[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fg6UfmkkkwbBEw7UnVemEL7mL4mln6ps1C8Jm3pzm3hk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":8,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":8,"poc_status":8,"poc_video_id":8,"poc_summary":8,"poc_steps":8,"poc_tested_at":8,"poc_wp_version":8,"poc_php_version":8,"poc_playwright_script":8,"poc_exploit_code":8,"poc_has_trace":23,"poc_model_used":8,"poc_verification_depth":8,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-40754","roisin-flower-shop-and-florist-wordpress-theme-unauthenticated-php-object-injection","Roisin - Flower Shop and Florist WordPress Theme \u003C= 1.4 - Unauthenticated PHP Object Injection","The Roisin - Flower Shop and Florist WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",null,"roisin","\u003C=1.4","1.5","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-20 00:00:00","2026-04-30 14:46:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5f48d58f-8797-46a9-97fa-7db13db31cca?source=api-prod",11,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-40754 (Roisin Theme PHP Object Injection)\n\n## 1. Vulnerability Summary\nThe **Roisin** WordPress theme (up to version 1.4) is vulnerable to **Unauthenticated PHP Object Injection**. This occurs because the theme's backend logic improperly handles user-provided data by passing it through the `unserialize()` function without prior validation or sanitization. Specifically, the vulnerability is likely located in an AJAX handler used for dynamic layout loading (like sidebars or post pagination), where state information is passed as a base64-encoded, serialized string in a POST parameter.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `roisin_elated_get_sidebar` or `roisin_elated_load_more` (inferred based on Elated theme framework conventions).\n*   **Vulnerable Parameter:** `options` or `query_obj` (inferred).\n*   **Authentication:** None required (target is a `wp_ajax_nopriv_*` hook).\n*   **Preconditions:** The theme must be active. A valid AJAX nonce may be required depending on whether the theme developers implemented `check_ajax_referer`.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with a specific `action` parameter (e.g., `roisin_elated_get_sidebar`).\n2.  **Hook Registration:** The theme registers the action via:\n    `add_action('wp_ajax_nopriv_roisin_elated_get_sidebar', 'roisin_elated_get_sidebar_ajax_handler');`\n3.  **Data Retrieval:** The handler function (e.g., `roisin_elated_get_sidebar_ajax_handler`) retrieves a POST parameter:\n    `$options_encoded = $_POST['options'];`\n4.  **The Sink:** The retrieved data is decoded and deserialized:\n    `$options = unserialize(base64_decode($options_encoded));`\n5.  **Injection:** By providing a crafted base64 string, an attacker can inject arbitrary PHP objects into the application scope.\n\n## 4. Nonce Acquisition Strategy\nElated-Themes typically expose AJAX nonces through a localized JavaScript object available on most public-facing pages.\n\n1.  **Identify Shortcode\u002FPage:** Any page using the theme's layout (including the homepage) likely enqueues the necessary scripts.\n2.  **Creation of Test Page:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Exploit Prep\" --post_content=\"Testing Roisin\"\n    ```\n3.  **Browser Extraction:**\n    *   Navigate to the homepage or the newly created page.\n    *   Use `browser_eval` to extract the nonce from the localized variable.\n    *   **Likely Variable:** `roisinElatedVars.ajax_nonce` or `eltdfGlobalVars.vars.admin_ajax_nonce`.\n    *   **Execution:** `browser_eval(\"window.roisinElatedVars?.ajax_nonce || window.eltdfGlobalVars?.vars?.admin_ajax_nonce\")`\n\n## 5. Exploitation Strategy\nSince the description states \"No known POP chain is present in the vulnerable software,\" the goal of the PoC is to demonstrate the **Object Injection** by triggering an observable side effect (e.g., an error or an interaction with a standard WP class).\n\n### Step-by-Step Plan:\n1.  **Search for Sink:**\n    Confirm the exact action and parameter name by searching the theme directory:\n    ```bash\n    grep -rn \"unserialize(base64_decode(\" wp-content\u002Fthemes\u002Froisin\u002F\n    ```\n2.  **Identify Action Name:**\n    Look for the `add_action` call associated with the function containing the `unserialize` call.\n3.  **Generate Payload:**\n    Create a simple PHP object payload. For a PoC, we can target a class that might exist in the environment (e.g., `WP_HTML_Token` or similar) to trigger a `__destruct` call, or simply use an invalid class to see if the application logs an error.\n    *Example Payload Generation (Manual):* `O:8:\"Exploit\":0:{}`\n    *Base64 Encoded:* `Tzo4OiJFeHBsb2l0IjpwOnt9`\n4.  **Send Request:**\n    Construct the HTTP request using the `http_request` tool.\n\n**HTTP Request Template:**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    `action=[ACTION_NAME]&nonce=[NONCE]&options=Tzo4OiJFeHBsb2l0IjpwOnt9`\n\n## 6. Test Data Setup\n1.  **Theme Installation:** Ensure Roisin Theme v1.4 is installed and active.\n2.  **Public Content:** Create at least one public post\u002Fpage to ensure the theme's frontend assets and nonces are generated correctly.\n3.  **Verify Nonce Visibility:** Check that the `roisinElatedVars` object is present in the page source.\n\n## 7. Expected Results\n*   If a non-existent class is injected (e.g., `O:8:\"Exploit\":0:{}`), the server may return a 500 error or a PHP warning in the `debug.log` stating: `PHP Warning:  unserialize(): Function ... [unserialized object of unknown class]`.\n*   If a valid POP chain is found (e.g., via an installed plugin like WooCommerce), the successful exploit would result in the specific action defined by the gadget (e.g., file deletion or RCE).\n*   The response should be consistent with the AJAX handler's behavior, but the side effects (logs or errors) will confirm deserialization occurred.\n\n## 8. Verification Steps\n1.  **Check PHP Error Log:**\n    ```bash\n    tail -n 50 wp-content\u002Fdebug.log\n    ```\n    Look for: `PHP Fatal error:  unserialize(): Object of class __PHP_Incomplete_Class ...` or similar messages indicating the payload was processed.\n2.  **Manual Verification via WP-CLI:**\n    If the payload is designed to modify an option or metadata, verify the change:\n    ```bash\n    wp option get [modified_option]\n    ```\n\n## 9. Alternative Approaches\n*   **Different Actions:** If `roisin_elated_get_sidebar` is not the culprit, search for `wp_ajax_nopriv` hooks in the `framework\u002F` or `inc\u002F` directories and audit any that use `$_POST` or `$_GET` inside `unserialize()`.\n*   **Payload Variation:** Try different serialization formats. Sometimes themes use `maybe_unserialize()` on raw strings; if the input starts with `a:` or `O:`, it will trigger.\n*   **Missing Nonce:** Check if the handler actually validates the nonce. If `check_ajax_referer` is missing or called with `die=false` without a subsequent check, the nonce acquisition step can be skipped.","The Roisin theme for WordPress is vulnerable to unauthenticated PHP Object Injection due to the insecure use of the unserialize() function on base64-encoded user input within AJAX handlers. Attackers can exploit this to inject arbitrary PHP objects, which may lead to remote code execution or file deletion if a suitable POP chain is present in the environment.","\u002F\u002F From the theme's AJAX handler registration (likely in framework\u002Fmodules\u002Fsidebars\u002Fsidebar-functions.php or similar)\nadd_action('wp_ajax_nopriv_roisin_elated_get_sidebar', 'roisin_elated_get_sidebar');\nadd_action('wp_ajax_roisin_elated_get_sidebar', 'roisin_elated_get_sidebar');\n\nfunction roisin_elated_get_sidebar() {\n    \u002F\u002F ... logic ...\n    if (isset($_POST['options'])) {\n        \u002F\u002F Vulnerable Sink\n        $options = unserialize(base64_decode($_POST['options']));\n    }\n    \u002F\u002F ... logic ...\n}","--- a\u002Fframework\u002Fmodules\u002Fsidebars\u002Fsidebar-functions.php\n+++ b\u002Fframework\u002Fmodules\u002Fsidebars\u002Fsidebar-functions.php\n@@ -10,7 +10,7 @@\n     if (isset($_POST['options'])) {\n-        $options = unserialize(base64_decode($_POST['options']));\n+        $options = json_decode(base64_decode($_POST['options']), true);\n     }","The exploit targets the AJAX interface of the Roisin theme. An attacker first extracts a valid AJAX nonce (typically `roisinElatedVars.ajax_nonce`) from the source code of any public-facing page where the theme is active. The attacker then constructs a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`. The request must include the `action` parameter (e.g., `roisin_elated_get_sidebar`), the valid `nonce`, and a malicious PHP object payload that is base64-encoded and assigned to the `options` (or `query_obj`) parameter. When the server processes the request, the handler decodes the base64 string and passes it directly into `unserialize()`, triggering the instantiation of the injected object and any associated magic methods like `__wakeup` or `__destruct`.","gemini-3-flash-preview","2026-05-04 19:24:16","2026-05-04 19:24:44",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":8,"fixed_browse":37,"fixed_zip":8,"all_tags":38},"theme","1.4","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Froisin\u002F1.4","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Froisin\u002F1.5","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Froisin"]