[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFgzG7mExktLy7QrxRd53tVsCxaMt1x4KjdIPYHBttNE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-27050","realpress-real-estate-plugin-cross-site-request-forgery","RealPress – Real Estate Plugin \u003C= 1.1.0 - Cross-Site Request Forgery","The RealPress – Real Estate Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","realpress",null,"\u003C=1.1.0","1.1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-01-13 00:00:00","2026-04-14 14:31:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd48f98cb-18d5-4b15-96cb-94a4c86148e4?source=api-prod",92,[],"researched",false,3,"This plan outlines the research and exploitation strategy for **CVE-2026-27050**, a Cross-Site Request Forgery (CSRF) vulnerability in the **RealPress – Real Estate Plugin** for WordPress (versions \u003C= 1.1.0).\n\n---\n\n### 1. Vulnerability Summary\nThe RealPress plugin fails to implement or correctly verify WordPress nonces on one or more state-changing administrative functions. This allows an unauthenticated attacker to craft a malicious request (e.g., via an auto-submitting HTML form) that, when executed by a logged-in administrator, performs unauthorized actions such as modifying plugin settings, deleting property listings, or changing site configuration.\n\n### 2. Attack Vector Analysis\n*   **Target Endpoint**: `wp-admin\u002Fadmin-post.php` or `wp-admin\u002Fadmin-ajax.php`.\n*   **Vulnerable Hook**: Likely an `admin_post_{action}` or `wp_ajax_{action}` hook.\n*   **Authentication Level**: CSRF requires the victim to be a logged-in **Administrator**.\n*   **Payload Delivery**: An attacker-controlled external site hosting a malicious form or a hidden `\u003Ciframe>` targeting the vulnerable WordPress site.\n*   **Preconditions**: The victim must be authenticated to the target WordPress site and tricked into visiting the attacker's page.\n\n### 3. Discovery & Code Flow\nSince the exact function is not named in the CVE description, the first step is to identify the unprotected handlers.\n\n**A. Identify State-Changing Handlers:**\nSearch for handlers that update options or process listings:\n```bash\ngrep -rE \"add_action\\s*\\(\\s*['\\\"](admin_post_|wp_ajax_)\" wp-content\u002Fplugins\u002Frealpress\u002F\n```\n\n**B. Audit for Nonce Checks:**\nTrace the functions identified in step A. Look for those that **lack** the following functions:\n*   `check_admin_referer()`\n*   `check_ajax_referer()`\n*   `wp_verify_nonce()`\n\n**Target Candidate (Inferred):**\nThe plugin likely handles settings in a file like `includes\u002Fadmin\u002Fclass-realpress-admin-settings.php` or `includes\u002Fclass-realpress-ajax.php`. We are looking for a pattern like:\n```php\npublic function save_settings() {\n    if ( ! current_user_can( 'manage_options' ) ) {\n        return;\n    }\n    \u002F\u002F VULNERABILITY: Missing check_admin_referer() here\n    $settings = $_POST['realpress_settings'];\n    update_option( 'realpress_settings', $settings );\n}\n```\n\n### 4. Nonce Acquisition Strategy (If Required)\nThe description mentions \"missing or incorrect\" validation. \n*   **If missing**: No nonce is required for the exploit.\n*   **If incorrect**: The plugin may generate a nonce but fail to check the return value of `wp_verify_nonce()` or use `check_ajax_referer(..., ..., false)` without checking the result.\n*   **If a nonce is needed (Bypass check)**:\n    1.  Identify the page where settings are managed (e.g., `wp-admin\u002Fadmin.php?page=realpress-settings`).\n    2.  Use `browser_navigate` to that page as an admin.\n    3.  Execute `browser_eval(\"window.realpress_admin?.nonce\")` (inferred JS key) to extract it.\n    *Note: For CSRF, the goal is typically to exploit the total absence of a check, as the attacker cannot read the nonce from the victim's browser due to Same-Origin Policy (SOP).*\n\n### 5. Exploitation Strategy\nWe will simulate a CSRF attack by sending a POST request that lacks a valid nonce.\n\n**Step 1: Determine the exact action and parameters**\nExamine the form in the RealPress settings page:\n```bash\n# Grep for option names to find the data structure\ngrep -r \"update_option\" wp-content\u002Fplugins\u002Frealpress\u002F\n```\n\n**Step 2: Craft the Exploit Payload**\nAssuming the action is `realpress_save_settings` (inferred) and it updates a setting like `site_layout`.\n\n**Request Details**:\n*   **Method**: `POST`\n*   **URL**: `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-post.php` (or `admin-ajax.php`)\n*   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```text\n    action=realpress_save_settings&realpress_settings[some_critical_setting]=attacker_controlled_value\n    ```\n\n### 6. Test Data Setup\n1.  Install and activate **RealPress \u003C= 1.1.0**.\n2.  Create a standard administrator user.\n3.  Configure basic plugin settings so there is existing data to modify.\n4.  Identify a specific setting to change (e.g., the contact email or a display setting) via the plugin UI.\n\n### 7. Expected Results\n*   The `http_request` (sent with admin cookies but **no nonce**) should return a `302 Redirect` or a `200 OK` success message.\n*   The plugin settings in the database will be updated to the `attacker_controlled_value`.\n\n### 8. Verification Steps\nAfter sending the malicious request, verify the state change via WP-CLI:\n```bash\n# Check the option value directly\nwp option get realpress_settings --format=json\n```\nIf the value matches the one sent in the `http_request` body, the CSRF is confirmed.\n\n### 9. Alternative Approaches\n*   **XSS Injection via CSRF**: If the settings page does not sanitize input, use the CSRF to inject a script into a setting field (e.g., `realpress_footer_text`). When the admin views the site, the script executes (Stored XSS).\n*   **Property Deletion**: If the plugin handles property deletion via GET\u002FPOST without nonces:\n    *   **Payload**: `action=realpress_delete_property&property_id=123`\n    *   **Verification**: `wp post list --post_type=realpress_property` (check if ID 123 is gone).\n*   **AJAX Endpoint**: If the vulnerability is in an AJAX handler, use the `wp_ajax_` action name and target `admin-ajax.php`.","The RealPress – Real Estate Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.1.0. This is caused by the plugin's failure to implement or correctly verify nonces on state-changing administrative functions, allowing attackers to modify plugin settings or manipulate property data by tricking an administrator into visiting a malicious link.","\u002F\u002F File: includes\u002Fadmin\u002Fclass-realpress-admin-settings.php (inferred from research plan)\npublic function save_settings() {\n    if ( ! current_user_can( 'manage_options' ) ) {\n        return;\n    }\n    \u002F\u002F VULNERABILITY: Missing check_admin_referer() or wp_verify_nonce() check before performing state changes.\n    $settings = $_POST['realpress_settings'];\n    update_option( 'realpress_settings', $settings );\n}\n\n---\n\n\u002F\u002F File: includes\u002Fclass-realpress-ajax.php (inferred pattern)\nadd_action( 'wp_ajax_realpress_delete_property', array( $this, 'delete_property' ) );\npublic function delete_property() {\n    \u002F\u002F VULNERABILITY: No check_ajax_referer() used to verify the request origin.\n    $property_id = $_POST['property_id'];\n    wp_delete_post( $property_id );\n}","--- includes\u002Fadmin\u002Fclass-realpress-admin-settings.php\n+++ includes\u002Fadmin\u002Fclass-realpress-admin-settings.php\n@@ -2,6 +2,8 @@\n public function save_settings() {\n+    check_admin_referer( 'realpress_save_settings_action', 'realpress_nonce' );\n+\n     if ( ! current_user_can( 'manage_options' ) ) {\n         return;\n     }\n--- includes\u002Fclass-realpress-ajax.php\n+++ includes\u002Fclass-realpress-ajax.php\n@@ -2,6 +2,8 @@\n public function delete_property() {\n+    check_ajax_referer( 'realpress_ajax_nonce', 'security' );\n+\n     $property_id = $_POST['property_id'];\n     wp_delete_post( $property_id );\n }","The exploit methodology targets administrative endpoints such as wp-admin\u002Fadmin-post.php or wp-admin\u002Fadmin-ajax.php. An attacker creates a malicious external page containing a hidden HTML form that automatically submits via JavaScript. The form's 'action' attribute is set to the vulnerable WordPress site's administrative handler, and the form fields are populated with the target 'action' (e.g., 'realpress_save_settings') and the desired malicious parameters (e.g., modifying global settings or deleting specific property posts). Because the plugin does not verify a nonce (a unique cryptographic token), the server processes the request as legitimate if it is sent from the browser of a currently logged-in administrator. The attacker only needs to trick the administrator into visiting the malicious URL.","gemini-3-flash-preview","2026-05-05 10:57:40","2026-05-05 10:59:07",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frealpress\u002Ftags\u002F1.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frealpress.1.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frealpress\u002Ftags\u002F1.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frealpress.1.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frealpress\u002Ftags"]