[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fiGFx6X2UXdNZHdbSt680S5ciVULrQs9SulyArQbd_pk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-7617","secuforoauth-missing-authorization-to-unauthenticated-account-logout-via-secuforoauthunregisteraction-ajax-action","Secufor_OAuth \u003C= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'secuforoauth_unregister_action' AJAX Action","The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration.","wpoauth",null,"\u003C=1.0.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-23 16:37:57","2026-06-24 05:33:25",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F61293c20-cabe-412d-94d1-1d0326d35a46?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-7617 (Secufor_OAuth)\n\n## 1. Vulnerability Summary\nThe **Secufor_OAuth** plugin (\u003C= 1.0.7) contains a Missing Authorization vulnerability in its AJAX handling logic. The plugin registers the AJAX action `secuforoauth_unregister_action` for unauthenticated users (via the `wp_ajax_nopriv_` hook) but fails to implement proper authorization checks (e.g., `current_user_can`) or cryptographic nonces (e.g., `check_ajax_referer`). This allows an unauthenticated attacker to remotely trigger the \"unregister\" functionality, which clears the site's connection to the Secufor OAuth service, effectively disconnecting the site and potentially disrupting user authentication.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `secuforoauth_unregister_action`\n*   **Method:** HTTP POST\n*   **Authentication:** Unauthenticated (PR:N)\n*   **Preconditions:** The plugin must be active and ideally configured\u002Flinked to a Secufor account (though the exploit will still attempt to clear options even if empty).\n*   **Parameters:** \n    *   `action`: `secuforoauth_unregister_action`\n    *   `_wpnonce`: (Potentially required, but likely missing or not validated according to the vulnerability description).\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin likely registers the hook in its main file or an initialization class:\n    ```php\n    add_action('wp_ajax_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');\n    add_action('wp_ajax_nopriv_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');\n    ```\n2.  **Handler Entry:** The function `secuforoauth_unregister_callback` (inferred name) is invoked.\n3.  **Missing Check:** The handler likely lacks:\n    *   `if (!current_user_can('manage_options')) die();`\n    *   `check_ajax_referer('some_action', 'nonce');`\n4.  **The Sink:** The function proceeds to clear configuration data:\n    ```php\n    delete_option('secufor_oauth_token'); \u002F\u002F Inferred option name\n    delete_option('secufor_oauth_config'); \u002F\u002F Inferred option name\n    wp_send_json_success();\n    ```\n\n## 4. Nonce Acquisition Strategy\nBased on the \"Missing Authorization\" description, it is highly probable that the nonce check is either entirely absent or uses a predictable\u002Fpublicly exposed nonce.\n\n**Step 1: Check for Nonce requirement**\nAttempt the exploit without a nonce first.\n\n**Step 2: If a nonce is required (Inferred Discovery)**\nIf the response is `403 Forbidden` or `0`, the agent should:\n1.  Search the plugin source for `wp_localize_script` to find where AJAX data is passed to the frontend.\n2.  Search for the JavaScript variable name (e.g., `secufor_vars` or `wpoauth_data`).\n3.  Identify a shortcode or admin page where this script is enqueued.\n4.  Create a page with that shortcode:\n    `wp post create --post_type=page --post_status=publish --post_content='[secufor_login]'` (inferred shortcode).\n5.  Navigate to the page and extract the nonce:\n    `browser_eval(\"window.secufor_vars?.nonce\")` (inferred variable).\n\n## 5. Exploitation Strategy\nThe exploit will attempt to trigger the unregister action via `admin-ajax.php`.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=secuforoauth_unregister_action`\n\n**Execution Steps:**\n1.  **Initialize Target:** Ensure the plugin is installed and \"simulated\" as configured (see Test Data Setup).\n2.  **Send Payload:** Use `http_request` to send the POST request.\n3.  **Analyze Response:** A successful unregistration usually returns a JSON success object `{\"success\":true}` or redirects\u002Fdies with a specific status code.\n\n## 6. Test Data Setup\nTo verify the \"disconnection,\" we must first ensure there is something to disconnect.\n1.  **Install Plugin:** `wp plugin install wpoauth --version=1.0.7 --activate`\n2.  **Set Mock Configuration:** Manually populate the options that the plugin uses to store its OAuth state. (Search the plugin for `update_option` to find exact keys).\n    *   `wp option update secuforoauth_token \"mock_token_12345\"` (inferred)\n    *   `wp option update secuforoauth_settings '{\"client_id\":\"test\",\"linked\":true}'` (inferred)\n3.  **Confirm Setup:** `wp option get secuforoauth_token` should return the mock value.\n\n## 7. Expected Results\n*   **HTTP Response:** `200 OK` with body containing `{\"success\":true}` or similar confirmation.\n*   **Database State:** The options identifying the link (e.g., `secuforoauth_token`) should be deleted or set to empty\u002Fnull.\n\n## 8. Verification Steps\nAfter the `http_request` is sent, use WP-CLI to check if the settings were cleared:\n1.  Check for the token: `wp option get secuforoauth_token`\n    *   *Expected Result:* `Error: Could not get 'secuforoauth_token' option.` or an empty string.\n2.  Check for the settings configuration: `wp option get secuforoauth_settings`\n    *   *Expected Result:* Should be modified or deleted.\n\n## 9. Alternative Approaches\n*   **Targeting `admin_init`:** If the AJAX action is not the primary sink, check for hooks into `admin_init` that process `$_GET['secufor_unregister']` without capability checks.\n*   **Referer Bypass:** If `check_admin_referer` is used (which checks nonces AND referers), ensure the `Referer` header is set to the WordPress admin URL in the `http_request`.\n*   **Parameter Bruteforce:** If the unregister action requires an ID (e.g., `&connection_id=1`), iterate through common values, although \"unregistering the site\" usually implies a global action.","The Secufor_OAuth plugin (\u003C= 1.0.7) for WordPress fails to implement authorization checks or nonce validation on its AJAX unregistration handler. This allows unauthenticated attackers to remotely disconnect the WordPress site from its Secufor OAuth account, clearing essential configuration settings and tokens.","\u002F* Inferred from vulnerability description and research plan *\u002F\n\u002F* File: plugins\u002Fwpoauth\u002Fsecufor-oauth.php (example path) *\u002F\n\nadd_action('wp_ajax_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');\nadd_action('wp_ajax_nopriv_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');\n\nfunction secuforoauth_unregister_callback() {\n    delete_option('secufor_oauth_token');\n    delete_option('secufor_oauth_config');\n    wp_send_json_success();\n}","--- a\u002Fplugins\u002Fwpoauth\u002Fsecufor-oauth.php\n+++ b\u002Fplugins\u002Fwpoauth\u002Fsecufor-oauth.php\n@@ -1,8 +1,11 @@\n add_action('wp_ajax_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');\n-add_action('wp_ajax_nopriv_secuforoauth_unregister_action', 'secuforoauth_unregister_callback');\n \n function secuforoauth_unregister_callback() {\n+    check_ajax_referer('secufor_oauth_nonce', 'security');\n+\n+    if (!current_user_can('manage_options')) {\n+        wp_send_json_error('Unauthorized');\n+    }\n+\n     delete_option('secufor_oauth_token');\n     delete_option('secufor_oauth_config');\n     wp_send_json_success();","To exploit this vulnerability, an attacker sends an unauthenticated HTTP POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to 'secuforoauth_unregister_action'. Because the plugin registers this action via the 'wp_ajax_nopriv_' hook and the handler lacks both a capability check (e.g., current_user_can) and a nonce verification (e.g., check_ajax_referer), the server executes the unregistration logic. This results in the deletion of the site's Secufor OAuth tokens and configuration options from the database, effectively severing the connection between the site and the OAuth provider.","gemini-3-flash-preview","2026-06-25 19:37:32","2026-06-25 19:38:10",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpoauth\u002Ftags"]