[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fN_jAVnojpxU881Ns9g8lOBwb9GvB13vylgyvMRl_1nU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-25314","top-table-of-contents-missing-authorization","TOP Table Of Contents \u003C= 1.3.31 - Missing Authorization","The TOP Table Of Contents plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.31. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","top-table-of-contents",null,"\u003C=1.3.31","1.4.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-25 00:00:00","2026-05-04 15:19:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F82002a9d-68a5-43fe-b46d-da4bf35b4e81?source=api-prod",100,[22,23,24,25,26],"README.txt","admin\u002Fclass-boomdevs-toc-admin.php","boomdevs-toc.php","includes\u002Fclass-boomdevs-toc-ajax.php","includes\u002Fclass-boomdevs-toc.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-25314 (TOP Table Of Contents)\n\n## 1. Vulnerability Summary\nThe **TOP Table Of Contents** plugin (versions \u003C= 1.3.31) contains a missing authorization vulnerability in its AJAX implementation. Specifically, the function `Boomdevs_Toc_custom_plugin_install` is registered for both authenticated (`wp_ajax_`) and unauthenticated (`wp_ajax_nopriv_`) users but fails to perform any capability checks (e.g., `current_user_can( 'install_plugins' )`). \n\nWhile the function is hardcoded to install a specific plugin (`ai-image-alt-text-generator-for-wp`), the lack of authorization allows any user (Subscriber and potentially unauthenticated users if they can obtain a nonce) to trigger the installation and activation of a plugin on the site, which is a significant unauthorized action.\n\n## 2. Attack Vector Analysis\n- **AJAX Action:** `Boomdevs_Toc_custom_plugin_install`\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Authentication:** Required (Subscriber-level access is sufficient to obtain the nonce).\n- **Nonce Requirement:** Yes. The function uses `check_ajax_referer('Boomdevs_Toc_custom_plugin_install_nonce', 'security')`.\n- **Vulnerable Sink:** The function calls `$upgrader->install(...)` and `activate_plugin(...)` without checking user permissions.\n\n## 3. Code Flow\n1. **Registration:** In `admin\u002Fclass-boomdevs-toc-admin.php`, the AJAX hooks are registered:\n   ```php\n   add_action('wp_ajax_Boomdevs_Toc_custom_plugin_install', [$this, 'Boomdevs_Toc_custom_plugin_install']);\n   add_action('wp_ajax_nopriv_Boomdevs_Toc_custom_plugin_install', [$this, 'Boomdevs_Toc_custom_plugin_install']);\n   ```\n2. **Nonce Generation:** In the same file, `enqueue_scripts()` localizes the nonce for the admin area:\n   ```php\n   wp_localize_script($this->plugin_name, 'Boomdevs_Toc_custom_plugin_install_obj', array(\n       'ajax_url'  => admin_url('admin-ajax.php'),\n       'security' => wp_create_nonce('Boomdevs_Toc_custom_plugin_install_nonce')\n       )\n   );\n   ```\n3. **Vulnerable Function:** The `Boomdevs_Toc_custom_plugin_install` function in `admin\u002Fclass-boomdevs-toc-admin.php` executes:\n   - Validates the nonce via `security` parameter.\n   - Hardcodes `$plugin_slug = 'ai-image-alt-text-generator-for-wp'`.\n   - Uses `Plugin_Upgrader` to download and install from WordPress.org.\n   - Calls `activate_plugin()`.\n\n## 4. Nonce Acquisition Strategy\nThe nonce `Boomdevs_Toc_custom_plugin_install_nonce` is localized in the admin dashboard. Since even a Subscriber user can access `\u002Fwp-admin\u002Fprofile.php`, they can retrieve this nonce.\n\n1. **Login:** Authenticate as a Subscriber-level user.\n2. **Navigate:** Go to `\u002Fwp-admin\u002F`.\n3. **Extract:** Use `browser_eval` to extract the nonce from the global JavaScript object:\n   ```javascript\n   window.Boomdevs_Toc_custom_plugin_install_obj?.security\n   ```\n\n## 5. Exploitation Strategy\n1. **Identify Target:** Ensure the target WordPress instance is running TOP Table Of Contents \u003C= 1.3.31.\n2. **Obtain Nonce:** \n   - Perform a login as a Subscriber.\n   - Use `browser_navigate` to `\u002Fwp-admin\u002F`.\n   - Use `browser_eval` to capture the `security` token from `Boomdevs_Toc_custom_plugin_install_obj`.\n3. **Trigger Installation:** Send an HTTP POST request to the AJAX endpoint.\n   - **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method:** POST\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:** `action=Boomdevs_Toc_custom_plugin_install&security=[NONCE]`\n4. **Capture Response:** A successful response should be a JSON object: `{\"success\":true,\"data\":{\"message\":\"Plugin installed and activated successfully.\"}}`.\n\n## 6. Test Data Setup\n1. **Plugin:** Install \"TOP Table Of Contents\" version 1.3.31.\n2. **User:** Create a user with the `subscriber` role (e.g., username: `attacker`, password: `password123`).\n3. **Environment Check:** Ensure the plugin `ai-image-alt-text-generator-for-wp` is NOT currently installed.\n\n## 7. Expected Results\n- The AJAX request returns a success message.\n- The `ai-image-alt-text-generator-for-wp` plugin is downloaded into `wp-content\u002Fplugins\u002F`.\n- The `ai-image-alt-text-generator-for-wp` plugin appears as \"Active\" in the WordPress site.\n\n## 8. Verification Steps\n1. **WP-CLI Plugin Check:**\n   ```bash\n   wp plugin list --status=active\n   ```\n   Confirm `ai-image-alt-text-generator-for-wp` is in the list.\n2. **WP-CLI File Check:**\n   ```bash\n   ls -d wp-content\u002Fplugins\u002Fai-image-alt-text-generator-for-wp\u002F\n   ```\n   Confirm the directory exists.\n\n## 9. Alternative Approaches\nIf the Subscriber user cannot access `\u002Fwp-admin\u002F` due to a site-wide lockdown (though standard WP allows profile access):\n1. **Shortcode Extraction:** Check if the plugin enqueues the same script on the frontend when a TOC is present. Create a page with `[boomdevs-toc]` and try to extract `Boomdevs_Toc_custom_plugin_install_obj` from the frontend.\n2. **Unauthenticated Check:** Since `wp_ajax_nopriv` is registered, if an unauthenticated user can find *any* page where `enqueue_scripts` is called (or if the nonce is leaked via another vulnerability), they could trigger the install without logging in. Check the `public\u002Fclass-boomdevs-toc-public.php` (not fully provided, but inferred) to see if scripts are shared.","The TOP Table Of Contents plugin for WordPress is vulnerable to unauthorized access because its AJAX handlers for plugin installation and layout imports lack capability checks. This allows authenticated users with subscriber-level permissions to trigger the installation and activation of a specific third-party plugin or modify site layout configurations.","\u002F\u002F admin\u002Fclass-boomdevs-toc-admin.php lines 54-55\nadd_action('wp_ajax_Boomdevs_Toc_custom_plugin_install', [$this, 'Boomdevs_Toc_custom_plugin_install']);\nadd_action( 'wp_ajax_nopriv_Boomdevs_Toc_custom_plugin_install', [$this, 'Boomdevs_Toc_custom_plugin_install'] );\n\n\u002F\u002F admin\u002Fclass-boomdevs-toc-admin.php lines 156-184\npublic function Boomdevs_Toc_custom_plugin_install() {\n\n    check_ajax_referer('Boomdevs_Toc_custom_plugin_install_nonce', 'security');\n\n    $plugin_slug = 'ai-image-alt-text-generator-for-wp';\n    $plugin_file = 'ai-image-alt-text-generator-for-wp\u002Fboomdevs-ai-image-alt-text-generator.php';\n\n    \u002F\u002F Include necessary WordPress files for plugin installation and activation\n    require_once ABSPATH . 'wp-admin\u002Fincludes\u002Fplugin.php';\n    require_once ABSPATH . 'wp-admin\u002Fincludes\u002Fclass-wp-upgrader.php';\n\n    \u002F\u002F Install the plugin\n    $upgrader = new Plugin_Upgrader();\n    $installed = $upgrader->install(\"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002F{$plugin_slug}.latest-stable.zip\");\n\n    if (is_wp_error($installed)) {\n        wp_send_json_error(array('message' => $installed->get_error_message()));\n    }\n\n    \u002F\u002F Activate the plugin\n    $activated = activate_plugin($plugin_file);\n\n    if (is_wp_error($activated)) {\n        wp_send_json_error(array('message' => $activated->get_error_message()));\n    }\n\n    wp_send_json_success(array('message' => 'Plugin installed and activated successfully.'));\n}\n\n---\n\n\u002F\u002F includes\u002Fclass-boomdevs-toc-ajax.php line 16\npublic function get_premade_layout() {\n    \n    check_ajax_referer( 'layout_content', 'nonce' );\n\n    $default_available_skins_data = [\n    \u002F\u002F ... (truncated)","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.3.31\u002Fadmin\u002Fclass-boomdevs-toc-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.4.0\u002Fadmin\u002Fclass-boomdevs-toc-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.3.31\u002Fadmin\u002Fclass-boomdevs-toc-admin.php\t2025-11-04 12:38:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.4.0\u002Fadmin\u002Fclass-boomdevs-toc-admin.php\t2026-01-22 12:20:42.000000000 +0000\n@@ -52,7 +52,6 @@\n         $this->plugin_name = $plugin_name;\n         $this->version     = $version;\n         add_action('wp_ajax_Boomdevs_Toc_custom_plugin_install', [$this, 'Boomdevs_Toc_custom_plugin_install']);\n-        add_action( 'wp_ajax_nopriv_Boomdevs_Toc_custom_plugin_install', [$this, 'Boomdevs_Toc_custom_plugin_install'] );\n \n     }\n \n@@ -158,6 +157,10 @@\n \n     public function Boomdevs_Toc_custom_plugin_install() {\n \n+        if ( ! current_user_can( 'install_plugins' ) ) {\n+            wp_send_json_error( array( 'message' => __( 'You do not have permission to install plugins.', 'boomdevs-toc' ) ), 403 );\n+        }\n+\n         check_ajax_referer('Boomdevs_Toc_custom_plugin_install_nonce', 'security');\n     \n         $plugin_slug = 'ai-image-alt-text-generator-for-wp';\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.3.31\u002Fincludes\u002Fclass-boomdevs-toc-ajax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.4.0\u002Fincludes\u002Fclass-boomdevs-toc-ajax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.3.31\u002Fincludes\u002Fclass-boomdevs-toc-ajax.php\t2025-11-04 12:38:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.4.0\u002Fincludes\u002Fclass-boomdevs-toc-ajax.php\t2026-01-22 12:20:42.000000000 +0000\n@@ -15,6 +15,10 @@\n      *\u002F\n     public function get_premade_layout() {\n         \n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'boomdevs-toc' ) ), 403 );\n+        }\n+\n         check_ajax_referer( 'layout_content', 'nonce' );\n \n         $default_available_skins_data = [\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.3.31\u002Fincludes\u002Fclass-boomdevs-toc.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.4.0\u002Fincludes\u002Fclass-boomdevs-toc.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.3.31\u002Fincludes\u002Fclass-boomdevs-toc.php\t2025-11-04 12:38:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ftop-table-of-contents\u002F1.4.0\u002Fincludes\u002Fclass-boomdevs-toc.php\t2026-01-22 12:20:42.000000000 +0000\n@@ -254,7 +254,6 @@\n     private function register_ajax_hooks() {\n \n         $plugin_ajax = new Boomdevs_Toc_Ajax();\n-        $this->loader->add_action('wp_ajax_nopriv_get_premade_layout', $plugin_ajax, 'get_premade_layout');\n         $this->loader->add_action('wp_ajax_get_premade_layout', $plugin_ajax, 'get_premade_layout');\n     }","To exploit this vulnerability, an attacker first authenticates as a Subscriber user and navigates to the WordPress dashboard (e.g., \u002Fwp-admin\u002Fprofile.php). By inspecting the global JavaScript object 'Boomdevs_Toc_custom_plugin_install_obj' localized on the page, the attacker retrieves the 'security' nonce. The attacker then sends an HTTP POST request to the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint with the 'action' parameter set to 'Boomdevs_Toc_custom_plugin_install' and the 'security' parameter set to the captured nonce. Because the server-side function lacks a capability check (e.g., current_user_can('install_plugins')), it will proceed to download and activate the hardcoded 'ai-image-alt-text-generator-for-wp' plugin from the WordPress repository.","gemini-3-flash-preview","2026-05-05 00:36:41","2026-05-05 00:37:01",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.3.31","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftop-table-of-contents\u002Ftags\u002F1.3.31","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftop-table-of-contents.1.3.31.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftop-table-of-contents\u002Ftags\u002F1.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftop-table-of-contents.1.4.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftop-table-of-contents\u002Ftags"]