[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsFcvFV7Lu5mbawsGM7nknoMgjfQxD5MoCuZv01dFsps":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2022","smart-forms-missing-authorization-to-authenticated-subscriber-campaign-data-exposure","Smart Forms \u003C= 2.6.100 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure","The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.100. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.","smart-forms",null,"\u003C=2.6.100","2.6.101","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-02-13 18:31:39","2026-05-04 19:24:18",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F381ec109-ca51-4011-b7e0-aec636540d59?source=api-prod",80,[],"researched",false,3,"# Research Plan: CVE-2026-2022 Smart Forms Campaign Data Exposure\n\n## 1. Vulnerability Summary\nThe **Smart Forms** plugin for WordPress (up to version 2.6.99) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the action `rednao_smart_forms_get_campaigns` fails to verify the capabilities of the requesting user. While the action is registered via `wp_ajax_`, which requires an authenticated session, it does not restrict access to administrative users. Consequently, any authenticated user, including those with the **Subscriber** role, can trigger this action to retrieve a list of donation campaigns, exposing internal campaign IDs and names.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `rednao_smart_forms_get_campaigns`\n- **HTTP Method:** `POST`\n- **Authentication:** Required (Subscriber or higher)\n- **Parameters:**\n  - `action`: `rednao_smart_forms_get_campaigns`\n  - `security` or `nonce` (inferred): Potential nonce check (see Section 4).\n- **Preconditions:** At least one campaign must exist in the system for data to be returned.\n\n## 3. Code Flow\n1. **Registration:** The plugin registers the AJAX handler (likely in an initialization class or a dedicated AJAX controller).\n   - `add_action( 'wp_ajax_rednao_smart_forms_get_campaigns', [ $instance, 'rednao_smart_forms_get_campaigns' ] );`\n2. 
**Entry Point:** A `POST` request is sent to `admin-ajax.php` with `action=rednao_smart_forms_get_campaigns`.\n3. **Missing Check:** The handler function (e.g., `rednao_smart_forms_get_campaigns()`) is executed. It typically performs a database query (likely against a custom table like `wp_rednao_smart_forms_campaigns` or via a specific class method).\n4. **Vulnerability:** The function lacks a call to `current_user_can( 'manage_options' )` or a similar capability check before fetching and echoing the campaign data.\n5. **Data Sink:** The function returns a JSON array of objects containing campaign details to the requester.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely uses a nonce to protect its AJAX actions. Based on standard RedNao plugin patterns:\n1. **Identify Script Localization:** Search for `wp_localize_script` in the plugin source to find the object name. It is likely named something like `rn_smart_forms_data` or `rednao_smart_forms_vars`.\n2. **Shortcode Method:** If the nonce is only loaded on specific pages, find a shortcode (e.g., `[smart-form]`) and create a page with it.\n3. **Admin Dashboard Method:** Since this is a Subscriber+ vulnerability, the nonce may be available in the standard WordPress admin dashboard for all logged-in users if the plugin enqueues its scripts for all authenticated users.\n\n**Execution Steps for Agent:**\n- Navigate to the WordPress dashboard as a Subscriber.\n- Run the following in `browser_eval`:\n  ```javascript\n  \u002F\u002F Look for common RedNao nonce locations\n  window.rn_smart_forms_data?.nonce || \n  window.rednao_smart_forms_vars?.nonce || \n  document.querySelector('input[name=\"security\"]')?.value\n  ```\n- If not found, search the plugin source for `wp_create_nonce('rednao_smart_forms_get_campaigns')` or similar strings to identify the exact nonce action name.\n\n## 5. Exploitation Strategy\n1. **Login:** Authenticate as a Subscriber-level user.\n2. 
**Extract Nonce:** Use the `browser_eval` tool to extract the required nonce from the admin dashboard or a page where the plugin is active.\n3. **Perform Request:** Use `http_request` to call the vulnerable AJAX action.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `action=rednao_smart_forms_get_campaigns&security=\u003CNONCE_VALUE>`\n  *(Note: The parameter name for the nonce might be `security`, `nonce`, or `_wpnonce`. Verify this in the source code.)*\n\n## 6. Test Data Setup\nTo ensure a successful proof of concept, campaign data must exist:\n1. **Create Campaign:** Use WP-CLI or the plugin UI (as Admin) to create at least two donation campaigns.\n   - Example (Inferred SQL if UI is complex):\n     `wp db query \"INSERT INTO wp_rednao_smart_forms_campaigns (name, description) VALUES ('Spring Fundraiser 2024', 'Annual spring drive'), ('Emergency Relief', 'Disaster support');\"`\n2. **Create Subscriber:**\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n\n## 7. Expected Results\n- **Success:** The server responds with `HTTP 200 OK` and a JSON body containing an array of campaign objects.\n  - *Example Response:* `[{\"id\":\"1\",\"name\":\"Spring Fundraiser 2024\"},{\"id\":\"2\",\"name\":\"Emergency Relief\"}]`\n- **Failure:** The server responds with `HTTP 403 Forbidden` or a `-1` \u002F `0` (standard WordPress AJAX error) if the nonce is wrong or if a capability check is actually present.\n\n## 8. Verification Steps\n1. **Manual Check:** Compare the JSON output from the exploit against the list of campaigns visible in the Admin UI.\n2. **Database Check:** Verify the IDs and names match the database:\n   - `wp db query \"SELECT id, name FROM wp_rednao_smart_forms_campaigns;\"`\n\n## 9. 
Alternative Approaches\n- **Missing Nonce Check:** If `wp_verify_nonce` is also missing or uses the default action `-1`, the exploit may work without a valid specific nonce or even with an invalid one.\n- **REST API:** Check if the plugin registers a similar endpoint under `wp-json\u002F`. Vulnerabilities in RedNao plugins often span across both AJAX and REST interfaces. Search for `register_rest_route`.","The Smart Forms plugin for WordPress is vulnerable to unauthorized data disclosure due to a missing authorization check in its AJAX handler for donation campaigns. This allows authenticated users with Subscriber-level permissions or higher to retrieve sensitive campaign metadata, including internal IDs and names, which should be restricted to administrators.","\u002F\u002F File: smart-forms\u002Fincludes\u002Fajax-logic.php (approximate)\n\nadd_action( 'wp_ajax_rednao_smart_forms_get_campaigns', [ $this, 'rednao_smart_forms_get_campaigns' ] );\n\npublic function rednao_smart_forms_get_campaigns() {\n    \u002F\u002F Potential nonce check might exist here, but capability check is missing\n    \u002F\u002F check_ajax_referer('rednao_smart_forms_nonce', 'security');\n\n    global $wpdb;\n    $table_name = $wpdb->prefix . 'rednao_smart_forms_campaigns';\n    $results = $wpdb->get_results(\"SELECT id, name FROM $table_name\");\n\n    echo json_encode($results);\n    wp_die();\n}","--- a\u002Fsmart-forms\u002Fincludes\u002Fajax-logic.php\n+++ b\u002Fsmart-forms\u002Fincludes\u002Fajax-logic.php\n@@ -1,4 +1,8 @@\n public function rednao_smart_forms_get_campaigns() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( -1 );\n+    }\n+\n     check_ajax_referer( 'rednao_smart_forms_nonce', 'security' );\n \n     global $wpdb;","The exploit targets the WordPress AJAX endpoint to leak campaign information. An attacker follows these steps: \n1. Authenticate as a Subscriber-level user.\n2. 
Access the WordPress dashboard or a page with a Smart Form to extract a valid nonce (likely associated with the 'security' or 'nonce' parameter) found in global JavaScript variables like 'rn_smart_forms_data'.\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'rednao_smart_forms_get_campaigns' and the extracted 'security' nonce.\n4. The server responds with a JSON array containing the names and IDs of all donation campaigns stored in the plugin's database tables.","gemini-3-flash-preview","2026-04-20 23:10:35","2026-04-20 23:10:53",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmart-forms\u002Ftags"]
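Review bot: in the `rednao_smart_forms_get_campaigns()` hunk of `smart-forms/includes/ajax-logic.php`, the unchanged context line `check_ajax_referer( 'rednao_smart_forms_nonce', 'security' );` does not match the vulnerable snippet in this record, where that call appears only inside a comment as a possible check. As written, the hunk would not apply to that code, and it leaves open whether the fixed handler verifies a nonce at all. The record lists no patch diff files, marks the path as approximate and the research as unverified, so the context lines should be confirmed against the 2.6.101 source before this is treated as the actual fix. Two smaller points on the added guard: `wp_die( -1 );` sets no explicit HTTP status, so returning a 403 (for example via `wp_send_json_error( null, 403 );`) would make denied requests easier to tell apart in logs and client code; and `manage_options` is hard-coded, so it is worth checking that this is the capability the plugin's campaign screens actually require.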