[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faLQnzxh65iGXq7eVfBFk3wk5nhe82Qm5dktWGfRbw54":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-48973","svg-support-missing-authorization","SVG Support \u003C= 2.5.14 - Missing Authorization","The SVG Support plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.5.14. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","svg-support",null,"\u003C=2.5.14","2.5.15","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 00:00:00","2026-06-01 16:10:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F07b7c6ed-c3dc-4daa-8921-eeb856e45386?source=api-prod",6,[22,23,24,25,26,27,28,29],"composer.json","functions\u002Fattachment.php","functions\u002Fenqueue.php","functions\u002Ffeatured-image.php","functions\u002Fmime-types.php","readme.txt","svg-support.php","vendor\u002FDOMPurify\u002FDOMPurify.min.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-48973\n\n## 1. Vulnerability Summary\nThe **SVG Support** plugin (\u003C= 2.5.14) contains a **Missing Authorization** vulnerability in its AJAX handler for toggling the \"inline\" status of featured images. The function `bodhi_svgs_featured_image_inline_toggle` performs a generic capability check (`edit_posts`) rather than a specific check against the targeted Post ID (`edit_post`, `$post_id`). \n\nThis allows any authenticated user with the `edit_posts` capability (Contributors and above) to modify the `inline_featured_image` metadata for any post on the site, regardless of ownership.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `bodhi_svgs_featured_image_inline_toggle`\n- **Method**: `POST`\n- **Required Capability**: `edit_posts` (Contributor role or higher)\n- **Parameters**:\n    - `action`: `bodhi_svgs_featured_image_inline_toggle`\n    - `nonce`: A valid WordPress nonce for the action `svg-support-featured`\n    - `post_id`: The ID of the target post (e.g., an Administrator's post)\n    - `checked`: The string `'true'` or `'false'` to set the meta value\n\n## 3. Code Flow\nThe vulnerability is located in `functions\u002Ffeatured-image.php`.\n\n1.  **Registration**: The AJAX actions are registered for both logged-in and logged-out users (though the handler itself requires login):\n    ```php\n    add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\n    add_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\n    ```\n2.  **The Handler**: `bodhi_svgs_featured_image_inline_toggle()` is called.\n3.  **Nonce Verification**: It checks a nonce against the action `svg-support-featured`.\n4.  **Flawed Authorization**: It checks if the current user can `edit_posts`:\n    ```php\n    if (!current_user_can('edit_posts')) {\n        wp_send_json_error('Insufficient permissions');\n    }\n    ```\n    *Vulnerability*: Since a Contributor possesses the `edit_posts` capability, this check passes even if the `$post_id` belongs to an Administrator.\n5.  **Execution**: The function calls `bodhi_svgs_update_featured_image_meta($post_id, $checked)`, which performs `delete_post_meta` and `add_post_meta` on the target ID without further validation.\n\n## 4. Nonce Acquisition Strategy\nThe nonce for the action `svg-support-featured` is required. Since the specific `wp_localize_script` call is not in the provided snippets (likely in `admin\u002Fadmin-init.php`), we must locate it in the WordPress Admin environment.\n\n1.  **Access Post Edit Screen**: Log in as a Contributor and navigate to the \"New Post\" page (`\u002Fwp-admin\u002Fpost-new.php`).\n2.  **Search for Nonce**: The plugin likely localizes the nonce for its Gutenberg filters or admin scripts. We will use `browser_eval` to search for the nonce in the global `window` object or the page source.\n3.  **Command**: \n    ```javascript\n    \u002F\u002F Potential locations based on plugin naming conventions\n    window.bodhi_svgs_admin_vars?.nonce || \n    window.svg_support_admin?.nonce || \n    document.documentElement.innerHTML.match(\u002F\"nonce\":\"([a-f0-9]{10})\"\u002F)[1]\n    ```\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nDetermine the Post ID of a target post owned by an Administrator (e.g., Post ID `1`).\n\n### Step 2: Session Setup\nAuthenticate as a **Contributor**.\n\n### Step 3: Nonce Harvest\nNavigate to `\u002Fwp-admin\u002Fpost-new.php` and extract the nonce for `svg-support-featured`.\n\n### Step 4: Unauthorized Meta Update\nSend an AJAX request to update the Administrator's post.\n\n**Request Details**:\n- **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=bodhi_svgs_featured_image_inline_toggle&nonce=[EXTRACTED_NONCE]&post_id=1&checked=true\n  ```\n\n## 6. Test Data Setup\n1.  **Plugin Configuration**: \n    - Ensure \"Advanced Mode\" is enabled (via WP-CLI or Settings).\n    - `wp option update bodhi_svgs_settings --format=json '{\"advanced_mode\":\"on\"}'` (Note: internal key name inferred, verify via `wp option get`).\n2.  **Users**:\n    - Administrator: `admin_user`\n    - Contributor: `attacker_user`\n3.  **Content**:\n    - Create a post as Administrator: `wp post create --post_author=1 --post_title=\"Admin Post\" --post_status=publish` (Note the ID, e.g., `123`).\n\n## 7. Expected Results\n- The AJAX request should return a JSON success message: `{\"success\":true}`.\n- The `inline_featured_image` metadata for the target Post ID will be updated.\n\n## 8. Verification Steps\nAfter the attack, use WP-CLI to verify the metadata change for the Administrator's post:\n```bash\nwp post meta get 123 inline_featured_image\n# Expected output: 1\n```\n\n## 9. Alternative Approaches\nIf the AJAX nonce is difficult to find, check the **REST API** vector. The plugin registers meta with `auth_callback => '__return_true'`:\n```php\nregister_meta( 'post', 'inline_featured_image', array(\n    'show_in_rest' => true,\n    'single' => true,\n    'type' => 'boolean',\n    'auth_callback' => '__return_true'\n) );\n```\nWhile WordPress core usually prevents a Contributor from updating an Admin's post via `POST \u002Fwp\u002Fv2\u002Fposts\u002F\u003Cid>`, the `__return_true` callback in `register_meta` might allow modification if the plugin provides a custom REST controller or if other filters are present. However, the AJAX `bodhi_svgs_featured_image_inline_toggle` function is the most direct and confirmed vulnerable path.","The SVG Support plugin for WordPress (\u003C= 2.5.14) is vulnerable to unauthorized metadata modification due to a missing specific capability check in its AJAX handler for toggling the 'inline' status of featured images. Authenticated attackers with contributor-level access or higher can modify the 'inline_featured_image' meta for any post on the site, potentially affecting site layout or behavior for arbitrary content.","\u002F\u002F functions\u002Ffeatured-image.php line 134\nfunction bodhi_svgs_featured_image_inline_toggle() {\n    \u002F\u002F Verify nonce and permissions\n    if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'svg-support-featured')) {\n        wp_send_json_error('Invalid nonce');\n    }\n\n    if (!current_user_can('edit_posts')) {\n        wp_send_json_error('Insufficient permissions');\n    }\n\n    \u002F\u002F Validate and sanitize input\n    if (!isset($_POST['post_id']) || !isset($_POST['checked'])) {\n        wp_send_json_error('Missing parameters');\n    }\n\n    $post_id = intval($_POST['post_id']);\n    $checked = ($_POST['checked'] === 'true');\n\n    \u002F\u002F Update the meta safely\n    bodhi_svgs_update_featured_image_meta($post_id, $checked);\n\n    wp_send_json_success();\n}\n\n\u002F\u002F Hook the AJAX actions for both logged-in and non-logged-in users\nadd_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\nadd_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsvg-support\u002F2.5.14\u002Ffunctions\u002Ffeatured-image.php\t2025-02-25 08:34:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsvg-support\u002F2.5.15\u002Ffunctions\u002Ffeatured-image.php\t2026-05-30 07:48:28.000000000 +0000\n@@ -132,15 +132,11 @@\n  * Handle the AJAX request for updating featured image inline status\n  *\u002F\n function bodhi_svgs_featured_image_inline_toggle() {\n-    \u002F\u002F Verify nonce and permissions\n+    \u002F\u002F Verify nonce\n     if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'svg-support-featured')) {\n         wp_send_json_error('Invalid nonce');\n     }\n \n-    if (!current_user_can('edit_posts')) {\n-        wp_send_json_error('Insufficient permissions');\n-    }\n-\n     \u002F\u002F Validate and sanitize input\n     if (!isset($_POST['post_id']) || !isset($_POST['checked'])) {\n         wp_send_json_error('Missing parameters');\n@@ -149,12 +145,16 @@\n     $post_id = intval($_POST['post_id']);\n     $checked = ($_POST['checked'] === 'true');\n \n+    \u002F\u002F Verify the current user can edit this specific post\n+    if (!current_user_can('edit_post', $post_id)) {\n+        wp_send_json_error('Insufficient permissions');\n+    }\n+\n     \u002F\u002F Update the meta safely\n     bodhi_svgs_update_featured_image_meta($post_id, $checked);\n \n     wp_send_json_success();\n }\n \n-\u002F\u002F Hook the AJAX actions for both logged-in and non-logged-in users\n-add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\n-add_action('wp_ajax_nopriv_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\\\n No newline at end of file\n+\u002F\u002F Hook the AJAX action for logged-in users only\n+add_action('wp_ajax_bodhi_svgs_featured_image_inline_toggle', 'bodhi_svgs_featured_image_inline_toggle');\\\n No newline at end of file","To exploit this vulnerability, an attacker requires a Contributor-level account to pass the initial `edit_posts` capability check. First, the attacker identifies a target Post ID (e.g., an Administrator's post). Next, the attacker harvests a valid AJAX nonce for the 'svg-support-featured' action, which is typically found within the WordPress admin dashboard scripts (like `wp-admin\u002Fpost-new.php`). Finally, the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action set to `bodhi_svgs_featured_image_inline_toggle`, the target `post_id`, the extracted `nonce`, and a `checked` parameter set to 'true' or 'false'. Because the plugin fails to check if the user can edit the specific post ID, the metadata modification is performed on the target post.","gemini-3-flash-preview","2026-06-04 18:10:15","2026-06-04 18:11:48",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.5.14","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsvg-support\u002Ftags\u002F2.5.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsvg-support.2.5.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsvg-support\u002Ftags\u002F2.5.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsvg-support.2.5.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsvg-support\u002Ftags"]