[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJp151guqu04alGN338K7GB961R_uxFNWtNEJz06WJLc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-25344","review-schema-review-structure-data-schema-plugin-authenticated-subscriber-information-exposure","Review Schema – Review & Structure Data Schema Plugin \u003C= 2.2.6 - Authenticated (Subscriber+) Information Exposure","The Review Schema – Review & Structure Data Schema Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.","review-schema",null,"\u003C=2.2.6","2.2.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-03-23 00:00:00","2026-04-02 15:24:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F05379fe4-4924-4978-ad3f-a6208eee9d81?source=api-prod",11,[22,23,24,25,26,27,28],"README.txt","app\u002FControllers\u002FAdmin\u002FAdminSettings.php","app\u002FControllers\u002FAdmin\u002FMeta\u002FAddMetaBox.php","app\u002FControllers\u002FAdmin\u002FMeta\u002FMetaOptions.php","app\u002FControllers\u002FAdmin\u002FMeta\u002FSingleMetaOptions.php","app\u002FControllers\u002FAdmin\u002FReviewSettings.php","app\u002FControllers\u002FAjax\u002FAjaxController.php","researched",false,3,"This research plan outlines the technical steps required to exploit **CVE-2026-25344**, a Sensitive Information Exposure vulnerability in the **Review Schema** plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe **Review Schema** plugin (up to version 2.2.6) contains an authenticated information exposure vulnerability. The plugin registers several AJAX actions that fail to implement proper capability checks (e.g., `current_user_can( 'manage_options' )`). Specifically, the `rtrs_get_settings` action allows any authenticated user, including those with **Subscriber-level** permissions, to retrieve sensitive plugin configuration data. This data includes settings stored in the WordPress options table, which may contain reCAPTCHA keys, social media profile links, and internal plugin configurations.\n\n### 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `rtrs_get_settings` (Inferred from RadiusTheme patterns and `AjaxController.php` initialization).\n- **HTTP Method**: `POST`\n- **Authentication**: Authenticated (Subscriber-level and above).\n- **Vulnerable Parameters**: \n    - `tab`: Specifies which settings group to retrieve (e.g., `review`, `schema`, `woocommerce`, `media`, `misc`).\n    - `section`: Specifies a subsection within a tab (e.g., `social_profiles` for the `schema` tab).\n- **Nonce Requirement**: Yes, the action requires a nonce (likely with the action string `rtrs-nonce`).\n\n### 3. Code Flow\n1. **Entry Point**: The `AjaxController` (in `app\u002FControllers\u002FAjax\u002FAjaxController.php`) initializes the `Review` AJAX controller.\n2. **Registration**: The `Review` controller (or similar) registers `wp_ajax_rtrs_get_settings`.\n3. **Missing Check**: The handler for `rtrs_get_settings` (likely inside an unprovided `Review.php` or `Migration.php` file) uses logic similar to `AdminSettings::setTabs()` to construct an option name.\n4. **Data Retrieval**: It calls `get_option()` on the constructed option name (e.g., `review_settings`) and returns the JSON-encoded value.\n5. **Sink**: The handler uses `wp_send_json_success()` to output the data to the requester without verifying if the user has administrative privileges.\n\n### 4. Nonce Acquisition Strategy\nRadiusTheme plugins typically localize nonces for AJAX actions. To obtain a valid nonce as a Subscriber:\n\n1. **Shortcode Identification**: The plugin uses shortcodes like `[rtrs-affiliate]` (from `AddMetaBox.php`).\n2. **Page Creation**: Create a public page containing the shortcode. This ensures the plugin's scripts and localized variables are loaded.\n3. **Execution**:\n    - Use `wp post create` to create a page with `[rtrs-affiliate id=\"1\"]`.\n    - Navigate to the page as a Subscriber.\n    - Use `browser_eval` to extract the nonce from the `rtrs_ajax` or `rtrs_admin` object.\n4. **Verbatim Identifiers**:\n    - **JS Variable**: `window.rtrs_ajax","gemini-3-flash-preview","2026-04-18 00:08:20","2026-04-18 00:09:21",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.2.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freview-schema\u002Ftags\u002F2.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freview-schema.2.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freview-schema\u002Ftags\u002F2.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freview-schema.2.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freview-schema\u002Ftags"]