[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ft6bmSlkGyxjGOgr1EUabkwipM0Rcis4n2Vwd3--p7DY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8939","search-simple-fields-cross-site-request-forgery-to-plugin-settings-update","Search Simple Fields \u003C= 0.2 - Cross-Site Request Forgery to Plugin Settings Update","The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin's settings — including post types to search in, custom fields, media fields and the custom media function name — via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","search-simple-fields",null,"\u003C=0.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-26 17:23:34","2026-05-27 05:31:20",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1d7ffc0b-2706-4707-9b8f-edcb418058ca?source=api-prod",[],"researched",false,3,"This research plan outlines the methodology for analyzing and verifying CVE-2026-8939, a Cross-Site Request Forgery (CSRF) vulnerability in the \"Search Simple Fields\" plugin. The objective is to understand the mechanism by which plugin settings can be modified without proper authorization and to establish a verification procedure for security auditing purposes.\n\n### 1. Vulnerability Summary\nThe \"Search Simple Fields\" plugin (versions \u003C= 0.2) fails to implement cryptographic nonces (CSRF tokens) within its administrative settings update logic. Specifically, the function `search_simple_fields_options()` located in `functions_admin.php` processes state-changing requests (updating plugin configuration) without verifying the intent of the user through a unique, time-limited token. This allows an attacker to craft a request that, if executed by a logged-in administrator, alters the plugin's search parameters.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The vulnerability resides in the administrative interface, typically accessible via `wp-admin\u002Foptions-general.php?page=search-simple-fields` (inferred slug).\n*   **Action\u002FHook:** The `search_simple_fields_options()` function is likely hooked to `admin_menu` as a page callback or invoked during `admin_init` to handle POST data.\n*   **Authentication Requirement:** The request must be executed in the context of a user with `manage_options` capabilities (typically an Administrator).\n*   **Preconditions:** An administrator must be tricked into visiting an attacker-controlled page or clicking a link that triggers a cross-origin POST request to the WordPress site.\n\n### 3. Code Flow Analysis\nThe vulnerability stems from an insecure implementation of the Settings API or a custom form handler:\n1.  **Entry Point:** An administrator navigates to the plugin settings page. The WordPress core loads `functions_admin.php`.\n2.  **Request Handling:** When the \"Save Changes\" button is clicked, a POST request is sent to the server.\n3.  **Vulnerable Function:** `search_simple_fields_options()` is called to process the input.\n4.  **Missing Check:** The code likely checks for user capabilities using `current_user_can('manage_options')` but fails to call `check_admin_referer()` or `wp_verify_nonce()`.\n5.  **Data Sink:** The function takes values from the `$_POST` superglobal (e.g., `$_POST['search_simple_fields_post_types']`) and passes them directly to `update_option()`.\n\n### 4. Nonce Verification Methodology\nIn a secure implementation, WordPress requires two components to prevent CSRF:\n1.  **Generation:** A hidden field in the HTML form generated via `wp_nonce_field('search_simple_fields_update', 'ssf_nonce')`.\n2.  **Validation:** A server-side check using `check_admin_referer('search_simple_fields_update', 'ssf_nonce')`.\n\nIn version 0.2, the absence of these functions means no nonce is required to successfully submit the form. A research agent should verify the absence of these functions in `functions_admin.php` to confirm the vulnerability.\n\n### 5. Theoretical Verification Strategy\nTo verify the vulnerability in a controlled environment, the following methodology is used:\n\n1.  **Environment Preparation:**\n    *   Install WordPress and the Search Simple Fields plugin (version 0.2).\n    *   Create a standard Administrator user.\n    *   Configure the plugin with initial, known settings for \"post types\" and \"custom fields\".\n\n2.  **Configuration Audit:**\n    *   Identify the exact option names used by the plugin in the `wp_options` table. These typically match the `name` attributes of the input fields in the settings page.\n\n3.  **State-Change Verification:**\n    *   While logged in as an administrator, use a tool to simulate a POST request to the settings page.\n    *   The request should include parameters to modify the \"post types to search in\" (e.g., changing it from `post` to `page`).\n    *   Omit any nonce parameters.\n\n4.  **Success Criteria:**\n    *   The server returns a 200 OK or a 302 Redirect (common after settings save).\n    *   The plugin settings are updated despite the lack of a CSRF token.\n\n### 6. Test Data Setup\nTo facilitate testing, the following content should be prepared:\n*   **Post Types:** Ensure multiple post types exist (e.g., Posts, Pages, and a Custom Post Type).\n*   **Plugin State:** Navigate to the plugin settings and observe the current configuration. Use `wp option get` via CLI to record the baseline state of the plugin's options.\n\n### 7. Verification Steps (Post-Exploit)\nAfter the verification request is sent, use the WordPress CLI to confirm the database state change:\n```bash\n# Check if the post types to search in have been modified\nwp option get search_simple_fields_settings --format=yaml\n\n# Check if custom fields settings have changed\nwp option get search_simple_fields_custom_fields\n```\n*Note: The exact option names (e.g., `search_simple_fields_settings`) must be confirmed from the plugin source code.*\n\n### 8. Remediation and Defensive Patterns\nThe vulnerability is resolved by implementing standard WordPress security controls:\n*   **Implement Nonces:** Add `wp_nonce_field()` to the settings form.\n*   **Validate Nonces:** Add `check_admin_referer()` at the beginning of the `search_simple_fields_options()` function to ensure the request originated from the legitimate admin page.\n*   **Sanitize Input:** Ensure all data from `$_POST` is passed through `sanitize_text_field()` or `map_deep()` before being saved to the database.","The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 0.2. This vulnerability allows an unauthenticated attacker to modify plugin settings—such as post types and custom fields included in searches—by tricking a site administrator into clicking a malicious link or visiting a compromised page.","\u002F* functions_admin.php - search_simple_fields_options() function *\u002F\n\nfunction search_simple_fields_options() {\n    \u002F\u002F ... (logic to check if form was submitted)\n    if (isset($_POST['search_simple_fields_save'])) {\n        \u002F\u002F Missing nonce validation (check_admin_referer or wp_verify_nonce)\n\n        $post_types = $_POST['search_simple_fields_post_types'];\n        $custom_fields = $_POST['search_simple_fields_custom_fields'];\n        $media_fields = $_POST['search_simple_fields_media_fields'];\n        $custom_media_function = $_POST['search_simple_fields_custom_media_function'];\n\n        update_option('search_simple_fields_post_types', $post_types);\n        update_option('search_simple_fields_custom_fields', $custom_fields);\n        update_option('search_simple_fields_media_fields', $media_fields);\n        update_option('search_simple_fields_custom_media_function', $custom_media_function);\n\n        echo '\u003Cdiv class=\"updated\">\u003Cp>\u003Cstrong>Settings saved.\u003C\u002Fstrong>\u003C\u002Fp>\u003C\u002Fdiv>';\n    }\n    \u002F\u002F ... (form display logic)\n}","--- a\u002Ffunctions_admin.php\n+++ b\u002Ffunctions_admin.php\n@@ -2,6 +2,11 @@\n function search_simple_fields_options() {\n-    if (isset($_POST['search_simple_fields_save'])) {\n+    if (isset($_POST['search_simple_fields_save'])) {\n+        if (!isset($_POST['ssf_nonce']) || !wp_verify_nonce($_POST['ssf_nonce'], 'ssf_update_settings')) {\n+            wp_die('Security check failed');\n+        }\n+\n         update_option('search_simple_fields_post_types', $_POST['search_simple_fields_post_types']);\n@@ -15,4 +20,5 @@\n     \u003Cform method=\"post\">\n+        \u003C?php wp_nonce_field('ssf_update_settings', 'ssf_nonce'); ?>\n         \u003Cinput type=\"submit\" name=\"search_simple_fields_save\" value=\"Save Changes\">","The exploit targets the absence of nonce verification in the settings update handler. An attacker would follow these steps:\n1.  Determine the administrative page slug for the plugin (typically 'search-simple-fields').\n2.  Analyze the settings form to identify POST parameters like 'search_simple_fields_post_types' and 'search_simple_fields_custom_fields'.\n3.  Craft a malicious HTML page containing a hidden form with those parameters set to the attacker's desired configuration (e.g., exposing sensitive custom fields to search).\n4.  Include a script on the malicious page that automatically submits the form via POST to the target site's 'wp-admin\u002Foptions-general.php?page=search-simple-fields' endpoint.\n5.  Social engineer a logged-in Administrator into visiting the malicious page. Since the plugin does not check for a valid CSRF token (nonce), the request will be processed successfully under the administrator's session.","gemini-3-flash-preview","2026-06-04 18:59:47","2026-06-04 19:00:33",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsearch-simple-fields\u002Ftags"]