[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLUdjnopLZTjQmXVEhiCa2KW9tqdItoDRNqK_JwKOxbY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4133","textp2p-texting-widget-cross-site-request-forgery-to-settings-update","TextP2P Texting Widget \u003C= 1.7 - Cross-Site Request Forgery to Settings Update","The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage() function which processes settings updates. The form at line 314 does not include a wp_nonce_field(), and the POST handler at line 7 does not call check_admin_referer() or wp_verify_nonce() before processing settings changes. This makes it possible for unauthenticated attackers to update all plugin settings including chat widget titles, messages, API credentials, colors, and reCAPTCHA configuration via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","textp2p-texting-widget",null,"\u003C=1.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-21 19:07:48","2026-04-22 07:45:33",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2d36fa25-108b-462b-b84e-2e77943b1871?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to exploit the Cross-Site Request Forgery (CSRF) vulnerability in the **TextP2P Texting Widget** plugin (CVE-2026-4133).\n\n### 1. Vulnerability Summary\nThe **TextP2P Texting Widget** plugin for WordPress is vulnerable to CSRF in versions up to and including 1.7. The vulnerability exists in the `imTextP2POptionPage()` function, which serves both as the display for the settings page and the handler for saving those settings. \n\nThe plugin fails to implement any nonce verification. Specifically:\n- The HTML form (around line 314) does not include `wp_nonce_field()`.\n- The processing logic at the start of the function (around line 7) does not call `check_admin_referer()` or `wp_verify_nonce()` before updating plugin options based on `$_POST` data.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Foptions-general.php?page=textp2p-texting-widget` (inferred slug based on plugin name).\n*   **Vulnerable Action:** POST request to the settings page.\n*   **Vulnerable Parameters:** Plugin settings such as `textp2p_api_key`, `textp2p_widget_title`, `textp2p_widget_message`, `textp2p_widget_color`, and `textp2p_recaptcha_key` (inferred).\n*   **Authentication Level:** Unauthenticated (Attacker) triggers the request through an Authenticated Administrator (Victim).\n*   **Preconditions:** An administrator must be logged into the WordPress dashboard and be tricked into visiting a malicious page or clicking a link that submits a POST request to the target site.\n\n### 3. Code Flow\n1.  **Registration:** The plugin registers an options page via `add_options_page()` or `add_menu_page()` in the admin menu, using `imTextP2POptionPage` as the callback function.\n2.  **Execution:** When a POST request is sent to the options page, WordPress executes `imTextP2POptionPage()`.\n3.  **Vulnerable Logic (Line 7+):**\n    ```php\n    function imTextP2POptionPage() {\n        if (isset($_POST['submit'])) { \u002F\u002F Inferred trigger\n            \u002F\u002F MISSING: check_admin_referer('action_name');\n            update_option('textp2p_api_key', $_POST['textp2p_api_key']); \u002F\u002F Inferred\n            \u002F\u002F ... updates other settings ...\n        }\n        \u002F\u002F ... displays form at Line 314 ...\n        \u002F\u002F MISSING: wp_nonce_field('action_name');\n    }\n    ```\n4.  **Sink:** The user-controlled `$_POST` data is passed directly into `update_option()`.\n\n### 4. Nonce Acquisition Strategy\n**No nonce is required.** The vulnerability is defined by the absolute absence of nonce validation. The attack can be performed as long as the victim administrator has an active session cookie.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that an administrator's settings can be changed without their consent. We will simulate the CSRF by making an authenticated POST request as an admin using the `http_request` tool, omitting any nonce.\n\n**Step-by-Step Plan:**\n1.  **Identify Settings Page:** Confirm the settings page URL (usually `wp-admin\u002Foptions-general.php?page=textp2p-texting-widget`).\n2.  **Capture Option Names:** Use `wp option list` to find options related to \"textp2p\" to confirm exact parameter names.\n3.  **Perform CSRF:** Submit a POST request to the settings page with malicious values.\n4.  **Verification:** Use WP-CLI to confirm the database was updated.\n\n**HTTP Request Details:**\n*   **Tool:** `http_request`\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Foptions-general.php?page=textp2p-texting-widget`\n*   **Headers:**\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body (URL Encoded):**\n    ```\n    textp2p_api_key=EXPLOITED_API_KEY&textp2p_widget_title=Hacked+by+CSRF&submit=Save+Changes\n    ```\n    *(Note: Parameter names like `textp2p_api_key` are inferred and should be verified via `wp option list` or by inspecting the HTML source of the settings page first.)*\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `textp2p-texting-widget` version \u003C= 1.7 is installed and active.\n2.  **Create Admin:** A standard administrator user must exist (usually created by default in the test environment).\n3.  **Initial State:** Set a legitimate-looking API key using WP-CLI:\n    `wp option update textp2p_api_key \"LEGIT_API_KEY_12345\"`\n\n### 7. Expected Results\n*   The `http_request` should return a `302 Redirect` or a `200 OK` (depending on how the plugin redirects after saving).\n*   The response should NOT contain any error related to \"invalid nonce\" or \"link has expired.\"\n*   The plugin options in the database should be updated to the attacker-supplied values.\n\n### 8. Verification Steps\nAfter the `http_request`, run the following WP-CLI commands:\n1.  Check the API Key:\n    `wp option get textp2p_api_key`\n    *Expected output: `EXPLOITED_API_KEY`*\n2.  Check the Widget Title:\n    `wp option get textp2p_widget_title`\n    *Expected output: `Hacked by CSRF`*\n\n### 9. Alternative Approaches\nIf the plugin uses a different slug or a dedicated AJAX handler:\n1.  **Inspect HTML:** Use `browser_navigate` to the settings page and use `browser_eval(\"document.querySelector('form').action\")` to find the exact target URL.\n2.  **Verify Parameters:** Use `browser_eval` to extract all `input` names from the form:\n    `browser_eval(\"Array.from(document.querySelectorAll('input[name]')).map(i => i.name)\")`\n3.  **AJAX Check:** If the form saves via AJAX, look for `wp_ajax_` hooks in the code and target `admin-ajax.php` instead of the settings page URL. The CVSS description explicitly points to the settings page function (`imTextP2POptionPage`), making the form POST the most likely vector.","The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.7. This occurs because the plugin's settings page handler, imTextP2POptionPage(), lacks nonce validation, allowing attackers to modify critical settings like API keys and widget configurations by tricking an administrator into making a forged request.","\u002F\u002F File: textp2p-texting-widget.php (approximate)\n\u002F\u002F Line 7: Settings update logic starts without security checks\nfunction imTextP2POptionPage() {\n    if (isset($_POST['submit'])) {\n        update_option('textp2p_api_key', $_POST['textp2p_api_key']);\n        update_option('textp2p_widget_title', $_POST['textp2p_widget_title']);\n        \u002F\u002F ... other options updated without nonce verification ...\n    }\n\n---\n\n\u002F\u002F Line 314: Form display logic lacks wp_nonce_field()\n    ?>\n    \u003Cform method=\"post\" action=\"\">\n        \u003Cinput type=\"text\" name=\"textp2p_api_key\" value=\"\u003C?php echo get_option('textp2p_api_key'); ?>\">\n        \u003Cinput type=\"submit\" name=\"submit\" value=\"Save Changes\">\n    \u003C\u002Fform>\n    \u003C?php\n}","--- textp2p-texting-widget.php\n+++ textp2p-texting-widget.php\n@@ -5,6 +5,9 @@\n function imTextP2POptionPage() {\n-    if (isset($_POST['submit'])) {\n+    if (isset($_POST['submit'])) {\n+        if (!isset($_POST['textp2p_nonce']) || !wp_verify_nonce($_POST['textp2p_nonce'], 'textp2p_save_settings')) {\n+            wp_die('Security check failed');\n+        }\n         update_option('textp2p_api_key', $_POST['textp2p_api_key']);\n@@ -314,6 +317,7 @@\n     \u003Cform method=\"post\" action=\"\">\n+        \u003C?php wp_nonce_field('textp2p_save_settings', 'textp2p_nonce'); ?>\n         \u003Cinput type=\"text\" name=\"textp2p_api_key\" value=\"\u003C?php echo get_option('textp2p_api_key'); ?>\">","The exploit targets the plugin's settings administration page. An attacker identifies the settings page at \u002Fwp-admin\u002Foptions-general.php?page=textp2p-texting-widget. Since the imTextP2POptionPage function does not perform any nonce validation (no check_admin_referer or wp_verify_nonce calls) and the form does not include a hidden nonce field, the attacker can construct a malicious HTML page. This page contains a self-submitting POST form targeting the plugin's settings page with parameters such as 'textp2p_api_key' and 'textp2p_widget_title' set to attacker-controlled values. When an authenticated site administrator visits the attacker's page, the browser automatically sends the POST request with the administrator's active session cookies, resulting in the plugin updating its configuration with the attacker's data.","gemini-3-flash-preview","2026-04-27 13:56:49","2026-04-27 13:57:05",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftextp2p-texting-widget\u002Ftags"]