[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSgFY3QEqacfNQ3o8a8le4L_WcszhTkU4TbP1Wlwcgj0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-27357","search-analytics-for-wp-missing-authorization","Search Analytics for WP \u003C 1.5.0 - Missing Authorization","The Search Analytics for WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 1.5.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","search-analytics",null,"\u003C1.5.0","1.5.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-25 00:00:00","2026-05-26 19:26:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F507b03d5-336a-4371-abc9-45b5e04d097b?source=api-prod",2,[22,23,24,25,26],"admin\u002Fadmin.php","admin\u002Fassets\u002Fjs\u002Fchart-controller.js","admin\u002Fincludes\u002Fclass.charts.php","admin\u002Fincludes\u002Fclass.dashboard.php","admin\u002Fincludes\u002Fclass.export-csv.php","researched",false,3,"# Search Analytics for WP \u003C 1.5.0 - Missing Authorization (CVE-2026-27357)\n\nThe Search Analytics for WP plugin is vulnerable to unauthorized access and option manipulation due to missing capability checks in its AJAX handlers. Specifically, the `render_chart_data` and `save_default_chart_settings` functions in `MWTSA_Admin_Charts` verify a nonce but do not check if the user has administrative privileges. Although the provided source only shows `wp_ajax_` registrations (authenticated), the CVE's `PR:N` rating and unauthenticated description imply that either `wp_ajax_nopriv_` hooks are present in the vulnerable versions or the nonce is accessible to unauthenticated users, allowing them to view search statistics or modify global plugin settings.\n\n### 1. Vulnerability Summary\n- **ID**: CVE-2026-27357\n- **Type**: Missing Authorization\n- **Vulnerable Functions**: `MWTSA_Admin_Charts::render_chart_data` and `MWTSA_Admin_Charts::save_default_chart_settings`.\n- **Root Cause**: These functions rely solely on `wp_verify_nonce()` for security. In WordPress, nonces are for CSRF protection, not authorization. Any user (or potentially an unauthenticated one if the nonce is leaked) who can obtain a valid `mwtsa_chart_nonce` can invoke these functions.\n- **Impact**: \n    1. **Information Disclosure**: Unauthenticated\u002F","The Search Analytics for WP plugin for WordPress is vulnerable to unauthorized access and option manipulation due to missing capability checks in its AJAX handlers. This allows authenticated users, regardless of their role, to view search statistics and modify global plugin settings if they can obtain a valid nonce.","\u002F\u002F admin\u002Fincludes\u002Fclass.charts.php\n\npublic function render_chart_data() {\n    $nonce = isset( $_REQUEST['nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ) : '';\n\n    if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, $this->nonce_action ) ) {\n        wp_send_json_error( 'Bad Request!' );\n    }\n\n    $ranges = ! empty( $_REQUEST['chart_ranges'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['chart_ranges'] ) ) : '2w';\n\n    \u002F\u002F ... (logic to return search statistics)\n}\n\n---\n\n\u002F\u002F admin\u002Fincludes\u002Fclass.charts.php\n\npublic function save_default_chart_settings() {\n    $nonce = isset( $_REQUEST['nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ) : '';\n\n    if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, $this->nonce_action ) ) {\n        wp_send_json_error( 'Bad Request!' );\n    }\n\n    if ( empty( $_POST['line_style'] ) || empty( $_POST['chart_ranges'] ) ) {\n        wp_send_json_error( 'Bad Request!' );\n    }\n\n    \u002F\u002F ... (sanitization logic)\n\n    MWTSA_Options::set_options( array(\n        'chart_default_range'      => $chart_ranges,\n        'chart_default_line_style' => $line_style\n    ) );\n\n    wp_send_json_success();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsearch-analytics\u002F1.4.16\u002Fadmin\u002Fincludes\u002Fclass.charts.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsearch-analytics\u002F1.5.0\u002Fadmin\u002Fincludes\u002Fclass.charts.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsearch-analytics\u002F1.4.16\u002Fadmin\u002Fincludes\u002Fclass.charts.php\t2025-09-17 09:22:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsearch-analytics\u002F1.5.0\u002Fadmin\u002Fincludes\u002Fclass.charts.php\t2026-05-07 11:04:28.000000000 +0000\n@@ -89,10 +89,7 @@\n \t\t}\n \n \t\tpublic function render_chart_data() {\n-            $nonce = isset( $_REQUEST['nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ) : '';\n-\n-\t\t\tif ( empty( $nonce ) || ! wp_verify_nonce( $nonce, $this->nonce_action ) ) {\n-\t\t\t\twp_send_json_error( 'Bad Request!' );\n-\t\t\t}\n+            check_ajax_referer( $this->nonce_action );\n \n \t\t\t$ranges = ! empty( $_REQUEST['chart_ranges'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['chart_ranges'] ) ) : '2w';\n \n@@ -125,11 +122,7 @@\n \t\t}\n \n \t\tpublic function save_default_chart_settings() {\n-\t\t\t$nonce = isset( $_REQUEST['nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ) : '';\n-\n-\t\t\tif ( empty( $nonce ) || ! wp_verify_nonce( $nonce, $this->nonce_action ) ) {\n-\t\t\t\twp_send_json_error( 'Bad Request!' );\n-\t\t\t}\n+\t\t\tcheck_ajax_referer( $this->nonce_action );\n \n \t\t\tif ( empty( $_POST['line_style'] ) || empty( $_POST['chart_ranges'] ) ) {\n \t\t\t\twp_send_json_error( 'Bad Request!' );","1. **Identify the Nonce**: The attacker must obtain the `mwtsa_chart_nonce`. This is typically localized in the `mwtsa_chart_obj` JavaScript object on any page where the search analytics dashboard is loaded. If the dashboard is accessible to lower-privileged roles (like Subscribers) due to misconfiguration or if the nonce is leaked globally, it can be harvested.\n2. **Target Endpoint**: Perform an AJAX POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n3. **View Analytics Data**: Send a payload with `action=render_chart_data`, `nonce=[harvested_nonce]`, and `chart_ranges=1m`. The server will return the daily search counts and terms in JSON format, bypassing administrative restrictions.\n4. **Modify Settings**: Send a payload with `action=save_default_chart_settings`, `nonce=[harvested_nonce]`, `line_style=stepped`, and `chart_ranges=2wc`. This will overwrite the global default chart settings in the plugin's configuration options.","gemini-3-flash-preview","2026-06-04 21:06:16","2026-06-04 21:07:41",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.4.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsearch-analytics\u002Ftags\u002F1.4.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsearch-analytics.1.4.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsearch-analytics\u002Ftags\u002F1.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsearch-analytics.1.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsearch-analytics\u002Ftags"]