[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgnVS0_AMZI71XgLHZsghk2zvAtFHXFWsDqZQBN8r0rw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8424","remove-yellow-bgbox-cross-site-request-forgery","Remove Yellow BGBOX \u003C= 1.0 - Cross-Site Request Forgery","The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'rybb_api_settings' page. This makes it possible for unauthenticated attackers to reset the plugin's stored settings by overwriting its configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","remove-yellow-bgbox",null,"\u003C=1.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-19 12:07:21","2026-05-20 01:25:53",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc5b30d27-a3f8-4535-a47f-675c939ec648?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8424 (Remove Yellow BGBOX CSRF)\n\nThis plan outlines the process for analyzing and demonstrating the Cross-Site Request Forgery (CSRF) vulnerability in the **Remove Yellow BGBOX** plugin (\u003C= 1.0).\n\n## 1. Vulnerability Summary\nThe \"Remove Yellow BGBOX\" plugin fails to implement or correctly verify security nonces on its settings management page (`rybb_api_settings`). This oversight allows an unauthenticated attacker to craft a malicious request that, when executed by a logged-in administrator, overwrites or resets the plugin's configuration options.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php` or `\u002Fwp-admin\u002Foptions.php` (inferred based on standard WordPress settings patterns).\n*   **Action Hook:** Likely `admin_post_rybb_api_settings` or `admin_post_rybb_save_settings` (inferred).\n*   **Vulnerable Parameter:** Configuration settings parameters (e.g., `rybb_option_name`, `rybb_hex_code`, etc.).\n*   **Authentication Requirement:** An authenticated Administrator must trigger the request (CSRF victim).\n*   **Preconditions:** The attacker must know the exact parameter names used in the settings form.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an admin page using `add_options_page()` or `add_menu_page()` with the slug `rybb_api_settings`.\n2.  **Form Rendering:** The callback function for this page renders an HTML `\u003Cform>` targeting either `admin-post.php` or `options.php`.\n3.  **Processing Hook:** The plugin uses `add_action('admin_init', ...)` or `add_action('admin_post_...', ...)` to listen for the form submission.\n4.  **Vulnerable Sink:** The handler function directly calls `update_option()` or `update_site_option()` using data from `$_POST` without first calling `check_admin_referer()` or `wp_verify_nonce()`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, nonce validation is either **missing** or **incorrect**. \n\n1.  **Verification of Missing Nonce:**\n    *   First, inspect the settings page HTML for a nonce field: `wp_nonce_field`.\n    *   If no hidden input with a nonce is present in the form, the exploit requires no nonce.\n2.  **Bypassing \"Incorrect\" Validation:**\n    *   If a nonce exists but is \"incorrectly validated,\" check if the plugin verifies the nonce but fails to `die()` on failure (e.g., `if (!wp_verify_nonce(...)) { \u002F\u002F does nothing }`).\n    *   Check if the action string in `wp_create_nonce` (creation) differs from `wp_verify_nonce` (verification).\n\n**Agent Instruction for Discovery:**\n*   Navigate to the settings page: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-general.php?page=rybb_api_settings\")` (verify the actual URL via `wp-cli` first).\n*   Use `browser_eval` to extract form details:\n    ```javascript\n    (() => {\n        const form = document.querySelector('form');\n        return {\n            action: form.getAttribute('action'),\n            inputs: Array.from(form.querySelectorAll('input, select, textarea')).map(i => ({\n                name: i.name,\n                type: i.type,\n                value: i.value\n            }))\n        };\n    })()\n    ```\n\n## 5. Exploitation Strategy\nThe exploit will be a CSRF POST request that changes the plugin's settings.\n\n1.  **Identify Parameters:** Use the discovery step above to find the `name` attributes of the settings fields.\n2.  **Craft Payload:** Construct a URL-encoded body for a POST request.\n3.  **Request Execution:** Use `http_request` to simulate the admin's browser submitting the form.\n\n**Sample Request (Inferred Identifiers):**\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php`\n*   **Headers:**\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   `Cookie: [Admin Session Cookies]`\n*   **Body:**\n    ```\n    action=rybb_save_settings&rybb_background_color=%23ff0000&rybb_enabled=1&submit=Save+Changes\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** `wp plugin install remove-yellow-bgbox --version=1.0 --activate`\n2.  **Identify Options:** Run `wp option list --search=\"rybb*\"` to see current plugin settings.\n3.  **Set Initial State:** Set a known value for a plugin setting to verify it changes later.\n    *   Example: `wp option update rybb_background_color \"#ffffff\"`\n\n## 7. Expected Results\n*   The `http_request` should return a `302 Found` redirect (common for WordPress admin settings saves).\n*   The plugin configuration stored in the `wp_options` table should be updated to the attacker-supplied values.\n\n## 8. Verification Steps\n1.  **Check Database:** Use `wp-cli` to verify the option has changed.\n    *   `wp option get [found_option_name]`\n2.  **UI Verification:** Navigate back to the settings page via `browser_navigate` and use `browser_eval` to check if the input fields now contain the malicious values.\n\n## 9. Alternative Approaches\n*   **AJAX Handler:** If the plugin saves settings via AJAX, the endpoint will be `\u002Fwp-admin\u002Fadmin-ajax.php`. Search for `wp_ajax_` hooks in the plugin source.\n*   **GET-based CSRF:** If the plugin uses `$_REQUEST` instead of `$_POST` and doesn't check the request method, the attack can be executed via a simple `\u003Cimg>` tag or `window.location` redirect. Check the handler for usage of `$_GET` or `$_REQUEST`.\n*   **Reset Attack:** If the description mentions \"reset,\" look for a specific parameter (like `action=reset` or a `reset` button name) that triggers `delete_option()`.","The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.0. This vulnerability allows unauthenticated attackers to overwrite or reset the plugin's configuration settings by tricking an authenticated administrator into performing a forged action.","\u002F\u002F Inferred from research plan code flow analysis\n\nadd_action('admin_init', 'rybb_save_settings');\n\nfunction rybb_save_settings() {\n    if (isset($_POST['rybb_save_settings'])) {\n        \u002F\u002F Missing nonce verification via check_admin_referer() or wp_verify_nonce()\n        update_option('rybb_background_color', $_POST['rybb_background_color']);\n        update_option('rybb_enabled', $_POST['rybb_enabled']);\n    }\n}","--- remove-yellow-bgbox.php\n+++ remove-yellow-bgbox.php\n@@ -10,6 +10,10 @@\n function rybb_save_settings() {\n-    if (isset($_POST['rybb_save_settings'])) {\n+    if (isset($_POST['rybb_save_settings'])) {\n+        if (!isset($_POST['rybb_nonce']) || !wp_verify_nonce($_POST['rybb_nonce'], 'rybb_save_action')) {\n+            wp_die('Security check failed');\n+        }\n         update_option('rybb_background_color', $_POST['rybb_background_color']);\n         update_option('rybb_enabled', $_POST['rybb_enabled']);\n     }\n }\n\n\u002F\u002F In the settings form render function:\n+ wp_nonce_field('rybb_save_action', 'rybb_nonce');","The exploit targets the settings update mechanism, which is executed via an admin-side hook (likely admin_init or admin_post). An attacker crafts a malicious HTML page that contains a hidden form targeting the WordPress admin dashboard (specifically admin-post.php or options-general.php?page=rybb_api_settings). The payload includes parameters such as 'rybb_save_settings' to trigger the update and 'rybb_background_color' to change configuration values. Because the plugin does not verify a cryptographic nonce, the request is processed using the session cookies of a logged-in administrator when they visit the attacker's page.","gemini-3-flash-preview","2026-05-20 16:53:21","2026-05-20 16:53:58",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fremove-yellow-bgbox\u002Ftags"]