[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvA2vLqWls8zYD4vqlgAXHPKJt_6dj-J0Yw_qERq1Wrs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-3143","total-upkeep-missing-authorization-to-unauthenticated-rollback-cancellation","Total Upkeep \u003C= 1.17.1 - Missing Authorization to Unauthenticated Rollback Cancellation","The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_cli_cancel' function in all versions up to, and including, 1.17.1. This makes it possible for unauthenticated attackers to cancel a pending rollback, potentially preventing a WordPress installation from automatically reverting a failed update.","boldgrid-backup",null,"\u003C=1.17.1","1.17.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-30 00:00:00","2026-05-01 13:28:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff25dcd7e-8fb1-471e-bd22-782409de45c4?source=api-prod",2,[22,23,24,25,26,27],"admin\u002Fclass-boldgrid-backup-admin-auto-rollback.php","admin\u002Fclass-boldgrid-backup-admin-cron.php","boldgrid-backup.php","cli\u002Fclass-site-restore.php","languages\u002Fboldgrid-backup.pot","readme.txt","researched",false,3,"This research plan targets **CVE-2026-3143**, a missing authorization vulnerability in the **Total Upkeep** plugin for WordPress. This vulnerability allows an unauthenticated attacker to cancel a pending site rollback, which is a critical safety feature that automatically restores a site if an update fails.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (Unauthenticated data modification).\n*   **Vulnerable Action:** `cli_cancel`.\n*   **Plugin:** Total Upkeep (slug: `boldgrid-backup`).\n*   **Affected Versions:** \u003C= 1.17.1.\n*   **Fixed Version:** 1.17.2.\n*   **Nature of Flaw:** The plugin registers an AJAX handler (either `wp_ajax_cli_cancel` or `wp_ajax_nopriv_cli_cancel`) that calls a function to delete the `boldgrid_backup_pending_rollback` site option and clear related cron jobs. The handler lacks capability checks (`current_user_can`) and nonce validation, allowing unauthenticated requests to trigger it.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **HTTP Method:** `POST` (standard for AJAX) or `GET`.\n*   **Action Parameter:** `action=cli_cancel`.\n*   **Authentication:** Not required (Unauthenticated).\n*   **Preconditions:** A \"pending rollback\" must exist for the exploit to have a measurable impact (i.e., the `boldgrid_backup_pending_rollback` site option must be set).\n\n### 3. Code Flow\n1.  **Entry Point:** An HTTP request hits `admin-ajax.php?action=cli_cancel`.\n2.  **Hook Trigger:** WordPress fires the `wp_ajax_nopriv_cli_cancel` (or `wp_ajax_cli_cancel`) hook.\n3.  **Handler Execution:** The plugin's registered handler function (likely in an admin core class, calling `Boldgrid_Backup_Admin_Auto_Rollback::cancel`) is executed.\n4.  **Vulnerable Method:** `Boldgrid_Backup_Admin_Auto_Rollback::cancel()` (in `admin\u002Fclass-boldgrid-backup-admin-auto-rollback.php`):\n    *   It calls `$this->core->cron->delete_cron_entries( 'restore' )` to stop the scheduled rollback.\n    *   It calls `$this->core->settings->delete_rollback_option()` to delete the `boldgrid_backup_pending_rollback` site option.\n5.  **Sink:** `delete_site_option( 'boldgrid_backup_pending_rollback' )`.\n\n### 4. Nonce Acquisition Strategy\nThe vulnerability description (\"Missing Authorization\") and the severity (Medium, Unauthenticated) strongly suggest that **no nonce is validated** for this specific action. \n\n*   **Verification:** If the exploit fails with a `403` or `-1` response, check for nonce usage in the plugin files by searching for `check_ajax_referer` or `wp_verify_nonce` near the `cli_cancel` action registration.\n*   **Localization:** If a nonce *is* required, it would likely be localized in `boldgrid-backup-admin-backup-now.js` under a variable name like `boldgrid_backup_admin_backup_now` (inferred from the script handle `boldgrid-backup-admin-backup-now` in `enqueue_backup_scripts`).\n\n### 5. Exploitation Strategy\nThe goal is to prove that an unauthenticated user can delete the `boldgrid_backup_pending_rollback` option.\n\n**Step 1: Setup \"Pending Rollback\" State**\nAn attacker can't easily trigger a real failed update, so we will simulate the state by manually creating the site option.\n*   **Command:** `wp site option update boldgrid_backup_pending_rollback '{\"filepath\":\"\u002Ftmp\u002Fdummy-backup.zip\",\"deadline\":9999999999}' --format=json`\n\n**Step 2: Send the Exploit Request**\n*   **Tool:** `http_request`\n*   **Method:** `POST`\n*   **URL:** `{{base_url}}\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=cli_cancel`\n\n**Step 3: Verification**\nConfirm that the site option has been deleted.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Install Total Upkeep version 1.17.1.\n2.  **Configuration:** Enable the plugin.\n3.  **Data Creation:** Populate the rollback option to provide a target for deletion.\n    ```bash\n    wp site option update boldgrid_backup_pending_rollback '{\"filepath\":\"\u002Ftmp\u002Fpoc.zip\",\"mode\":\"backup\"}' --format=json\n    ```\n4.  **Verification of Setup:**\n    ```bash\n    wp site option get boldgrid_backup_pending_rollback\n    ```\n\n### 7. Expected Results\n*   **Successful Request:** The server returns a `200 OK` response (likely with `0`, `1`, or an empty response, as many AJAX handlers don't return specific data).\n*   **System Impact:** The site option `boldgrid_backup_pending_rollback` is removed from the database.\n*   **Cron Impact:** Any crons with the hook containing `restore` are removed (viewable via `wp cron event list`).\n\n### 8. Verification Steps\n1.  **Database Check:**\n    ```bash\n    wp site option get boldgrid_backup_pending_rollback\n    ```\n    *Expectation:* The command should return an error or empty result (Option does not exist).\n2.  **Cron Check:**\n    ```bash\n    wp cron event list | grep restore\n    ```\n    *Expectation:* No entries should be found.\n\n### 9. Alternative Approaches\nIf `cli_cancel` does not respond to unauthenticated requests, check if the plugin registers a REST API endpoint for the same purpose:\n*   Search for `register_rest_route` in the plugin directory.\n*   Look for routes containing `rollback` or `cancel`.\n*   If a REST endpoint exists, check its `permission_callback` for `__return_true` or missing capability checks.\n\nIf the action name is slightly different, use grep to find the registration:\n```bash\ngrep -r \"wp_ajax_.*cancel\" .\n```\nVerify if `wp_ajax_nopriv_` is present for that action.","Total Upkeep (\u003C= 1.17.1) contains a missing authorization vulnerability in its rollback cancellation mechanism. An unauthenticated attacker can cancel a pending site rollback by sending a request to the unprivileged AJAX handler, potentially preventing the site from automatically reverting to a stable state after a failed update.","\u002F\u002F admin\u002Fclass-boldgrid-backup-admin-auto-rollback.php line 1205\n\tpublic function wp_ajax_cli_cancel() {\n\t\t$backup_id_match = ! empty( $_GET['backup_id'] ) && $this->core->get_backup_identifier() === sanitize_key( $_GET['backup_id'] ); \u002F\u002F phpcs:ignore WordPress.CSRF.NonceVerification.NoNonceVerification\n\n\t\tif ( $backup_id_match ) {\n\t\t\t$this->cancel();\n\t\t\twp_send_json_success( __( 'Rollback canceled', 'boldgrid-backup' ) );\n\t\t} else {\n\t\t\twp_send_json_error( __( 'Error: Backup ID match failed', 'boldgrid-backup' ) );\n\t\t}\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fboldgrid-backup\u002F1.17.1\u002Fadmin\u002Fclass-boldgrid-backup-admin-auto-rollback.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fboldgrid-backup\u002F1.17.2\u002Fadmin\u002Fclass-boldgrid-backup-admin-auto-rollback.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fboldgrid-backup\u002F1.17.1\u002Fadmin\u002Fclass-boldgrid-backup-admin-auto-rollback.php\t2021-07-22 18:44:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fboldgrid-backup\u002F1.17.2\u002Fadmin\u002Fclass-boldgrid-backup-admin-auto-rollback.php\t2026-03-11 16:28:56.000000000 +0000\n@@ -205,6 +205,9 @@\n \n \t\t\u002F\u002F Remove WP option boldgrid_backup_pending_rollback.\n \t\t$this->core->settings->delete_rollback_option();\n+\n+\t\t\u002F\u002F Remove the one-time CLI cancel secret.\n+\t\tdelete_site_option( 'boldgrid_backup_cli_cancel_secret' );\n \t}\n \n \t\u002F**\n@@ -1194,16 +1197,23 @@\n \t\u002F**\n \t * Callback function for canceling a pending rollback from the cli process.\n \t *\n-\t * This admin-ajax call is unprovileged, so that the CLI script can make the call.\n-\t * The only validation that we use is the backup identifier.\n-\t * Nobody will be trying to cancel rollbacks (with a 15-minute window) anyways.\n+\t * This admin-ajax call is unprivileged, so that the CLI script can make the call.\n+\t * Validation requires both the backup identifier and a one-time random secret that\n+\t * was generated when the restore cron job was scheduled.\n \t *\n \t * @since 1.10.7\n \t *\u002F\n \tpublic function wp_ajax_cli_cancel() {\n-\t\t$backup_id_match = ! empty( $_GET['backup_id'] ) && $this->core->get_backup_identifier() === sanitize_key( $_GET['backup_id'] ); \u002F\u002F phpcs:ignore WordPress.CSRF.NonceVerification.NoNonceVerification\n+\t\t\u002F\u002F phpcs:ignore WordPress.CSRF.NonceVerification.Recommended\n+\t\t$backup_id_match = ! empty( $_GET['backup_id'] ) && $this->core->get_backup_identifier() === sanitize_key( $_GET['backup_id'] );\n+\n+\t\t$stored_secret  = get_site_option( 'boldgrid_backup_cli_cancel_secret', '' );\n \n-\t\tif ( $backup_id_match ) {\n+\t\t\u002F\u002F phpcs:ignore WordPress.CSRF.NonceVerification.Recommended\n+\t\t$secret_match = ! empty( $stored_secret ) && ! empty( $_GET['cli_cancel_secret'] ) &&\n+\t\t\thash_equals( $stored_secret, sanitize_text_field( wp_unslash( $_GET['cli_cancel_secret'] ) ) );\n+\t\t\n+\t\tif ( $backup_id_match && $secret_match ) {\n \t\t\t$this->cancel();\n \t\t\twp_send_json_success( __( 'Rollback canceled', 'boldgrid-backup' ) );\n \t\t} else {","To exploit this vulnerability, an attacker targets the unprivileged AJAX action used for CLI-initiated rollback cancellations. \n\n1. Target Endpoint: The standard WordPress AJAX endpoint `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2. Payload: The request must include the `action` parameter set to either `cli_cancel` or `boldgrid_cli_cancel_rollback` (depending on the internal mapping) and a valid `backup_id` parameter.\n3. Identifying Backup ID: The `backup_id` is an identifier generated by the plugin for the site, often discoverable or deterministic (e.g., based on hashes of site metadata).\n4. Execution: By sending a GET or POST request with these parameters, an unauthenticated user triggers the `Boldgrid_Backup_Admin_Auto_Rollback::cancel()` method.\n5. Impact: This method deletes the `boldgrid_backup_pending_rollback` site option and clears any scheduled restoration cron jobs. This effectively neutralizes the safety net that would have automatically restored the site if a current update process failed, leaving the site in a broken state if the update does not complete successfully.","gemini-3-flash-preview","2026-05-04 17:45:00","2026-05-04 17:45:32",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.17.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fboldgrid-backup\u002Ftags\u002F1.17.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fboldgrid-backup.1.17.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fboldgrid-backup\u002Ftags\u002F1.17.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fboldgrid-backup.1.17.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fboldgrid-backup\u002Ftags"]