[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkcyzk5O6G8lwIEsL0ULD4rUz9pYnEi7Gv5600xHemhM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4326","vertex-addons-for-elementor-missing-authorization-to-authenticated-subscriber-arbitrary-plugin-installation-and-activati","Vertex Addons for Elementor \u003C= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins'","The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails — it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress.","addons-for-elementor-builder",null,"\u003C=1.6.4","1.7.0","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-04-08 00:00:00","2026-04-09 01:25:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1bb409f0-ccbd-4dfa-b097-b29ee539daa3?source=api-prod",1,[22,23,24,25,26,27,28,29],"addons-for-elementor-builder.php","afeb.php","app\u002FAjax.php","app\u002FAssets.php","assets\u002Fjs\u002Fglobal\u002Fcomponent.js","assets\u002Fjs\u002Fglobal\u002Fcomponent.min.js","html\u002Fadmin\u002Fmenus\u002Fdashboard\u002Ffragments\u002Fcontent\u002Fdashboard\u002Ftpl.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-4326 - Vertex Addons for Elementor\n\n## 1. Vulnerability Summary\nThe **Vertex Addons for Elementor** plugin (versions \u003C= 1.6.4) contains a missing authorization vulnerability in its AJAX handler for plugin activation. The function `AFEB\\Ajax::activate_required_plugins()` performs a capability check using `current_user_can('install_plugins')`, but fails to exit or return when the check evaluates to `false`. Instead, it merely assigns an error message to a variable and continues to the plugin installation and activation logic. This allows any authenticated user (including those with **Subscriber** privileges) to install and activate arbitrary plugins from the WordPress.org repository.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `afeb_activate_required_plugins`\n*   **Required Authentication:** Any logged-in user (Subscriber and above).\n*   **Vulnerable Parameter:** Likely `slug` or `plugin` (the slug of the WordPress.org plugin to install).\n*   **Preconditions:**\n    *   The plugin **Vertex Addons for Elementor** must be active.\n    *   **Elementor** must be active (the `Ajax` class is initialized only after `elementor\u002Floaded` in `afeb.php`).\n\n## 3. Code Flow\n1.  **Initialization:** In `afeb.php`, `Vertex_Addons_For_Elementor::init()` is called on the `elementor\u002Floaded` hook.\n2.  **Ajax Registration:** `init()` calls `(new Ajax())->init();`. Inside `app\u002FAjax.php`, the `init()` method calls `actions()`.\n3.  **Hook Registration:** `Ajax::actions()` registers the vulnerable hook:\n    `add_action('wp_ajax_afeb_activate_required_plugins', [$this, 'activate_required_plugins']);`\n4.  **Vulnerability Sink:** The `activate_required_plugins` function is called.\n    *   It verifies the nonce: `check_ajax_referer('afeb_ajax_nonce', 'nonce');`.\n    *   It checks `current_user_can('install_plugins')`.\n    *   **The Bug:** If the check fails, it populates an error variable but does **not** call `wp_die()` or `return`.\n    *   It proceeds to use `Plugin_Upgrader` or a similar WordPress core utility to install and activate the plugin provided in the `$_POST` data.\n    *   The error response is only sent at the very end of the function.\n\n## 4. Nonce Acquisition Strategy\nThe endpoint requires a nonce tied to the action `afeb_ajax_nonce`. This nonce is localized for administrative screens.\n\n1.  **Identify Localization:** In `app\u002FAssets.php`, the `backend_script()` function enqueues `afeb-backend-script` and calls `$this->localize_script($handle)`.\n2.  
**Access Backend:** Since Subscribers can access the WordPress dashboard (`\u002Fwp-admin\u002Findex.php`), the `admin_enqueue_scripts` hook will fire for them.\n3.  **Extraction:**\n    *   Login as a Subscriber.\n    *   Navigate to `\u002Fwp-admin\u002F`.\n    *   The localized data is likely attached to a global JavaScript object named `afeb_admin` or `afeb_backend` (inferred from the plugin prefix `afeb`).\n    *   Use `browser_eval` to extract it: `window.afeb_admin?.nonce` or `window.afeb_backend?.nonce`.\n\n## 5. Exploitation Strategy\nWe will attempt to install and activate the `hello-dolly` plugin (a benign, standard plugin) to prove the vulnerability.\n\n### Step-by-Step Plan:\n1.  **Login:** Authenticate as a Subscriber-level user.\n2.  **Extract Nonce:**\n    *   Navigate to `\u002Fwp-admin\u002F`.\n    *   Execute `browser_eval(\"afeb_admin.nonce\")` to retrieve the `afeb_ajax_nonce`. (If `afeb_admin` is not found, inspect the page source for `wp_localize_script` outputs).\n3.  **Execute Exploit:**\n    *   Send a POST request to `admin-ajax.php`.\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        action=afeb_activate_required_plugins&nonce=[EXTRACTED_NONCE]&slug=hello-dolly\n        ```\n    *   *Note: If `slug` does not work, try `plugin=hello-dolly`.*\n\n## 6. Test Data Setup\n1.  **Roles:** Ensure a user with the `subscriber` role exists.\n2.  **Plugins:** \n    *   Install `elementor` (required for Vertex Addons to load).\n    *   Install `addons-for-elementor-builder` version 1.6.4.\n3.  **Activation:** Activate both plugins via WP-CLI.\n\n## 7. 
Expected Results\n*   **Response:** Even if the response returns a JSON error like `{\"success\":false,\"data\":{\"message\":\"You do not have permission...\"}}`, the plugin installation should have already occurred.\n*   **State Change:** The `hello-dolly` plugin should be present in the `wp-content\u002Fplugins` directory and marked as \"Active\" in the database.\n\n## 8. Verification Steps\nAfter sending the HTTP request, use WP-CLI to confirm the installation:\n```bash\nwp plugin is-installed hello-dolly\nwp plugin status hello-dolly\n```\nSuccessful exploitation is confirmed if the status is `Active`.\n\n## 9. Alternative Approaches\nIf the `afeb_activate_required_plugins` function expects an array of plugins:\n*   **Payload:** `action=afeb_activate_required_plugins&nonce=[NONCE]&plugins[]=hello-dolly`\n*   **Payload:** `action=afeb_activate_required_plugins&nonce=[NONCE]&slugs[]=hello-dolly`\n\nIf the nonce is not found on the dashboard, check the Elementor editor page (if the Subscriber has access to any post):\n*   Navigate to `\u002Fwp-admin\u002Fpost.php?post=[ID]&action=elementor`.\n*   Check for `afeb` related localized scripts there.","The Vertex Addons for Elementor plugin for WordPress is vulnerable to unauthorized plugin installation and activation because the capability check in the 'activate_required_plugins' function fails to terminate execution upon failure. 
This allows authenticated users with Subscriber-level access or higher to install and activate any plugin from the WordPress repository by sending a crafted AJAX request with a valid nonce.","\u002F\u002F app\u002FAjax.php (lines 224-233 in version 1.6.4)\n    public function activate_required_plugins()\n    {\n        check_ajax_referer('afeb_ajax_nonce', 'nonce');\n\n        $error = '';\n\n        if (!current_user_can('install_plugins'))\n            $error = esc_html__('Sorry, you are not allowed to install plugins on this site.', 'addons-for-elementor-builder');\n\n        $plugins = isset($_POST['plugins']) ? map_deep($_POST['plugins'], 'sanitize_text_field') : [];","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faddons-for-elementor-builder\u002F1.6.4\u002Fapp\u002FAjax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faddons-for-elementor-builder\u002F1.7.0\u002Fapp\u002FAjax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faddons-for-elementor-builder\u002F1.6.4\u002Fapp\u002FAjax.php\t2026-02-28 04:34:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faddons-for-elementor-builder\u002F1.7.0\u002Fapp\u002FAjax.php\t2026-03-25 18:05:28.000000000 +0000\n@@ -224,10 +224,14 @@\n     {\n         check_ajax_referer('afeb_ajax_nonce', 'nonce');\n \n-        $error = '';\n-\n         if (!current_user_can('install_plugins'))\n-            $error = esc_html__('Sorry, you are not allowed to install plugins on this site.', 'addons-for-elementor-builder');\n+        {\n+            wp_send_json_error([\n+                'message' => esc_html__('Sorry, you are not allowed to install plugins on this site.', 'addons-for-elementor-builder'),\n+            ], 403);\n+        }\n+\n+        $error = '';\n \n         $plugins = isset($_POST['plugins']) ? 
map_deep($_POST['plugins'], 'sanitize_text_field') : [];\n         $time_limit = ini_get('max_execution_time');\n@@ -294,6 +298,13 @@\n     {\n         check_ajax_referer('afeb_ajax_nonce', 'nonce');\n \n+        if (!current_user_can('manage_options'))\n+        {\n+            wp_send_json_error([\n+                'message' => esc_html__('Sorry, you are not allowed to import template kit settings on this site.', 'addons-for-elementor-builder'),\n+            ], 403);\n+        }\n+\n         $time_limit = ini_get('max_execution_time');\n \n         if (!did_action('elementor\u002Floaded') || !class_exists(Plugin::class))\n@@ -386,6 +397,13 @@\n     {\n         check_ajax_referer('afeb_ajax_nonce', 'nonce');\n \n+        if (!current_user_can('manage_options'))\n+        {\n+            wp_send_json_error([\n+                'message' => esc_html__('Sorry, you are not allowed to import template kits on this site.', 'addons-for-elementor-builder'),\n+            ], 403);\n+        }\n+","The exploit requires authentication as any registered user (e.g., Subscriber). First, the attacker logs in and navigates to the WordPress dashboard (\u002Fwp-admin\u002F) to extract the 'afeb_ajax_nonce' from the localized script variables (the plugin enqueues these scripts for all admin users via the 'admin_enqueue_scripts' hook). Once the nonce is obtained, the attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the action parameter set to 'afeb_activate_required_plugins', the extracted nonce, and a 'plugins' array containing the slug of the target plugin from the WordPress repository (e.g., 'plugins[]=hello-dolly'). 
Because the capability check 'current_user_can('install_plugins')' in the plugin's AJAX handler does not stop the execution flow, the plugin installation and activation proceed despite the unauthorized user status.","gemini-3-flash-preview","2026-04-17 19:46:12","2026-04-17 19:46:44",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor-builder\u002Ftags\u002F1.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faddons-for-elementor-builder.1.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor-builder\u002Ftags\u002F1.7.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faddons-for-elementor-builder.1.7.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor-builder\u002Ftags"]
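Review bot: in the hunk at `@@ -224,10 +224,14 @@` of app/Ajax.php, the new guard checks only `install_plugins`, while the advisory text on this page describes the handler as both installing and activating plugins. Consider also requiring `activate_plugins` before the activation step, so that a role holding one capability without the other cannot reach both actions. The early `wp_send_json_error([...], 403)` is the right shape, since it ends the request before `$_POST['plugins']` is read.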
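Review bot: the `manage_options` guard added at `@@ -294,6 +298,13 @@` is repeated almost verbatim at `@@ -386,6 +397,13 @@`, with only the message string changed, and the first hunk uses the same pattern with a different capability. A small private helper that takes the capability and the message and calls `wp_send_json_error` with status 403 would keep the three checks consistent. It would also make it harder to add a later handler that relies only on `check_ajax_referer('afeb_ajax_nonce', 'nonce')`, which is not an authorization check by itself.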