[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fX2M5dIa1HIb9jn2CjTTs_cACEwc2pcboJYRgpWN2rmM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-9067","schema-structured-data-for-wp-amp-unauthenticated-arbitrary-media-upload","Schema & Structured Data for WP & AMP \u003C 1.60 - Unauthenticated Arbitrary Media Upload","The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to arbitrary file uploads due to missing access control in all versions up to 1.60 (exclusive). This makes it possible for unauthenticated attackers to upload media files on the affected site's server.","schema-and-structured-data-for-wp",null,"\u003C1.60","1.60","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-11 00:00:00","2026-06-18 13:15:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe1ebd1f8-cd33-4531-8e23-5c1029931fb4?source=api-prod",8,[22,23,24,25,26,27,28],"admin_section\u002Fsettings.php","admin_section\u002Fstructure-admin.php","modules\u002Freviews\u002Fclass-saswp-review-feature-frontend.php","output\u002Ffunction.php","output\u002Foutput.php","readme.txt","structured-data-for-wp.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-9067\n\n## 1. Vulnerability Summary\nThe **Schema & Structured Data for WP & AMP** plugin (versions \u003C 1.60) contains an unauthenticated arbitrary media upload vulnerability. The vulnerability exists in the Review module, specifically within the AJAX handlers for image and video uploads. While the plugin registers these actions for unauthenticated users (`wp_ajax_nopriv_`), it fails to implement sufficient authorization checks (e.g., `current_user_can`) or strict file type validation within the handling functions, allowing any visitor to upload media files to the server.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions:** \n    - `saswp_rf_form_image_upload` (for images)\n    - `saswp_rf_form_video_upload` (for videos)\n- **Method:** POST (multipart\u002Fform-data)\n- **Authentication:** None (Unauthenticated)\n- **Payload Parameter:** `file` (containing the media payload)\n- **Nonce Parameter:** `saswp_security_nonce` (required for verification)\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers AJAX hooks in `modules\u002Freviews\u002Fclass-saswp-review-feature-frontend.php`:\n   ```php\n   add_action( 'wp_ajax_saswp_rf_form_image_upload', [$this, 'saswp_image_upload'] );\n   add_action( 'wp_ajax_nopriv_saswp_rf_form_image_upload', [$this, 'saswp_image_upload'] );\n   ```\n2. **Execution:** When a POST request is sent to `admin-ajax.php` with `action=saswp_rf_form_image_upload`, WordPress executes the `saswp_image_upload` method.\n3. **Nonce Verification:** The function typically verifies a nonce passed in the `saswp_security_nonce` parameter against the action `saswp_rf_nonce`.\n4. **Vulnerable Sink (Inferred):** The function likely uses `wp_handle_upload()` or `media_handle_upload()` to process the `$_FILES['file']` array. Because there is no check for user capabilities (like `upload_files`), any unauthenticated user who possesses a valid frontend nonce can trigger the upload.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is generated for unauthenticated users (UID 0) and localized into the frontend scripts when the Review feature is active on a page.\n\n1. **Shortcode Identification:** The Review feature is usually active on posts where comments are enabled and the \"Review\" schema type is applied, or via the `[saswp-reviews]` shortcode.\n2. **Page Creation:** Use WP-CLI to ensure a target page exists with the necessary environment:\n   `wp post create --post_type=post --post_title=\"Review Page\" --post_status=publish --post_content=\"[saswp-reviews]\" --comment_status=open`\n3. **Browser Navigation:** Navigate to the newly created post.\n4. **Nonce Extraction:** The plugin localizes data into a JavaScript object. Based on the file `modules\u002Freviews\u002Fclass-saswp-review-feature-frontend.php`, the localized variable name is likely `saswp_rf_data` (inferred from the script handle `saswp-rf-script`).\n   - Use `browser_eval`: `window.saswp_rf_data?.nonce`\n\n## 5. Exploitation Strategy\n1. **Target Identification:** Confirm the plugin version is \u003C 1.60 and the Review module is enabled in the plugin settings.\n2. **Nonce Retrieval:**\n   - Create a post with the `[saswp-reviews]` shortcode.\n   - Navigate to the post and extract the nonce using `browser_eval`.\n3. **File Upload:**\n   - Prepare a benign image file (e.g., `exploit.png`).\n   - Use the `http_request` tool to send a multipart POST request.\n   ```http\n   POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n   Content-Type: multipart\u002Fform-data; boundary=----WebKitFormBoundaryABC123\n   \n   ------WebKitFormBoundaryABC123\n   Content-Disposition: form-data; name=\"action\"\n   \n   saswp_rf_form_image_upload\n   ------WebKitFormBoundaryABC123\n   Content-Disposition: form-data; name=\"saswp_security_nonce\"\n   \n   [EXTRACTED_NONCE]\n   ------WebKitFormBoundaryABC123\n   Content-Disposition: form-data; name=\"file\"; filename=\"exploit.png\"\n   Content-Type: image\u002Fpng\n   \n   [BINARY_DATA]\n   ------WebKitFormBoundaryABC123--\n   ```\n\n## 6. Test Data Setup\n1. **Enable Review Feature:** Ensure the \"Review\" feature and \"Stars Rating\" are enabled in the plugin's Global Settings.\n   - `wp option update sd_data '{\"saswp-reviews-en\":\"1\", \"saswp-rf-page-settings-pros-cons-limit\":\"3\"}' --format=json` (Structure may vary).\n2. **Create Target Post:**\n   - `wp post create --post_type=post --post_status=publish --post_title=\"Exploit Test\" --post_content=\"[saswp-reviews]\"`\n\n## 7. Expected Results\n- The server should return a JSON response containing the attachment ID or the URL of the uploaded file (e.g., `{\"status\":\"1\",\"url\":\"...\u002Fuploads\u002Fsaswp-reviews\u002Fexploit.png\"}`).\n- The file should be accessible at the returned URL.\n\n## 8. Verification Steps\n1. **Check Filesystem:** Verify the file exists in the uploads directory:\n   - `ls -R \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002F | grep exploit.png`\n2. **Check Media Library:** Query the WordPress database for the new attachment:\n   - `wp post list --post_type=attachment --posts_per_page=5`\n\n## 9. Alternative Approaches\n- **Video Upload:** If image upload is restricted, attempt the same process using `action=saswp_rf_form_video_upload` with a small `.mp4` file.\n- **Direct Nonce Search:** If `saswp_rf_data` is not found, search the page source for any hidden input fields named `saswp_security_nonce` or script tags containing `nonce`.\n- **Extension Bypass:** If the \"Arbitrary\" nature allows it, attempt to upload files with double extensions (e.g., `exploit.php.jpg`) or disallowed types like `.svg` to check for XSS or potential RCE if the server configuration is weak.","gemini-3-flash-preview","2026-06-26 01:12:31","2026-06-26 01:13:34",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.59","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fschema-and-structured-data-for-wp\u002Ftags\u002F1.59","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fschema-and-structured-data-for-wp.1.59.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fschema-and-structured-data-for-wp\u002Ftags\u002F1.60","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fschema-and-structured-data-for-wp.1.60.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fschema-and-structured-data-for-wp\u002Ftags"]