[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxUaTO484WLa3MxQkIo-jMJSBAGMw2m4Z1baWbvzPol8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-27344","scientific-and-interactive-blocks-inseri-core-missing-authorization","Scientific and Interactive Blocks – inseri core \u003C= 1.0.5 - Missing Authorization","The Scientific and Interactive Blocks – inseri core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","inseri-core",null,"\u003C=1.0.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-25 00:00:00","2026-03-05 14:41:31",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faf2645cc-aa96-45b4-8f22-16d02224cb3b?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2026-27344) in the **Scientific and Interactive Blocks – inseri core** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **Scientific and Interactive Blocks – inseri core** plugin (up to version 1.0.5) fails to implement proper authorization checks (e.g., `current_user_can()`) on one or more of its AJAX or REST API handlers. Specifically, functions registered under `wp_ajax_nopriv_*` or REST routes with permissive `permission_callback` values allow unauthenticated attackers to perform actions intended for administrators or editors, such as creating, modifying, or deleting interactive blocks\u002Fitems.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (AJAX) or `\u002Fwp-json\u002Finseri-core\u002Fv1\u002F...` (REST API).\n*   **Vulnerable Action (Inferred):** Likely an action related to \"saving\" or \"updating\" block data. Based on the plugin structure, candidate actions include `inseri_core_save_item`, `inseri_core_create_item`, or a REST route like `POST \u002Fwp-json\u002Finseri-core\u002Fv1\u002Fitems`.\n*   **Payload Parameters:** `item_id` (int), `content` (string\u002FJSON), and potentially a `nonce`.\n*   **Preconditions:** The plugin must be active. If a nonce is required, a page containing an `inseri` block must be accessible to extract the nonce.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=[ACTION_NAME]`.\n2.  **Hook Registration:** The plugin registers the action: \n    `add_action( 'wp_ajax_nopriv_[ACTION_NAME]', 'handle_unauthorized_action' );` \n    (or fails to provide a `permission_callback` in a REST route).\n3.  **Vulnerable Function:** The handler function `handle_unauthorized_action` executes.\n4.  **Authorization Failure:** The function lacks a `current_user_can('edit_posts')` or `current_user_can('manage_options')` check.\n5.  **Sink:** The function proceeds to call `wp_update_post()`, `update_post_meta()`, or a direct `$wpdb` query to modify site content.\n\n### 4. Nonce Acquisition Strategy\nIf the handler uses `check_ajax_referer` or `wp_verify_nonce`, the nonce is likely localized for the frontend editor or interactive blocks.\n\n1.  **Identify Shortcode:** Locate the primary shortcode (likely `[inseri-item]`) or the block registration in the source.\n2.  **Create Trigger Page:** Use WP-CLI to create a page containing the block:\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Exploit Page\" --post_content='\u003C!-- wp:inseri-core\u002Fitem {\"id\":1} \u002F-->'\n    ```\n3.  **Extract Nonce:** Use `browser_navigate` to visit the page and `browser_eval` to extract the localized nonce.\n    *   **Candidate JS Variables:** `window.inseri_core_vars?.nonce` or `window.inseri_core_data?.ajax_nonce`.\n    *   **Action String:** Check the source for `wp_create_nonce('...')` to identify the correct action key.\n\n### 5. Exploitation Strategy\nThis plan assumes the vulnerability allows unauthorized modification of an \"inseri item\" (a custom post type or meta entry).\n\n**Step 1: Discovery**\nSearch the plugin directory to find the specific vulnerable action:\n```bash\ngrep -rn \"wp_ajax_nopriv\" .\ngrep -rn \"register_rest_route\" . -A 5\n```\nIdentify handlers that perform write operations (update, delete, save).\n\n**Step 2: Nonce Extraction (If Required)**\nIf a nonce is found in the discovery step (e.g., `check_ajax_referer( 'inseri_core_nonce' ... )`):\n1.  Navigate to the page created in the \"Test Data Setup\".\n2.  Execute: `browser_eval(\"window.inseri_core_vars.nonce\")`.\n\n**Step 3: Execution of Unauthorized Action**\nSend a crafted HTTP request to modify a block's content:\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** \n    ```text\n    action=[DISCOVERED_ACTION]&nonce=[EXTRACTED_NONCE]&id=[TARGET_ID]&content=\u003Ch1>Vulnerable\u003C\u002Fh1>\u003Cscript>alert(1)\u003C\u002Fscript>\n    ```\n\n### 6. Test Data Setup\n1.  **Activate Plugin:** `wp plugin activate inseri-core`.\n2.  **Create Target Content:** If the plugin uses a custom post type for items, create one:\n    ```bash\n    wp post create --post_type=inseri_item --post_title=\"Target Block\" --post_content=\"Original Scientific Data\" --post_status=publish\n    ```\n3.  **Identify Target ID:** Note the ID of the created post (e.g., `123`).\n\n### 7. Expected Results\n*   **Response:** The server returns a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **Impact:** The content of the \"Scientific Block\" (Post ID 123) is modified to include the attacker's payload (e.g., XSS or defacement).\n\n### 8. Verification Steps\n1.  **Check Post Content:** Use WP-CLI to verify the modification:\n    ```bash\n    wp post get [TARGET_ID] --field=post_content\n    ```\n2.  **Verify UI Change:** Navigate to the page where the block is embedded and check for the injected payload.\n\n### 9. Alternative Approaches\n*   **REST API Route:** If an AJAX handler isn't found, check for REST routes at `POST \u002Fwp-json\u002Finseri-core\u002Fv1\u002Fitems`. Test the `permission_callback`. If it returns `__return_true` or is missing, the route is publicly accessible.\n*   **Settings Modification:** Check if the plugin registers `wp_ajax_nopriv_inseri_core_save_settings`. If so, try to change plugin-wide configurations or inject malicious scripts into global headers\u002Ffooters if the plugin provides such features.","The Scientific and Interactive Blocks – inseri core plugin for WordPress (up to version 1.0.5) fails to perform proper authorization checks in its AJAX or REST API handlers. This vulnerability allows unauthenticated attackers to perform sensitive actions, such as creating or modifying interactive blocks, by targeting functions registered without capability checks.","1. Locate a vulnerable AJAX action (e.g., associated with saving blocks) registered with 'wp_ajax_nopriv_*' or a REST API route (e.g., \u002Fwp-json\u002Finseri-core\u002Fv1\u002Fitems) lacking a strict 'permission_callback'.\n2. If a security nonce is required, visit a page where an inseri block is active and extract the nonce from the localized JavaScript variables (e.g., window.inseri_core_vars.nonce).\n3. Send a POST request to the WordPress AJAX or REST endpoint containing the identified action, the security nonce, the target block ID, and a malicious payload in the 'content' field.\n4. Verify that the block's content has been unauthorizedly updated or that a malicious script (XSS) is now embedded within the block.","gemini-3-flash-preview","2026-04-19 00:26:47","2026-04-19 00:27:09",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finseri-core\u002Ftags"]