings\n    ```\n2.  **Log Check:** If the payload used `error_log()`, check the WordPress debug log:\n    ```bash\n    tail -n 20 wp-content\u002Fdebug.log\n    ```\n\n## 9. Alternative Approaches\n*   **Direct Option Manipulation:** If the AJAX handler is not the entry point, check for `admin_init` hooks that process `$_POST` data without nonce or capability checks.\n*   **REST API:** Check if the plugin registers any routes via `register_rest_route`. If the `permission_callback` returns `true` or only checks for `edit_posts`, the exploit can be ported to a REST API request:\n    *   `POST \u002Fwp-json\u002Frdstation\u002Fv1\u002Fsettings`\n*   **Shortcode Injection:** If the RCE is via a shortcode attribute being passed to `eval()`, attempt to use a Contributor's ability to create posts to execute the shortcode:\n    *   `[rd_shortcode param=\"; system('id');\"]` (if the plugin improperly handles attributes).","The RD Station plugin for WordPress (up to and including version 5.6.0) is vulnerable to Remote Code Execution via Code Injection. This vulnerability allows authenticated users with Contributor-level access or higher to save arbitrary PHP code into plugin settings, which is subsequently executed by the server.","To exploit this vulnerability, an authenticated user with Contributor-level permissions must obtain a valid security nonce, typically extracted from localized scripts in the WordPress admin dashboard. The attacker then sends a POST request to the WordPress AJAX endpoint (wp-admin\u002Fadmin-ajax.php) targeting a settings-saving action (such as rd_station_save_settings). The payload includes malicious PHP code within configuration parameters (e.g., rd_header_scripts or tracking_code_content). Once stored in the database, the injected code is triggered and executed when a user visits a site page that renders the plugin's header scripts or tracking components.","gemini-3-flash-preview","2026-06-26 04:35:14","2026-06-26 04:36:14",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","5.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fintegracao-rd-station\u002Ftags\u002F5.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fintegracao-rd-station.5.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fintegracao-rd-station\u002Ftags"]