[
  {"data":1,"prerenderedAt":-1},
  ["ShallowReactive",2],
  {"$fCsHj0PbHs1IOYU0ORq8kgyM4OejOfYg0Ft0AqykdJHc":3},
  {
    "id":4,
    "url_slug":5,
    "title":6,
    "description":7,
    "plugin_slug":8,
    "theme_slug":9,
    "affected_versions":10,
    "patched_in_version":9,
    "severity":11,
    "cvss_score":12,
    "cvss_vector":13,
    "vuln_type":14,
    "published_date":15,
    "updated_date":16,
    "references":17,
    "days_to_patch":9,
    "patch_diff_files":19,
    "patch_trac_url":9,
    "research_status":20,
    "research_verified":21,
    "research_rounds_completed":22,
    "research_plan":23,
    "research_summary":24,
    "research_vulnerable_code":9,
    "research_fix_diff":9,
    "research_exploit_outline":25,
    "research_model_used":26,
    "research_started_at":27,
    "research_completed_at":28,
    "research_error":9,
    "poc_status":9,
    "poc_video_id":9,
    "poc_summary":9,
    "poc_steps":9,
    "poc_tested_at":9,
    "poc_wp_version":9,
    "poc_php_version":9,
    "poc_playwright_script":9,
    "poc_exploit_code":9,
    "poc_has_trace":21,
    "poc_model_used":9,
    "poc_verification_depth":9,
    "poc_exploit_code_gated":21,
    "source_links":29
  },
  "CVE-2026-39700",
  "wowoptin-missing-authorization",
  "WowOptin \u003C= 1.4.34 - Missing Authorization",
  "The WowOptin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.4.34. This makes it possible for unauthenticated attackers to perform an unauthorized action.",
  "optin",
  null,
  "\u003C=1.4.34",
  "medium",
  5.3,
  "CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N",
  "Missing Authorization",
  "2026-03-01 00:00:00",
  "2026-04-15 21:47:12",
  [18],
  "https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa6382ebd-f836-4f39-8113-1475163d6b81?source=api-prod",
  [],
  "researched",
  false,
  3,
  "This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2026-39700) in the WowOptin plugin (version \u003C= 1.4.34).\n\n### 1. Vulnerability Summary\nThe WowOptin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in one of its AJAX or initialization handlers. This allows unauthenticated attackers to perform actions that should be restricted to administrators. Based on the \"Low Integrity\" (I:L) impact and unauthenticated access (PR:N), the vulnerability likely involves modifying plugin settings, manipulating opt-in data, or triggering plugin-specific actions via `admin-ajax.php` without proper `current_user_can()` validation.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Hook Type:** `wp_ajax_nopriv_{action}` (unauthenticated AJAX) or a function hooked to `admin_init` that fails to check user privileges.\n*   **Authentication:** None required (unauthenticated).\n*   **Action Name (Inferred Candidates):** \n    *   `wow_optin_save_settings`\n    *   `optin_save_data`\n    *   `optin_export_subscribers`\n    *   `wow_optin_update_status`\n*   **Payload Parameter:** Likely a `POST` request containing plugin settings or IDs.\n\n### 3. Code Flow Trace\n1.  **Entry Point:** The attacker sends a `POST` request to `admin-ajax.php`.\n2.  **Hook Registration:** The plugin registers a handler via `add_action('wp_ajax_nopriv_...', 'callback_function')`.\n3.  **Vulnerable Callback:** The `callback_function` (to be identified in the plugin files) processes user-supplied data from `$_POST`.\n4.  **Missing Check:** The function performs a sensitive operation (e.g., `update_option()`, `wp_delete_post()`, or modifying database tables via `$wpdb`) without calling `current_user_can('manage_options')`.\n5.  **Sink:** The operation is completed, altering the plugin state or exposing data.\n\n### 4. Nonce Acquisition Strategy\nIf the vulnerable handler checks a nonce using `check_ajax_referer` or `wp_verify_nonce`, it must be obtained from the frontend.\n\n1.  **Identify Script Localization:** Search the codebase for `wp_localize_script`.\n    *   *Search Pattern:* `grep -rn \"wp_localize_script\" .`\n2.  **Find the Localized Object:** Look for an object containing a nonce, often named something like `wow_optin_ajax` or `optin_vars`.\n3.  **Identify Trigger Shortcode:** Find the shortcode that enqueues the frontend scripts.\n    *   *Search Pattern:* `grep -rn \"add_shortcode\" .`\n    *   *Common shortcode:* `[wow-optin]`\n4.  **Automated Extraction:**\n    *   Create a test post\u002Fpage: `wp post create --post_type=page --post_status=publish --post_content='[wow-optin id=\"1\"]'` (Replace `1` with a valid opt-in ID if known).\n    *   Navigate to the page using `browser_navigate`.\n    *   Extract the nonce via `browser_eval`:\n        ```javascript\n        \u002F\u002F Example based on typical plugin patterns\n        window.wow_optin_ajax?.nonce || window.optin_vars?.nonce\n        ```\n\n### 5. Exploitation Strategy\nOnce the vulnerable action and required parameters are identified:\n\n1.  **Discovery Phase:** \n    *   Identify the action: `grep -r \"wp_ajax_nopriv\" .`\n    *   Examine the handler for missing `current_user_can`.\n2.  **Request Construction:**\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action={vulnerable_action}&nonce={extracted_nonce}&param1=value1&...`\n3.  **Execution:** Use the `http_request` tool to send the payload.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure WowOptin \u003C= 1.4.34 is installed and active.\n2.  **Create Sample Content:**\n    *   Create at least one \"Optin\" (popup) through the admin UI or via CLI if the schema is known.\n    *   `wp post create --post_type=optin --post_title=\"Test Optin\" --post_status=publish` (verify post type slug).\n3.  **Public Page:** Create a page with the plugin's shortcode to facilitate nonce extraction.\n\n### 7. Expected Results\n*   **Success Indicator:** The server returns a `200 OK` or a JSON success response (e.g., `{\"success\":true}`).\n*   **Impact:** A plugin setting is changed (e.g., disabling a popup), or a new administrative user\u002Foption is created, or subscriber data is returned in the response.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the change using WP-CLI:\n*   Check if an option was updated: `wp option get wow_optin_settings`\n*   Check if a post was modified: `wp post get {id}`\n*   Check for newly created data: `wp db query \"SELECT * FROM wp_wow_optin_subscribers\"` (example table name).\n\n### 9. Alternative Approaches\n*   **Admin-Init Bypass:** If no `wp_ajax_nopriv` is found, check for functions hooked to `admin_init`. Since `admin-ajax.php` triggers `admin_init`, a handler there that lacks a capability check is reachable by unauthenticated users.\n    *   *Search Pattern:* `grep -rn \"add_action.*admin_init\" .`\n*   **Parameter Fuzzing:** If the logic involves updating settings, try common WordPress setting names or plugin-specific option keys in the `$_POST` payload.",
  "The WowOptin plugin for WordPress (versions up to and including 1.4.34) fails to implement capability checks in its AJAX or initialization handlers. This allows unauthenticated attackers to execute sensitive plugin functions, such as modifying settings or exporting data, via the admin-ajax.php endpoint.",
  "1. Identify an AJAX action registered with 'wp_ajax_nopriv_' in the plugin code that performs sensitive operations (e.g., updating options or deleting data).\n2. Obtain a valid AJAX nonce from the frontend by viewing the source code of a page where the plugin's scripts are localized (searching for objects such as 'wow_optin_ajax' or 'optin_vars').\n3. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to the identified vulnerable callback, including the extracted nonce and the desired payload parameters.\n4. Because the handler lacks a 'current_user_can()' check, the operation will be performed regardless of the attacker's authentication or privilege level.",
  "gemini-3-flash-preview",
  "2026-04-18 22:18:35",
  "2026-04-18 22:18:50",
  {"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},
  "plugin",
  "https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Foptin\u002Ftags"
]