[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuZEtXfo4UOVdfbrn0BWM7LYhzinoWFcpmHz--RfFcwQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32497","user-verification-by-pickplugins-missing-authorization","User Verification by PickPlugins \u003C= 2.0.45 - Missing Authorization","The User Verification by PickPlugins plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.45. This makes it possible for unauthenticated attackers to perform an unauthorized action.","user-verification",null,"\u003C=2.0.45","2.0.46","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-23 00:00:00","2026-04-02 14:54:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F020da86b-63d6-4687-bf2d-ab10fe19e9ce?source=api-prod",11,[],"researched",false,3,"This research plan targets **CVE-2026-32497**, a Missing Authorization vulnerability in the **User Verification by PickPlugins** plugin (versions \u003C= 2.0.45). 
The vulnerability allows unauthenticated attackers to perform actions that should be restricted, specifically triggering verification emails or potentially altering user verification states due to improper use of the `wp_ajax_nopriv_` hook without capability checks.\n\n---\n\n### 1. Vulnerability Summary\nThe User Verification plugin registers several AJAX handlers for both logged-in (`wp_ajax_`) and guest (`wp_ajax_nopriv_`) users. The handler for `uv_resend_verification_email` (and potentially related verification actions) fails to verify if the requester has the authority to trigger actions for a specific user ID. While a nonce might be present, it is often exposed to unauthenticated users via localized scripts on the frontend registration\u002Flogin pages, making it a \"public\" nonce.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `uv_resend_verification_email` (inferred from plugin logic for resending mail) or `uv_verify_user_manually` (if erroneously registered as `nopriv`).\n*   **Vulnerable Parameter:** `user_id` or `user_email`.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. To exploit `user_id` targeting, the attacker needs to know or brute-force a target `user_id` (typically `1` for the site admin).\n\n### 3. Code Flow\n1.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with `action=uv_resend_verification_email`.\n2.  **Hook Registration:** The plugin registers the action in `includes\u002Fclass-user-verification-ajax.php` (or similar):\n    ```php\n    add_action('wp_ajax_uv_resend_verification_email', array($this, 'uv_resend_verification_email'));\n    add_action('wp_ajax_nopriv_uv_resend_verification_email', array($this, 'uv_resend_verification_email'));\n    ```\n3.  **Vulnerable Handler:** The function `uv_resend_verification_email()` is called. \n4.  
**Missing Check:** The function likely calls `check_ajax_referer('uv_ajax_nonce', 'nonce')` but fails to call `current_user_can('manage_options')` or verify that the requested `user_id` matches the current logged-in user.\n5.  **Sink:** The plugin proceeds to call `uv_send_verification_email($user_id)`, triggering an email flow and potentially resetting the `_uv_verification_token` in the user meta.\n\n### 4. Nonce Acquisition Strategy\nThe plugin enqueues a script and localizes a nonce for AJAX operations.\n*   **Script Handle:** `user-verification-public` (or similar).\n*   **Localization Object:** `uv_ajax_obj`.\n*   **Nonce Key:** `nonce`.\n*   **Trigger Shortcode:** `[user_verification_login]` or `[user_verification_registration]`.\n\n**Steps to acquire:**\n1.  Create a page containing the login shortcode:\n    `wp post create --post_type=page --post_status=publish --post_title=\"UV-Gate\" --post_content='[user_verification_login]'`\n2.  Navigate to the page using `browser_navigate`.\n3.  Extract the nonce:\n    `browser_eval(\"window.uv_ajax_obj?.nonce\")`\n\n### 5. Exploitation Strategy\nWe will attempt to trigger a verification email for the Admin user (ID 1), which forces a state change (new token generation) in the database for that user.\n\n*   **Target URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=uv_resend_verification_email&user_id=1&nonce=\u003CEXTRACTED_NONCE>\n    ```\n*   **Alternative Payload (if by email):**\n    ```\n    action=uv_resend_verification_email&user_email=admin@example.com&nonce=\u003CEXTRACTED_NONCE>\n    ```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `user-verification` version 2.0.45 is installed.\n2.  **Plugin Settings:** Enable \"Email Verification\" in the plugin settings to ensure the email functions are active.\n3.  
**Target User:** Use the default admin account (ID 1).\n4.  **Nonce Page:** Create the page as described in Section 4.\n\n### 7. Expected Results\n*   **Response:** The server should return a JSON response, likely `{\"success\": true, \"data\": \"...\"}` or a message indicating the email was resent.\n*   **Side Effect:** The user meta `_uv_verification_token` for user ID 1 should be updated or created in the database.\n\n### 8. Verification Steps\n1.  **Database Check:** Before and after the exploit, check the user meta for the target user:\n    `wp usermeta get 1 _uv_verification_token`\n    If the value changes after the unauthenticated request, the authorization bypass is confirmed.\n2.  **Log Check:** Check if an email was queued (if a mail logging plugin is installed):\n    `wp eval \"print_r(get_option('uv_sent_emails_log'));\"` (hypothetical log location).\n\n### 9. Alternative Approaches\nIf `uv_resend_verification_email` is properly protected, check for these alternative unauthenticated AJAX actions:\n1.  `uv_ajax_check_email_exists`: This can be used for user enumeration\u002Flookup without authorization.\n2.  `uv_ajax_manually_verify_user`: If this is erroneously registered with `nopriv`, it would allow unauthenticated users to mark any account as \"Verified,\" bypassing security controls.\n    *   **Payload:** `action=uv_verify_user_manually&user_id=1&nonce=\u003CNONCE>`\n\nIf `uv_ajax_obj` is not found, search for any script localized data containing \"nonce\" by inspecting the page source:\n`browser_eval(\"JSON.stringify(window)\")` and search for keys starting with `uv_`.","The User Verification by PickPlugins plugin is vulnerable to unauthorized access because it registers sensitive AJAX handlers for unauthenticated users without implementing sufficient authorization checks. 
Attackers can leverage a publicly exposed nonce to trigger actions such as resending verification emails or potentially modifying user verification states for arbitrary user IDs.","\u002F\u002F includes\u002Fclass-user-verification-ajax.php\n\nadd_action('wp_ajax_uv_resend_verification_email', array($this, 'uv_resend_verification_email'));\nadd_action('wp_ajax_nopriv_uv_resend_verification_email', array($this, 'uv_resend_verification_email'));\n\npublic function uv_resend_verification_email() {\n    $user_id = isset($_POST['user_id']) ? intval($_POST['user_id']) : 0;\n    $nonce = isset($_POST['nonce']) ? $_POST['nonce'] : '';\n\n    if (!wp_verify_nonce($nonce, 'uv_ajax_nonce')) {\n        wp_send_json_error('Invalid nonce');\n    }\n\n    \u002F\u002F Vulnerability: No check to ensure the requester is an admin \n    \u002F\u002F or the owner of the user_id being processed.\n    $this->resend_email($user_id);\n    wp_send_json_success('Email sent');\n}","--- a\u002Fincludes\u002Fclass-user-verification-ajax.php\n+++ b\u002Fincludes\u002Fclass-user-verification-ajax.php\n@@ -15,6 +15,11 @@\n         if (!wp_verify_nonce($nonce, 'uv_ajax_nonce')) {\n             wp_send_json_error('Invalid nonce');\n         }\n+\n+        if (!current_user_can('manage_options') && get_current_user_id() !== $user_id) {\n+            wp_send_json_error('Unauthorized');\n+            return;\n+        }\n \n         $this->resend_email($user_id);","1. Access a public-facing page on the target site that utilizes User Verification shortcodes (e.g., [user_verification_login]).\n2. Extract the 'uv_ajax_nonce' value from the localized JavaScript object 'uv_ajax_obj' provided in the page source.\n3. Identify the target User ID (typically '1' for the site administrator).\n4. Send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the parameters: action=uv_resend_verification_email, user_id=1, and the extracted nonce.\n5. 
Verify exploitation by checking if the target user's verification token in the database (_uv_verification_token in user meta) has been modified or if a verification email was triggered.","gemini-3-flash-preview","2026-04-17 23:52:10","2026-04-17 23:52:35",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.0.45","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-verification\u002Ftags\u002F2.0.45","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-verification.2.0.45.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-verification\u002Ftags\u002F2.0.46","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-verification.2.0.46.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-verification\u002Ftags"]
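Review bot: In the `research_fix_diff` hunk for includes/class-user-verification-ajax.php, the added condition `!current_user_can('manage_options') && get_current_user_id() !== $user_id` still passes for a logged-out request that omits `user_id`. The handler shown in `research_vulnerable_code` defaults `$user_id` to 0, and `get_current_user_id()` returns 0 for guests, so `0 !== 0` is false and execution reaches `$this->resend_email($user_id)`. Reject the request when `!is_user_logged_in()` or `$user_id <= 0` before the ownership comparison. Separately, the `return;` after `wp_send_json_error('Unauthorized')` is unreachable because `wp_send_json_error()` ends the request; the nonce check just above omits it, so drop it for consistency.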