[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fR0mbX4PHcVz-aoCELzyGx1Va4pgDoRkXyWllgBm0GmA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-24603","universal-google-adsense-and-ads-manager-missing-authorization","Universal Google Adsense and Ads manager \u003C= 1.1.8 - Missing Authorization","The Universal Google Adsense and Ads manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.8. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","universal-google-adsense-and-ads-manager",null,"\u003C=1.1.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-14 08:24:46","2026-02-03 13:44:17",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbd46352a-5428-467d-9456-772ef816efb1?source=api-prod",[],"researched",false,3,"Because the source code for the Universal Google Adsense and Ads manager plugin (version \u003C= 1.1.8) is not provided, this plan relies on the vulnerability description and common patterns found in \"Missing Authorization\" vulnerabilities within WordPress AJAX handlers. The primary goal of the agent is to identify the specific AJAX action that allows modification of plugin settings.\n\n### 1. Vulnerability Summary\nThe Universal Google Adsense and Ads manager plugin for WordPress is vulnerable to **Missing Authorization**. A function reachable via the WordPress AJAX API (`admin-ajax.php`) fails to implement a `current_user_can()` check. This allows unauthenticated attackers to trigger the function and perform unauthorized actions, most likely modifying the plugin's AdSense settings (e.g., changing the AdSense Publisher ID to redirect revenue).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** To be determined via discovery (likely `uga_save_settings`, `uga_update_options`, or similar).\n*   **HTTP Method:** POST\n*   **Authentication:** Unauthenticated (requires a `wp_ajax_nopriv_` hook registration).\n*   **Payload:** URL-encoded parameters representing plugin settings (e.g., `adsense_id=pub-attacker`).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `wp-admin\u002Fadmin-ajax.php` with a specific `action` parameter.\n2.  
**Hook Trigger:** WordPress triggers the hook `wp_ajax_nopriv_{action}`.\n3.  **Vulnerable Function:** The callback function associated with the hook is executed.\n4.  **Missing Check:** The callback function lacks a capability check (e.g., `if (!current_user_can('manage_options'))`).\n5.  **Sink:** The function processes the `$_POST` data and calls `update_option()` or `update_site_option()`, overwriting the legitimate AdSense configuration.\n\n### 4. Nonce Acquisition Strategy\nIf the plugin uses `check_ajax_referer()` or `wp_verify_nonce()`, the agent must retrieve a valid nonce.\n1.  **Identify Action:** Search the codebase for `wp_create_nonce` to find the action string.\n2.  **Find Localization:** Search for `wp_localize_script` to see which JavaScript variable holds the nonce.\n    *   *Hypothetical Variable:* `uga_ajax_obj` (inferred)\n    *   *Hypothetical Key:* `nonce` (inferred)\n3.  **Creation of Trigger Page:** Many AdSense plugins only load their scripts on the frontend if a widget or shortcode is present.\n    *   Search for shortcodes: `grep -r \"add_shortcode\" .`\n    *   If a shortcode like `[universal_adsense]` exists, create a page:\n        `wp post create --post_type=page --post_status=publish --post_content='[universal_adsense]'`\n4.  **Extraction:** Navigate to the new page and use `browser_eval` to extract the nonce:\n    `browser_eval(\"window.uga_ajax_obj?.nonce\")`\n\n### 5. 
Exploitation Strategy\nThe agent should follow these steps:\n\n**Step 1: Discovery**\nIdentify the vulnerable AJAX action and parameters.\n```bash\n# Find AJAX registrations\ngrep -r \"wp_ajax_nopriv_\" .\n\n# Analyze the callback function of the nopriv action\n# Look for update_option calls and missing capability checks\n```\n\n**Step 2: Target Identification (Example)**\nAssuming the action is `uga_save_settings` and it saves an option called `uga_settings`.\n*   **Action:** `uga_save_settings`\n*   **Sensitive Parameters:** `google_adsense_id`, `ads_code_1`, etc.\n\n**Step 3: Execution**\nSubmit the unauthorized update via the `http_request` tool.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    `action=uga_save_settings&nonce=[NONCE]&google_adsense_id=pub-9999999999999999&ads_code_1=\u003Cscript>alert('XSS')\u003C\u002Fscript>`\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `universal-google-adsense-and-ads-manager` version 1.1.8 is installed.\n2.  **Initial Config:** Set a legitimate AdSense ID using WP-CLI:\n    `wp option update uga_settings '{\"google_adsense_id\":\"pub-1234567890123456\"}' --format=json` (inferred option name).\n3.  **Public Page:** Create a page with the plugin's shortcode to ensure script localization (if needed for nonce).\n\n### 7. Expected Results\n*   **Response:** The server returns a `200 OK` or a success JSON object (e.g., `{\"success\":true}`).\n*   **Effect:** The plugin settings in the database are updated with the attacker-supplied values.\n\n### 8. Verification Steps\nConfirm the exploit success using WP-CLI:\n```bash\n# Check the value of the plugin's settings option\nwp option get uga_settings --format=json\n```\nIf the `google_adsense_id` matches `pub-9999999999999999`, the exploit is successful.\n\n### 9. 
Alternative Approaches\n*   **Admin Init Bypass:** If no AJAX actions are found, check if the plugin uses `admin_init` to process settings. Unauthenticated users can trigger `admin_init` by visiting `\u002Fwp-admin\u002Fadmin-ajax.php`.\n    *   Search: `grep -r \"admin_init\" .`\n    *   Check if the function attached to `admin_init` looks for `$_POST['submit']` or similar without a capability check.\n*   **XSS Path:** If the plugin saves raw HTML for ads, verify if the \"Missing Authorization\" allows Persistent XSS by injecting a `\u003Cscript>` tag into the ad code fields.","The Universal Google Adsense and Ads manager plugin for WordPress (\u003C= 1.1.8) is vulnerable to unauthorized settings modification because it fails to perform capability checks on AJAX actions or admin functions. This allows unauthenticated attackers to change the AdSense Publisher ID or inject malicious scripts into ad code by sending a crafted request to the admin-ajax.php endpoint.","The attacker identifies an AJAX action intended for administrative settings (likely registered with a 'wp_ajax_nopriv_' hook) that lacks a 'current_user_can()' check. By sending an unauthenticated POST request to 'wp-admin\u002Fadmin-ajax.php' with the appropriate 'action' parameter and desired setting values (such as 'google_adsense_id' or ad display code), the attacker can overwrite the plugin's configuration in the database. If the plugin uses nonces, the attacker first extracts a valid nonce from the frontend source code of a page where the plugin's scripts are loaded.","gemini-3-flash-preview","2026-05-05 09:35:50","2026-05-05 09:36:12",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funiversal-google-adsense-and-ads-manager\u002Ftags"]