[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f96QvtuVC0mIqTaitahpdtYeEnHpbHeZPU-awObXQl-M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-1085","true-ranker-cross-site-request-forgery-to-unauthorized-true-ranker-disconnection","True Ranker \u003C= 2.2.9 - Cross-Site Request Forgery to Unauthorized True Ranker Disconnection","The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.9. This is due to missing nonce validation on the seolocalrank-signout action. This makes it possible for unauthenticated attackers to disconnect the administrator's True Ranker account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","seo-local-rank",null,"\u003C=2.2.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-03-06 18:49:00","2026-04-15 17:41:36",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdb27ae52-1362-4acb-9410-49ad041770f6?source=api-prod",[],"researched",false,3,"This research plan outlines the methodology for exploiting a Cross-Site Request Forgery (CSRF) vulnerability in the True Ranker plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe True Ranker plugin (\u003C= 2.2.9) contains a CSRF vulnerability in its account disconnection logic. The plugin registers or monitors an action named `seolocalrank-signout` but fails to implement WordPress nonce verification (`check_admin_referer` or `wp_verify_nonce`). Consequently, an attacker can craft a malicious request that, when executed by an authenticated administrator, silently disconnects the site from the True Ranker service, potentially disrupting SEO monitoring and data synchronization.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Action:** `seolocalrank-signout`\n*   **Endpoint:** `wp-admin\u002Fadmin.php` or `wp-admin\u002Fadmin-post.php` (depending on registration)\n*   **HTTP Method:** Likely `GET` (common for sign-out links) or `POST`.\n*   **Authentication:** Requires a victim with Administrator privileges.\n*   **Preconditions:** The True Ranker plugin must be active and \"connected\" (i.e., an API key or token must be stored in the database).\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin likely hooks into `admin_init` or `admin_menu` to listen for specific parameters, or uses the `admin_post_` hook.\n2.  **Trigger:** A request is sent to WordPress with the parameter `action=seolocalrank-signout`.\n3.  **Vulnerable Handler:** \n    *   The handler function (e.g., `trueranker_signout_handler`) checks if the user is an admin using `current_user_can('manage_options')`.\n    *   **Crucially**, it misses a call to `check_admin_referer('seolocalrank-signout')`.\n4.  **Sink:** The function proceeds to clear the connection data, typically by calling `delete_option()` for keys like `trueranker_api_key` or `trueranker_token` (inferred).\n5.  **Redirection:** The user is redirected back to the plugin settings page.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability specifically involves **missing nonce validation**. Therefore, no nonce is required to successfully trigger the disconnection. The exploit works by omitting the nonce parameter entirely or providing an arbitrary one.\n\n## 5. Exploitation Strategy\n\n### Step 1: Identify the Connection State\nFirst, we must determine which option stores the \"connected\" state. Based on the plugin slug `seo-local-rank`, we will check for options related to `trueranker` or `seolocalrank`.\n\n### Step 2: Craft the CSRF Request\nWe will simulate a CSRF attack where an admin's session is used to hit the vulnerable endpoint.\n\n**Request Configuration:**\n*   **Tool:** `http_request`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?action=seolocalrank-signout` (Primary candidate) or `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php?action=seolocalrank-signout` (Secondary candidate).\n*   **Method:** `GET`\n*   **Headers:** Standard admin headers (handled by the agent's session).\n\n### Step 3: Execution Plan\n1.  Verify the plugin is \"connected\" by setting a dummy API key in the database via WP-CLI.\n2.  Navigate to the WordPress admin dashboard as an administrator.\n3.  Execute the `http_request` representing the CSRF payload.\n4.  Observe the response (usually a 302 redirect).\n5.  Verify the dummy API key has been deleted from the database.\n\n## 6. Test Data Setup\nTo test the vulnerability, the environment must be prepared as follows:\n\n1.  **Install Plugin:** Ensure True Ranker \u003C= 2.2.9 is installed and active.\n2.  **Simulate Connection:**\n    ```bash\n    # Identify the correct option name (likely trueranker_api_key or similar)\n    # For PoC, we will search for the option or set a known one based on source analysis\n    wp option update trueranker_api_key \"test_vulnerability_token_12345\"\n    ```\n3.  **Create Admin Session:** The automated agent must be logged in as a user with `manage_options` capabilities.\n\n## 7. Expected Results\n*   **Response:** The HTTP request should return a `302 Found` redirecting back to the plugin's main settings page (`admin.php?page=seo-local-rank`).\n*   **Side Effect:** The WordPress option holding the API key\u002Ftoken will be deleted.\n*   **UI Change:** If the admin navigates to the True Ranker settings page, they should see a \"Login\" or \"Connect\" prompt instead of a connected dashboard.\n\n## 8. Verification Steps\nAfter sending the exploit request, run the following WP-CLI command to confirm the account was disconnected:\n\n```bash\n# Check if the option still exists\nwp option get trueranker_api_key\n```\n**Success Criteria:** The command returns an error indicating the option does not exist, or returns an empty value, confirming the `delete_option` call was triggered without a nonce check.\n\n## 9. Alternative Approaches\nIf the `GET` request to `admin.php` fails, try:\n1.  **POST Request:** Some handlers only respond to POST.\n    ```javascript\n    \u002F\u002F Using http_request tool with:\n    method: \"POST\",\n    body: \"action=seolocalrank-signout\"\n    headers: { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" }\n    ```\n2.  **Different Endpoint:** Check if the action is handled via `admin-ajax.php` without a nonce check, although the description specifically points to a sign-out action which is usually a page-level redirect.\n3.  **Parameter Search:** If `seolocalrank-signout` is not the direct action, look for the \"Sign Out\" button in the plugin UI using `browser_navigate` and inspect the URL parameters it uses.","gemini-3-flash-preview","2026-04-18 05:27:57","2026-04-18 05:28:13",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fseo-local-rank\u002Ftags"]