[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcdQqeWLHLvDV4aRgjAmu82PIgcJE2BLg67bxE4m40gs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-45442","the-ultimate-video-player-for-wordpress-by-presto-player-missing-authorization","The Ultimate Video Player For WordPress – by Presto Player \u003C= 4.1.3 - Missing Authorization","The Ultimate Video Player For WordPress – by Presto Player plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.3. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","presto-player",null,"\u003C=4.1.3","4.1.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-19 00:00:00","2026-05-19 13:30:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbb51676b-4b5b-4cac-934b-b8b12af9dc81?source=api-prod",1,[22,23,24,25,26,27,28,29],"dist\u002Fblocks.asset.php","dist\u002Fblocks.js","dist\u002Fcomponents\u002Fstats.json","inc\u002FModels\u002FReusableVideo.php","inc\u002FServices\u002FAdminNotices.php","inc\u002FServices\u002FShortcodes.php","inc\u002Flib\u002Fbsf-analytics\u002Fchangelog.txt","inc\u002Flib\u002Fbsf-analytics\u002Fclass-bsf-analytics-events.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-45442\n\n## 1. Vulnerability Summary\n**The Ultimate Video Player For WordPress – by Presto Player** plugin (versions \u003C= 4.1.3) is vulnerable to **Missing Authorization**. The vulnerability exists because the plugin registers an action on the `admin_init` hook that performs a state-changing operation (updating a WordPress option) without sufficient capability checks or nonce verification. This allows unauthenticated attackers to modify site options prefixed with `presto_player_dismissed_notice_`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php`\n- **Hook:** `admin_init`\n- **Action:** `presto_action=dismiss_notices`\n- **Vulnerable Function:** `PrestoPlayer\\Services\\AdminNotices::dismiss()`\n- **Parameter:** `presto_notice` (Used to determine the option key)\n- **Authentication:** None required (Unauthenticated).\n- **Preconditions:** None. `admin-post.php` triggers the `admin_init` hook even for unauthenticated users.\n\n## 3. Code Flow\n1. 
The plugin's `AdminNotices::register()` function (in `inc\u002FServices\u002FAdminNotices.php`) hooks the `dismiss()` method to `admin_init`.\n2. When a request is made to `\u002Fwp-admin\u002Fadmin-post.php`, WordPress initializes the admin environment and fires the","gemini-3-flash-preview","2026-05-20 17:15:36","2026-05-20 17:16:33",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpresto-player\u002Ftags\u002F4.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpresto-player.4.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpresto-player\u002Ftags\u002F4.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpresto-player.4.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpresto-player\u002Ftags"]