[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fh7rXW367Qplzk8PGh_9PZ_hfpYO_sD7VuqUnb7Q2Dcc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-39605","super-custom-login-missing-authorization","Super Custom Login \u003C= 1.1 - Missing Authorization","The Super Custom Login plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","super-custom-login",null,"\u003C=1.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-03 00:00:00","2026-04-15 21:16:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9db178cb-dd83-4bec-9bc0-0e5c4430ba34?source=api-prod",[],"researched",false,3,"This research plan targets CVE-2026-39605, a Missing Authorization vulnerability in the **Super Custom Login** plugin (\u003C= 1.1). The vulnerability allows unauthenticated attackers to perform unauthorized actions, typically modifying plugin settings due to the lack of capability checks in administrative hooks.\n\n---\n\n### 1. Vulnerability Summary\nThe **Super Custom Login** plugin fails to implement proper authorization checks (e.g., `current_user_can()`) on a function responsible for saving plugin configurations. This function is likely hooked to `admin_init` or registered as an AJAX action via `wp_ajax_nopriv_*`. Because `admin_init` is triggered even when accessing `admin-ajax.php` or `admin-post.php` (even by unauthenticated users), any logic inside an `admin_init` hook that lacks a capability check is accessible to any visitor.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php` or `\u002Fwp-admin\u002Fadmin-post.php` (alternatively, any admin-context URL if the hook is `admin_init`).\n*   **Action**: `scl_save_settings` or `super_custom_login_save` (inferred - needs verification in source).\n*   **Payload Parameter**: Likely a POST request containing settings such as `scl_logo_url`, `scl_login_bg_color`, or `scl_custom_css`.\n*   **Authentication**: None (Unauthenticated).\n*   **Preconditions**: The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point**: An unauthenticated user sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2.  **Hook Execution**: WordPress initializes the admin environment, firing the `admin_init` hook.\n3.  **Vulnerable Function**: The plugin has registered a function (e.g., `scl_save_options_callback`) to the `admin_init` hook.\n4.  **Authorization Failure**: The function checks if specific POST parameters are set (e.g., `if ( isset( $_POST['scl_submit'] ) )`) but fails to verify `current_user_can( 'manage_options' )`.\n5.  **Sink**: The function calls `update_option( 'scl_settings', ... )` with user-supplied data from `$_POST`.\n\n### 4. Nonce Acquisition Strategy\nIf the plugin uses `check_admin_referer()` or `wp_verify_nonce()`, we must find where the nonce is leaked.\n\n1.  **Identify Shortcodes**: Search for `add_shortcode` in the plugin files to see if any frontend elements exist.\n2.  **Search for Localized Scripts**: Look for `wp_localize_script` in the codebase.\n    *   *Search command*: `grep -r \"wp_localize_script\" .`\n3.  **Execution**:\n    *   If a nonce is leaked in a JS variable (e.g., `scl_vars.nonce`):\n        1. Navigate to the site homepage or login page using `browser_navigate`.\n        2. Execute `browser_eval(\"window.scl_vars?.nonce\")` to retrieve it.\n4.  **Bypass Check**: Check if the code uses `check_admin_referer( '...', '...', false )`. If the third parameter is `false` and the return value isn't checked, the nonce is bypassed.\n\n### 5. Exploitation Strategy\nWe will attempt to modify the plugin's settings to change the login page's appearance or inject custom CSS, confirming unauthorized write access.\n\n*   **Step 1: Identify the Action and Parameters**\n    *   Search the plugin for `update_option`.\n    *   *Search command*: `grep -r \"update_option\" .`\n    *   Identify the POST key that triggers the update (e.g., `scl_update` or `submit`).\n\n*   **Step 2: Construct the Payload**\n    *   **Method**: POST\n    *   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php` (or `admin-post.php`)\n    *   **Body (URL-encoded)**:\n        ```text\n        action=[INFERRED_ACTION]&scl_logo_url=http:\u002F\u002Fattacker.com\u002Fmalicious.png&scl_custom_css=body{display:none !important;}&[TRIGGER_PARAM]=1\n        ```\n    *   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n\n*   **Step 3: Execute Request**\n    *   Use the `http_request` tool to send the payload.\n\n### 6. Test Data Setup\n1.  Install and activate the `super-custom-login` plugin.\n2.  (Optional) If the plugin requires a specific page to be visited for nonce leakage, create it:\n    *   `wp post create --post_type=page --post_status=publish --post_content='[super_custom_login_placeholder]'`\n\n### 7. Expected Results\n*   The HTTP response should ideally be a `302 redirect` or a `200 OK` (if AJAX).\n*   The option in the WordPress database associated with the plugin settings will be updated with the attacker's values.\n\n### 8. Verification Steps\nAfter the exploit, verify the changes using WP-CLI:\n1.  **Check Option Value**:\n    *   `wp option get scl_settings` (Verify `scl_logo_url` or `scl_custom_css` matches the payload).\n2.  **Visual Confirmation**:\n    *   Navigate to the WordPress login page (`\u002Fwp-login.php`) and check if the custom CSS or logo has been applied.\n\n### 9. Alternative Approaches\n*   **If `admin_init` is not the hook**: Check for `wp_ajax_nopriv_` handlers. If the plugin uses an AJAX handler for settings but registered it with `nopriv`, any user can call it.\n*   **XSS Injection**: If the plugin allows saving \"Custom JavaScript\" or \"Footer Text\" without sanitization\u002Fauthorization, escalate the \"Missing Authorization\" to Stored XSS by injecting `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   **Settings Reset**: Check if there is a \"Reset Settings\" action that also lacks authorization, which could be used for an Unauthorized Deletion\u002FDenial of Service attack on the plugin's configuration.","gemini-3-flash-preview","2026-04-27 16:43:04","2026-04-27 16:43:25",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsuper-custom-login\u002Ftags"]