CVE-2026-42648

Spectra <= 2.19.22 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.19.23
Patched in
42d
Time to patch

Description

The Spectra plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.19.22. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.19.22
PublishedMarch 27, 2026
Last updatedMay 7, 2026

What Changed in the Fix

Changes introduced in v2.19.23

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-42648 (Spectra Missing Authorization) ## 1. Vulnerability Summary The Spectra (Ultimate Addons for Gutenberg) plugin versions up to 2.19.22 contain a Missing Authorization vulnerability in its REST API implementation. Specifically, the `UagAdmin\Api\Common_Set…

Show full research plan

Exploitation Research Plan: CVE-2026-42648 (Spectra Missing Authorization)

1. Vulnerability Summary

The Spectra (Ultimate Addons for Gutenberg) plugin versions up to 2.19.22 contain a Missing Authorization vulnerability in its REST API implementation. Specifically, the UagAdmin\Api\Common_Settings class (defined in admin-core/api/common-settings.php) registers routes under the /admin/commonsettings/ base. While the provided source code shows a manage_options check for the READABLE (GET) method, the vulnerability arises because a corresponding EDITABLE (POST) method—used to update global plugin settings—is either missing a permission_callback or utilizes an insufficiently restrictive check (e.g., allowing Contributor-level access). This allows low-privileged users to modify site-wide Spectra settings.

2. Attack Vector Analysis

  • Endpoint: /wp-json/uag/v1/admin/commonsettings/
  • Namespace: uag/v1 (inferred from Spectra's standard API namespace)
  • Base: /admin/commonsettings/
  • Method: POST (or PUT)
  • Authentication: Required (Contributor level or above)
  • Parameter: A JSON object containing Spectra configuration options (e.g., allow_file_generation, font_awesome_5_support, uag_typekit_id).
  • Preconditions: The attacker must be logged in as a Contributor.

3. Code Flow

  1. Registration: The Common_Settings::register_routes() function is called during rest_api_init. It registers the /uag/v1/admin/commonsettings/ endpoint.
  2. Request Arrival: An authenticated Contributor sends a POST request to this endpoint.
  3. Missing Check: In versions <= 2.19.22, the EDITABLE configuration for this route lacks a permission_callback that enforces manage_options. Instead, it either defaults to a lower check (like edit_posts) or uses the class-wide base which may not be correctly applied to write operations.
  4. Update Logic: The request is passed to a callback (likely update_common_settings or similar, inferred as the counterpart to get_common_settings).
  5. Sink: The callback uses Admin_Helper::update_options() or update_option('uag_admin_settings', ...) to persist the new configuration to the database.

4. Nonce Acquisition Strategy

REST API requests in WordPress require a _wpnonce in the X-WP-Nonce header for authenticated sessions.

  1. Tool: browser_navigate and browser_eval.
  2. Steps:
    • Log in as a Contributor user.
    • Navigate to the WordPress Dashboard (/wp-admin/index.php).
    • Use browser_eval to extract the REST nonce from the global wpApiSettings object.
    • JS Command: browser_eval("window.wpApiSettings?.nonce")
  3. Alternative: The nonce can also be found in the HTML source code within the wp-api-fetch or wp-api script localization blocks: var wpApiSettings = {"root":..., "nonce": "XYZ"}.

5. Exploitation Strategy

  1. Identification: Confirm the site is running a vulnerable version of Spectra.
  2. Login: Authenticate as a Contributor.
  3. Nonce Capture: Extract the REST nonce via the browser as described above.
  4. Payload Crafting: Prepare a JSON payload to modify a sensitive global setting. For example, disabling CSS file generation or changing the Typekit ID.
    • Setting to target: allow_file_generation
  5. Execution: Use http_request to send the POST request.
    • URL: http://localhost:8080/wp-json/uag/v1/admin/commonsettings/
    • Headers:
      • Content-Type: application/json
      • X-WP-Nonce: [CAPTURED_NONCE]
    • Body: {"allow_file_generation": "disabled"} (or whatever format the Admin_Helper::get_options() structure expects).
  6. Expected Response: 200 OK with the updated settings object.

6. Test Data Setup

  1. Users:
    • Create an Admin user (to check initial state and verify final state).
    • Create a Contributor user (attacker).
  2. Plugin State:
    • Ensure Spectra is active.
    • Ensure allow_file_generation is currently set to enabled (default).
  3. WP-CLI Setup:
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password
    • wp option get uag_admin_settings (to verify existing structure).

7. Expected Results

  • The REST API should return a success status code (200 OK) and a JSON response containing the modified settings.
  • A Contributor-level user should successfully change a setting that should require manage_options.

8. Verification Steps

  1. Check via CLI:
    • wp option get uag_admin_settings
  2. Behavioral Check:
    • Verify that the setting in the Spectra Dashboard (/wp-admin/admin.php?page=spectra) reflects the change when viewed by an Admin.
    • If allow_file_generation was changed, verify that CSS is no longer being served from the uploads/uag-plugin/ directory but is instead inlined in the <head>.

9. Alternative Approaches

  • Inferred Callback: If the POST route is not at /admin/commonsettings/, look for /admin/settings/ or check the register_routes logic in admin-core/api/Api_Base.php if available.
  • Different Parameters: Try nesting the settings within a settings key in the JSON body: {"settings": {"allow_file_generation": "disabled"}}.
  • Method Spoofing: If POST is blocked, try using X-HTTP-Method-Override: POST with a GET request, or try PUT.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.