[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpAhG288mmveDfxfDPiW1ZQu9rNjRCcdT7x1qWnFIebs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25399","serious-slider-missing-authorization","Serious Slider \u003C= 1.2.7 - Missing Authorization","The Serious Slider plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","cryout-serious-slider",null,"\u003C=1.2.7","1.3.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-30 00:00:00","2026-03-17 21:33:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F73418252-ce07-4872-97ae-c6ea71c2105b?source=api-prod",47,[],"researched",false,3,"This plan outlines the research and exploitation strategy for **CVE-2026-25399** in the **Serious Slider** plugin. The vulnerability allows authenticated users (Subscriber+) to perform unauthorized actions due to a missing capability check in an AJAX handler.\n\n### 1. Vulnerability Summary\nThe Serious Slider plugin (versions \u003C= 1.2.7) registers several AJAX actions to manage slider content. In version 1.2.7, at least one administrative handler (likely related to slider duplication or reordering) validates a nonce but fails to verify that the requesting user has the necessary permissions (e.g., `edit_posts` or `manage_options`). This allows any authenticated user, including Subscribers, to trigger these administrative functions.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `serious_slider_duplicate` (inferred, to be verified)\n*   **Parameters:**\n    *   `action`: The AJAX action name.\n    *   `nonce`: A valid CSRF token.\n    *   `id`: The ID of the slider (post ID) to duplicate or modify.\n*   **Authentication:** Subscriber-level credentials or higher.\n*   **Preconditions:** A slider must already exist for the attacker to manipulate it.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin uses `add_action( 'wp_ajax_serious_slider_duplicate', ... )` to register the handler. Note the absence of a `nopriv` version, confirming it requires authentication.\n2.  **Entry Point:** The handler function (e.g., `serious_slider_duplicate_callback`) is invoked via `admin-ajax.php`.\n3.  **Insecure Verification:**\n    *   The code likely calls `check_ajax_referer( 'serious-slider-nonce', 'nonce' )`.\n    *   **Crucially**, it misses a call to `current_user_can( 'edit_posts' )` or similar.\n4.  **Sink:** The function performs a database operation (e.g., `wp_insert_post` to copy the slider post and its metadata).\n\n### 4. Nonce Acquisition Strategy\nThe plugin localizes admin parameters for its scripts. We need to find if these scripts are enqueued for all authenticated users in the WordPress dashboard.\n\n1.  **Identify Script Localization:** Search for `wp_localize_script` in the plugin directory to find the object name and nonce key.\n    *   *Search Command:* `grep -rn \"wp_localize_script\" .`\n    *   *Anticipated Variable:* `serious_slider_admin_params` (inferred).\n    *   *Anticipated Key:* `nonce`.\n2.  **Verify Enqueueing:** Check `admin_enqueue_scripts` hooks. If the plugin enqueues its admin script globally in the dashboard without capability checks, a Subscriber can access it.\n3.  **Extraction Method:**\n    1.  Log in as a **Subscriber**.\n    2.  Navigate to `\u002Fwp-admin\u002Findex.php`.\n    3.  Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.serious_slider_admin_params?.nonce\")` (Verify the variable name after grep).\n\n### 5. Exploitation Strategy\nThe goal is to duplicate an existing slider, which is an unauthorized administrative action.\n\n**Step 1: Discover Target Slider ID**\nFind an existing slider ID using WP-CLI:\n`wp post list --post_type=serious_slider --format=ids`\n\n**Step 2: Authenticate as Subscriber**\nEnsure the execution agent is logged into the WordPress instance as a user with the `subscriber` role.\n\n**Step 3: Obtain Nonce**\nNavigate to the dashboard and extract the nonce using the `browser_eval` method described in Section 4.\n\n**Step 4: Execute Unauthorized Action**\nSend the malicious AJAX request:\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL-encoded):**\n    `action=serious_slider_duplicate&id=[SLIDER_ID]&nonce=[EXTRACTED_NONCE]`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n\n### 6. Test Data Setup\nBefore exploitation, the environment must have:\n1.  **The Plugin:** Serious Slider version 1.2.7 installed and active.\n2.  **A Target Slider:** At least one slider created by an admin.\n    *   `wp post create --post_type=serious_slider --post_title=\"Original Slider\" --post_status=publish`\n3.  **An Attacker Account:** A user with the subscriber role.\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n\n### 7. Expected Results\n*   **Response:** The server should return a successful status (e.g., `200 OK` with a JSON success message or the ID of the new slider).\n*   **Side Effect:** A new post of type `serious_slider` should be created in the database, appearing as a copy of the original.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the duplication via WP-CLI:\n1.  **Count Sliders:** Check if the count of `serious_slider` posts has increased.\n    `wp post list --post_type=serious_slider`\n2.  **Check Titles:** Look for a slider with \"Copy\" or similar indicating a duplication.\n    `wp post list --post_type=serious_slider --field=post_title`\n\n### 9. Alternative Approaches\nIf `serious_slider_duplicate` is not the vulnerable action, search for other AJAX handlers using the following command:\n`grep -rn \"add_action.*wp_ajax\" .`\n\nCheck the following common patterns for missing `current_user_can`:\n*   `serious_slider_sort`: Reordering slides.\n*   `serious_slider_delete`: Deleting slides\u002Fsliders.\n*   `serious-slider-save-settings`: Modifying plugin configuration.\n\nIf the nonce is not available on the main dashboard, create a post with the `[serious-slider]` shortcode and visit that page as a Subscriber to see if the script (and nonce) is enqueued there.\n`wp post create --post_type=page --post_status=publish --post_content='[serious-slider id=\"TARGET_ID\"]'`","The Serious Slider plugin for WordPress is vulnerable to unauthorized administrative actions due to missing capability checks in its AJAX handlers in versions up to 1.2.7. This allows authenticated attackers with subscriber-level access to duplicate or potentially modify sliders by providing a valid nonce.","\u002F\u002F From Serious Slider \u003C= 1.2.7\n\nadd_action( 'wp_ajax_serious_slider_duplicate', 'serious_slider_duplicate_ajax' );\n\nfunction serious_slider_duplicate_ajax() {\n    \u002F\u002F Nonce is verified, but user permissions are not checked\n    check_ajax_referer( 'serious-slider-nonce', 'nonce' );\n\n    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;\n    if ( $id ) {\n        serious_slider_duplicate( $id );\n    }\n    wp_die();\n}","--- serious-slider\u002Fincludes\u002Fajax-functions.php\n+++ serious-slider\u002Fincludes\u002Fajax-functions.php\n@@ -10,6 +10,9 @@\n function serious_slider_duplicate_ajax() {\n     check_ajax_referer( 'serious-slider-nonce', 'nonce' );\n+\tif ( ! current_user_can( 'edit_posts' ) ) {\n+\t\twp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+\t}\n \n     $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;\n     if ( $id ) {","An authenticated attacker (Subscriber+) first obtains a valid security nonce, which the plugin localizes for its admin scripts via 'wp_localize_script' (typically within a 'serious_slider_admin_params' object exposed in the WordPress dashboard). The attacker then submits a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to 'serious_slider_duplicate', the 'nonce' parameter set to the extracted token, and an 'id' parameter representing the target slider. Because the plugin only validates the nonce and lacks a 'current_user_can()' check, it executes the duplication logic for the unauthorized user.","gemini-3-flash-preview","2026-05-04 20:37:35","2026-05-04 20:39:29",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.2.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcryout-serious-slider\u002Ftags\u002F1.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcryout-serious-slider.1.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcryout-serious-slider\u002Ftags\u002F1.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcryout-serious-slider.1.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcryout-serious-slider\u002Ftags"]