[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDTJqfpOFl4qsscL7_PXf6ZMiPe07YgMalLPiXmVCZoI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8422","remove-meta-boxes-per-user-role-cross-site-request-forgery-to-settings-update","Remove meta boxes per user role \u003C= 1.01 - Cross-Site Request Forgery to Settings Update","The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. This makes it possible for unauthenticated attackers to modify or reset the plugin's per-role meta box visibility settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","remove-meta-boxes-per-user-role",null,"\u003C=1.01","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-01 19:43:09","2026-06-02 07:48:32",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe456b08d-ccb9-40b8-9c36-d4b2f7f7fb91?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8422 (Remove meta boxes per user role)\n\n## 1. Vulnerability Summary\n**CVE-2026-8422** is a Cross-Site Request Forgery (CSRF) vulnerability in the \"Remove meta boxes per user role\" WordPress plugin (versions \u003C= 1.01). The vulnerability exists because the plugin's settings update logic, likely located within the administration menu callback or an `admin_init` hook, fails to implement WordPress nonce verification. This allows an unauthenticated attacker to craft a malicious request that, if executed by a logged-in administrator, modifies or resets the plugin's configuration, potentially disrupting administrative workflows or altering content management interfaces across roles.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: `\u002Fwp-admin\u002Foptions-general.php?page=remove-meta-boxes-per-user-role` (inferred slug) or a POST request to `\u002Fwp-admin\u002Fadmin-post.php`.\n*   **HTTP Method**: `POST`\n*   **Authentication Requirement**: The request must be executed in the context of a user with `manage_options` capabilities (typically an Administrator).\n*   **Payload Carrying Parameter**: Inferred parameters based on plugin functionality include arrays like `rmb_settings[role][post_type]` or similar structures used to store hidden meta box IDs.\n*   **Preconditions**: \n    1. The plugin must be active.\n    2. An administrator must be tricked into clicking a link or visiting a site that triggers a cross-site POST request to the vulnerable WordPress instance.\n\n## 3. Code Flow (Inferred)\n1.  **Registration**: The plugin registers a settings page using `add_options_page()` or `add_menu_page()` in the `admin_menu` hook.\n2.  **Hooking**: The plugin likely uses `admin_init` or checks `$_POST` inside the menu callback function to process settings.\n3.  **Vulnerable Sink**: The handler checks for the presence of a specific submit parameter (e.g., `isset($_POST['submit'])`) and perhaps validates capabilities using `current_user_can('manage_options')`.\n4.  **Missing Check**: The code **omits** `check_admin_referer()` or `wp_verify_nonce()`.\n5.  **Processing**: The handler iterates through the `$_POST` data and saves it using `update_option('remove_meta_boxes_settings', ...)` (inferred option name).\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nThe essence of this CSRF vulnerability is the total absence of nonce validation or incorrect implementation (e.g., using a fixed string or failing to check the return value). The exploitation agent should verify this by attempting a request with an intentionally invalid or missing nonce parameter.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that settings can be changed without a valid nonce.\n\n### Step 1: Discover Parameters\nNavigate to the settings page and extract the form structure:\n1.  Use `browser_navigate` to `\u002Fwp-admin\u002Foptions-general.php?page=remove-meta-boxes-per-user-role`.\n2.  Use `browser_eval` to extract input names: `Array.from(document.querySelectorAll('input, select')).map(i => i.name)`.\n\n### Step 2: Craft the Payload\nBased on the discovery, construct a `POST` request. \n*Example (Inferred):*\n```json\n{\n  \"action\": \"update\",\n  \"option_page\": \"remove-meta-boxes-per-user-role\",\n  \"rmb_role_administrator[post][authordiv]\": \"1\",\n  \"submit\": \"Save Changes\"\n}\n```\n\n### Step 3: Execute the Exploit\nUse the `http_request` tool to send the forged request while authenticated as an admin.\n\n*   **URL**: `http:\u002F\u002F[target-ip]\u002Fwp-admin\u002Foptions-general.php?page=remove-meta-boxes-per-user-role`\n*   **Method**: `POST`\n*   **Headers**: \n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**: `rmb_role_administrator%5Bpost%5D%5Bauthordiv%5D=1&submit=Save+Changes` (Note: No `_wpnonce` included).\n\n## 6. Test Data Setup\n1.  **Install Plugin**: `wp plugin install remove-meta-boxes-per-user-role --version=1.01 --activate`\n2.  **Initial Configuration**: \n    *   Log in as admin.\n    *   Navigate to the plugin settings.\n    *   Ensure all boxes are currently *visible* (unchecked).\n3.  **Identify Target Meta Box**: Choose a standard meta box like `authordiv` (Author) or `categorydiv` (Categories) on the `post` post type.\n\n## 7. Expected Results\n*   **Success Indicator**: The HTTP response should be a `302 Redirect` back to the settings page with a success parameter (e.g., `settings-updated=true`) or a `200 OK` showing the updated state.\n*   **UI Change**: When visiting the \"New Post\" page as an administrator, the targeted meta box (e.g., Author) should now be hidden.\n\n## 8. Verification Steps\nAfter sending the `http_request`, verify the change via WP-CLI:\n1.  **Check Option**: `wp option get remove_meta_boxes_settings` (Verify the exact option name using `wp option list --search=\"remove_meta\"` first).\n2.  **Confirm Role Impact**: Check if the serialized data in the database reflects the new hidden status for the chosen role.\n3.  **Manual Check**: `wp post create --post_type=post --post_title=\"Verify Hide\"` and check the edit screen via the browser.\n\n## 9. Alternative Approaches\nIf the plugin uses `admin-post.php` instead of the settings page directly:\n1.  **Grep for Handler**: `grep -r \"admin_post_\" wp-content\u002Fplugins\u002Fremove-meta-boxes-per-user-role\u002F`\n2.  **New Target URL**: Change the `http_request` URL to `\u002Fwp-admin\u002Fadmin-post.php`.\n3.  **Payload Adjustment**: Ensure the `action` parameter matches the registered `admin_post_` hook suffix.","The 'Remove meta boxes per user role' plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in its settings save logic. This allows unauthenticated attackers to modify or reset the visibility of meta boxes for any user role if they can trick an administrator into clicking a malicious link or submitting a forged form.","\u002F\u002F remove-meta-boxes-per-user-role.php (or similar main file)\n\u002F\u002F Likely located within a function hooked to 'admin_init' or the menu callback\n\nfunction rmb_save_settings() {\n    if ( isset( $_POST['submit_rmb_settings'] ) ) {\n        \u002F\u002F MISSING: check_admin_referer( 'rmb_save_nonce', 'rmb_nonce_field' );\n        \n        if ( current_user_can( 'manage_options' ) ) {\n            $settings = $_POST['rmb_settings'];\n            update_option( 'remove_meta_boxes_settings', $settings );\n        }\n    }\n}","--- a\u002Fremove-meta-boxes-per-user-role.php\n+++ b\u002Fremove-meta-boxes-per-user-role.php\n@@ -10,6 +10,10 @@\n \n function rmb_save_settings() {\n     if ( isset( $_POST['submit_rmb_settings'] ) ) {\n+        if ( ! isset( $_POST['rmb_nonce_field'] ) || ! wp_verify_nonce( $_POST['rmb_nonce_field'], 'rmb_save_action' ) ) {\n+            wp_die( 'Security check failed' );\n+        }\n+\n         if ( current_user_can( 'manage_options' ) ) {\n             $settings = $_POST['rmb_settings'];\n             update_option( 'remove_meta_boxes_settings', $settings );\n@@ -25,5 +29,6 @@\n     \u003Cform method=\"post\" action=\"\">\n+        \u003C?php wp_nonce_field( 'rmb_save_action', 'rmb_nonce_field' ); ?>\n         \u003C!-- settings fields here -->\n         \u003Cinput type=\"submit\" name=\"submit_rmb_settings\" value=\"Save Changes\">\n     \u003C\u002Fform>","The exploit targets the plugin's settings update mechanism, which does not verify the origin of requests. An attacker can craft a malicious HTML page containing a form that targets the WordPress administrator settings page (usually `\u002Fwp-admin\u002Foptions-general.php?page=remove-meta-boxes-per-user-role`). The payload includes POST parameters like 'rmb_settings[role][post_type][box_id]' set to '1' to hide specific elements. The attacker then tricks a logged-in Administrator into visiting this malicious page (e.g., via phishing or a comment link). Since the plugin lacks a nonce check, the browser automatically includes the administrator's session cookies, and the settings are updated according to the attacker's payload.","gemini-3-flash-preview","2026-06-04 14:38:28","2026-06-04 14:39:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fremove-meta-boxes-per-user-role\u002Ftags"]