[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA8KH4mnPzmBsLa4sGmXhS0OeBivNJcIRN0GB7i5s9X0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2001","wowrevenue-missing-authorization-to-authenticated-subscriber-arbitrary-plugin-installationactivation","WowRevenue \u003C= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation\u002FActivation","The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.","revenue",null,"\u003C=2.1.3","2.1.4","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-02-16 07:19:57","2026-02-16 19:24:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6d881f00-5985-45d5-9aab-d143a010d739?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2026-2001**, a missing authorization vulnerability in the WowRevenue plugin that allows Subscriber-level users to install and activate arbitrary plugins.\n\n---\n\n### 1. Vulnerability Summary\nThe **WowRevenue – Product Bundles & Bulk Discounts** plugin (slug: `revenue`) contains a vulnerability in the `Notice::install_activate_plugin` function. The function is intended to facilitate the installation of recommended or required plugins via an admin notice. However, it fails to perform a capability check (e.g., `current_user_can( 'install_plugins' )`), allowing any authenticated user—including those with the `subscriber` role—to trigger the installation and activation of any plugin from the WordPress.org repository. This can lead to Remote Code Execution (RCE) if an attacker installs a plugin with file management or command execution capabilities.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `revenue_install_activate_plugin` (Inferred based on the class `Notice` and the function name `install_activate_plugin`. 
The slug `revenue` is the plugin's namespace).\n*   **HTTP Method:** `POST`\n*   **Payload Parameters:**\n    *   `action`: `revenue_install_activate_plugin` (Inferred)\n    *   `slug`: The slug of the target plugin to install (e.g., `wp-file-manager` or `hello-dolly`).\n    *   `_wpnonce`: A nonce likely required by the handler.\n*   **Authentication:** Authenticated, Subscriber role or higher.\n*   **Preconditions:** The plugin `revenue` must be active. The attacker must have a valid session cookie for a Subscriber user.\n\n### 3. Code Flow\n1.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with the `action` parameter.\n2.  **Hook Registration:** The plugin likely registers the handler in a constructor or initialization method within the `Notice` class:\n    `add_action( 'wp_ajax_revenue_install_activate_plugin', [ $this, 'install_activate_plugin' ] );`\n3.  **Vulnerable Function:** `Notice::install_activate_plugin` is called.\n4.  **Missing Check:** The function likely calls `check_ajax_referer` for CSRF protection but omits a call to `current_user_can()`.\n5.  **Sink:** The function uses the WordPress Plugin API (typically `plugins_api()`) to retrieve plugin data and uses a `Plugin_Upgrader` instance to download, install, and subsequently activate the plugin via `activate_plugin()`.\n\n### 4. Nonce Acquisition Strategy\nThe nonce is likely localized for the WordPress admin area to support notice-based actions.\n\n1.  **Access Admin:** Even a Subscriber has access to `wp-admin\u002Fprofile.php`.\n2.  **Identify Variable:** Look for `wp_localize_script` output in the page source.\n    *   **Inferred Script Handle:** `revenue-admin` or `revenue-notice`.\n    *   **Inferred Object Name:** `revenue_params` or `wow_revenue_obj`.\n    *   **Inferred Key:** `nonce` or `install_nonce`.\n3.  
**Strategy:**\n    *   Login as a Subscriber.\n    *   Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.revenue_params?.nonce || window.revenue_obj?.nonce\")`\n    *   *Note:* If the nonce is strictly for the `revenue_install_activate_plugin` action, it might be named specifically (e.g., `window.revenue_params?.install_plugin_nonce`).\n\n### 5. Exploitation Strategy\nThe goal is to install and activate the `hello-dolly` plugin (as a benign proof-of-concept) or `wp-file-manager` (to demonstrate high impact).\n\n1.  **Step 1: Authenticate:** Log in as the Subscriber user.\n2.  **Step 2: Nonce Extraction:** Navigate to `\u002Fwp-admin\u002F` and extract the nonce using the logic in Section 4.\n3.  **Step 3: Trigger Installation:** Send a POST request to `admin-ajax.php`.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```text\n        action=revenue_install_activate_plugin&slug=hello-dolly&_wpnonce=[EXTRACTED_NONCE]\n        ```\n4.  **Step 4: Verify Activation:** The server response should indicate success (likely a JSON object or `1`).\n\n### 6. Test Data Setup\n1.  **Target Plugin:** Ensure `revenue` version 2.1.3 is installed and active.\n2.  **Attacker Account:** Create a user with the Subscriber role:\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3.  **Target for Installation:** Ensure the target plugin (e.g., `hello-dolly`) is **not** currently installed.\n    `wp plugin delete hello-dolly`\n\n### 7. 
Expected Results\n*   **HTTP Response:** A successful response (HTTP 200) with a body indicating the plugin was installed\u002Factivated (e.g., `{\"success\":true}` or `true`).\n*   **System State:** The `wp-content\u002Fplugins\u002Fhello-dolly\u002F` directory should be created, and the plugin should appear as \"Active\" in the WordPress database.\n\n### 8. Verification Steps\nAfter the exploit attempt, use WP-CLI to confirm the change:\n\n1.  **Check Installation:**\n    `wp plugin is-installed hello-dolly && echo \"Plugin Installed\"`\n2.  **Check Activation:**\n    `wp plugin is-active hello-dolly && echo \"Plugin Active\"`\n3.  **Audit Logs (Optional):** Check the `wp_options` table for the active plugins list:\n    `wp option get active_plugins`\n\n### 9. Alternative Approaches\n*   **Different Action Names:** If `revenue_install_activate_plugin` fails, search the plugin files for the string `install_activate_plugin` to find the exact hook:\n    `grep -r \"install_activate_plugin\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Frevenue\u002F`\n*   **Missing Nonce:** Try the request without a nonce. Some plugins use `admin_init` hooks to handle \"notice\" clicks without strict nonce verification for certain roles.\n*   **Activation Only:** If installation is blocked by filesystem permissions but the plugin is already present (but inactive), check if the same endpoint can be used to activate it, which might bypass different sets of checks.","The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to a missing capability check in the 'Notice::install_activate_plugin' AJAX function. 
This allows authenticated users with Subscriber-level permissions to install and activate any plugin from the WordPress repository by providing its slug, potentially leading to Remote Code Execution (RCE).","\u002F\u002F File: revenue\u002Fincludes\u002Fclasses\u002FNotice.php (Inferred)\npublic function install_activate_plugin() {\n    check_ajax_referer( 'revenue_nonce', 'nonce' );\n\n    \u002F\u002F Vulnerable: No current_user_can('install_plugins') check performed\n    $slug = sanitize_text_field( $_POST['slug'] );\n\n    include_once ABSPATH . 'wp-admin\u002Fincludes\u002Fclass-wp-upgrader.php';\n    include_once ABSPATH . 'wp-admin\u002Fincludes\u002Fplugin-install.php';\n\n    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );\n    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );\n    $result = $upgrader->install( $api->download_link );\n\n    if ( $result ) {\n        activate_plugin( $slug );\n        wp_send_json_success();\n    }\n    wp_send_json_error();\n}","--- a\u002Fincludes\u002Fclasses\u002FNotice.php\n+++ b\u002Fincludes\u002Fclasses\u002FNotice.php\n@@ -124,6 +124,10 @@\n \tpublic function install_activate_plugin() {\n \t\tcheck_ajax_referer( 'revenue_nonce', 'nonce' );\n \n+\t\tif ( ! current_user_can( 'install_plugins' ) ) {\n+\t\t\twp_send_json_error( array( 'message' => esc_html__( 'Insufficient permissions', 'revenue' ) ) );\n+\t\t}\n+\n \t\t$slug = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';\n \t\tif ( empty( $slug ) ) {\n \t\t\twp_send_json_error( array( 'message' => esc_html__( 'Invalid slug', 'revenue' ) ) );","1. Authenticate to the WordPress site as a user with Subscriber privileges.\n2. Navigate to any wp-admin page (e.g., profile.php) and extract the AJAX nonce, typically localized in the page source under a variable like 'revenue_params'.\n3. 
Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following body parameters: 'action=revenue_install_activate_plugin', 'slug=[TARGET_PLUGIN_SLUG]' (e.g., 'wp-file-manager'), and '_wpnonce=[EXTRACTED_NONCE]'.\n4. Upon receiving the request, the server-side handler will execute the WordPress Plugin API to download and activate the specified plugin without verifying the user's role.\n5. Verify successful exploitation by checking if the target plugin is active in the WordPress plugins list.","gemini-3-flash-preview","2026-04-20 21:44:52","2026-04-20 21:46:36",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frevenue\u002Ftags\u002F2.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frevenue.2.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frevenue\u002Ftags\u002F2.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frevenue.2.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frevenue\u002Ftags"]