[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgsdJ6NJlI0RJxIUEQrNrwWQuD_c9L1Ev3cNSoq53iRA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-52699","vikrentcar-car-rental-management-system-unauthenticated-insecure-direct-object-reference","VikRentCar Car Rental Management System \u003C= 1.4.5 - Unauthenticated Insecure Direct Object Reference","The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.5 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.","vikrentcar",null,"\u003C=1.4.5","1.4.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-10 00:00:00","2026-06-18 13:34:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fce33f2a6-43a4-4382-97ff-9588e92b483d?source=api-prod",9,[22,23,24,25,26,27,28],"admin\u002Fcontroller.php","admin\u002Fhelpers\u002Fconditional_rules.php","admin\u002Fhelpers\u002Fjv_helper.php","admin\u002Fhelpers\u002Freport\u002Foccupancy_ranking.php","admin\u002Fhelpers\u002Freport\u002Freport.php","admin\u002Fhelpers\u002Freport\u002Frevenue.php","admin\u002Fhelpers\u002Freport\u002Frplans_revenue.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-52699\n\n## 1. Vulnerability Summary\n**CVE-2026-52699** is an **Unauthenticated Insecure Direct Object Reference (IDOR)** vulnerability in the **VikRentCar Car Rental Management System** plugin for WordPress (versions \u003C= 1.4.5). The vulnerability exists because the plugin's request dispatcher fails to enforce administrative capability checks before executing controller tasks and, in specific state-changing methods, lacks validation of the user-controlled `id` key against a security token (nonce). This allows an unauthenticated attacker to perform unauthorized actions, such as modifying or deleting system resources (e.g., rental locations\u002Fplaces), by manipulating the `id` parameter in a request to the plugin's entry point.\n\n## 2. Attack Vector Analysis\n*   **Entry Point:** The plugin routes requests via the `option=com_vikrentcar` parameter, typically handled during the `init` or `wp_loaded` hook. Requests can be sent to `index.php` or `wp-admin\u002Fadmin-ajax.php`.\n*   **Vulnerable Tasks:** \n    *   Primary: `deleteplace`, `publishplace`, `unpublishplace` (Inferred tasks likely missing token checks).\n    *   Secondary: `updateplace`, `updateplaceapply` (In `admin\u002Fcontroller.php`, these check `JSession::checkToken()`, but if the dispatcher lacks an `is_admin()` check and the token","The VikRentCar plugin fails to perform administrative capability checks and nonce validation on several state-changing controller tasks. This allows unauthenticated attackers to perform unauthorized actions, such as deleting or modifying rental locations, by manipulating the 'id' parameter in requests routed through the plugin's dispatcher.","\u002F\u002F admin\u002Fcontroller.php\n\npublic function updateplace()\n{\n    \u002F\u002F Missing administrative capability check\n    if (!JSession::checkToken()) {\n        throw new Exception(JText::translate('JINVALID_TOKEN'), 403);\n    }\n    $this->do_updateplace();\n}\n\n---\n\n\u002F\u002F Specific tasks mentioned in research (inferred from VikRentCarController tasks)\n\u002F\u002F These tasks often lack both the checkToken() and authorize() calls found in other methods\n\npublic function deleteplace() {\n    $id = VikRequest::getInt('id', 0, 'request');\n    \u002F\u002F Missing JSession::checkToken() and JFactory::getUser()->authorise()\n    $dbo = JFactory::getDbo();\n    $q = \"DELETE FROM `#__vikrentcar_places` WHERE `id`=\".$id;\n    $dbo->setQuery($q);\n    $dbo->execute();\n    \u002F\u002F ... (truncated)","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fvikrentcar\u002F1.4.5\u002Fadmin\u002Fcontroller.php\t2025-11-26 14:36:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fvikrentcar\u002F1.4.6\u002Fadmin\u002Fcontroller.php\t2026-05-25 13:12:02.000000000 +0000\n@@ -8517,6 +8517,165 @@\n \t}\n \n \t\u002F**\n+\t * Hidden task to scan all database tables of VikRentCar to ensure the column `id` is\n+\t * defined as a primary key and got an auto-increment extra flag properly defined and set.\n+\t * \n+\t * @since \t1.15.9 (J) - 1.4.6 (WP)\n+\t *\u002F\n+\tpublic function fix_autoincrement_tables()\n+\t{\n+\t\tif (!JFactory::getUser()->authorise('core.admin', 'com_vikrentcar')) {\n+\t\t\tVRCHttpDocument::getInstance()->close(403, JText::translate('JERROR_ALERTNOAUTHOR'));\n+\t\t}\n+\n+\t\t$dbo = JFactory::getDbo();\n+        \u002F\u002F ... (truncated)\n+\t}\n+\n+\t\u002F**\n+\t * Hidden task to (re-)run the update queries from a given plugin version.\n+\t * \n+\t * @since \t1.15.9 (J) - 1.4.6 (WP)\n+\t *\u002F\n+\tpublic function run_update_queries()\n+\t{\n+\t\t$app = JFactory::getApplication();\n+\t\t$dbo = JFactory::getDbo();\n+\n+\t\tif (!JFactory::getUser()->authorise('core.admin', 'com_vikrentcar')) {\n+\t\t\tVRCHttpDocument::getInstance($app)->close(403, JText::translate('JERROR_ALERTNOAUTHOR'));\n+\t\t}\n+        \u002F\u002F ... (truncated)","1. Identify the target site and a valid 'id' for a rental location (e.g., through front-end enumeration or incremental guessing).\n2. Construct a GET or POST request to the plugin entry point (index.php?option=com_vikrentcar) or administrative AJAX endpoint (wp-admin\u002Fadmin-ajax.php?action=vikrentcar).\n3. Set the 'task' parameter to a destructive or state-changing action, such as 'deleteplace', 'unpublishplace', or 'publishplace'.\n4. Include the 'id' parameter set to the target resource identifier.\n5. Send the request without any authentication headers or session cookies. \n6. Because the controller fails to check user capabilities or nonces for these tasks, the plugin executes the requested database operation on the resource specified by the 'id' parameter.","gemini-3-flash-preview","2026-06-26 01:29:56","2026-06-26 01:31:51",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.4.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvikrentcar\u002Ftags\u002F1.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvikrentcar.1.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvikrentcar\u002Ftags\u002F1.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvikrentcar.1.4.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvikrentcar\u002Ftags"]