[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f20q317_zBybWXd7MUV2LmPMbVsqFmcyigdF1skzvRlg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1060","wp-adminify-unauthenticated-sensitive-information-exposure-via-get-addons-list-rest-api","WP Adminify \u003C= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API","The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the \u002Fwp-json\u002Fadminify\u002Fv1\u002Fget-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.","adminify",null,"\u003C=4.0.7.7","4.0.7.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-27 00:00:00","2026-01-28 14:25:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7ecb4f95-346e-49b3-859f-44f28a72f065?source=api-prod",2,[],"researched",false,3,"This research plan focuses on exploiting CVE-2026-1060, a sensitive information exposure vulnerability in the **WP Adminify** plugin.\n\n## 1. Vulnerability Summary\nThe WP Adminify plugin (versions \u003C= 4.0.7.7) exposes a REST API endpoint `\u002Fwp-json\u002Fadminify\u002Fv1\u002Fget-addons-list` which is registered with a `permission_callback` that returns `true`. This misconfiguration allows any unauthenticated user to query the internal status of plugin addons. The exposed data includes addon slugs, current versions, installation statuses, and—most critically—**direct download URLs** for these addons.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fadminify\u002Fv1\u002Fget-addons-list`\n- **Namespace:** `adminify\u002Fv1`\n- **HTTP Method:** `GET` (Inferred based on \"get\" naming convention in REST routes)\n- **Authentication:** None (Unauthenticated)\n- **Preconditions:** The WP Adminify plugin must be active. No specific addon needs to be enabled for the list itself to be returned.\n\n## 3. Code Flow\n1. **Route Registration:** The plugin hooks into `rest_api_init`.\n2. **Endpoint Definition:** Inside the registration logic (likely in a class named `Adminify_Rest_API` or similar), `register_rest_route` is called:\n   ```php\n   register_rest_route( 'adminify\u002Fv1', '\u002Fget-addons-list', [\n       'methods'             => 'GET', \u002F\u002F or WP_REST_Server::READABLE\n       'callback'            => [ $this, 'get_addons_list_callback' ],\n       'permission_callback' => '__return_true', \u002F\u002F VULNERABILITY: No capability check\n   ]);\n   ```\n3. **Callback Execution:** When the endpoint is hit, `get_addons_list_callback` is executed.\n4. **Data Retrieval:** The callback fetches an array of addons, often from a remote server or internal config file, and appends metadata like `version`, `status`, and `download_url`.\n5. **Response:** The data is returned as a JSON object to the unauthenticated requester.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the `permission_callback` is set to `__return_true`. \n- **Requirement:** No `_wpnonce` or `X-WP-Nonce` should be required to access this specific endpoint because it is explicitly designed to be public (though incorrectly so).\n- **Verification:** If the request returns a `401 Unauthorized` or `rest_cookie_invalid_nonce`, a nonce can be retrieved by navigating to the site homepage and checking the localized scripts for the `wp_rest` nonce or generic `adminify` nonces.\n\n*Note: Since this is a REST API information leak with `__return_true`, we will proceed assuming no nonce is required.*\n\n## 5. Exploitation Strategy\nThe exploit involves a direct GET request to the vulnerable REST endpoint.\n\n**Step 1: Discovery**\nSend a simple GET request to check for the existence of the endpoint.\n\n- **Tool:** `http_request`\n- **Method:** `GET`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fadminify\u002Fv1\u002Fget-addons-list`\n- **Headers:** `Accept: application\u002Fjson`\n\n**Step 2: Data Extraction**\nParse the JSON response. Look for the following keys in the objects within the returned list:\n- `slug`: The internal name of the addon.\n- `version`: The current version of the addon.\n- `download_url`: The URL used to fetch the addon zip.\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure WP Adminify version 4.0.7.7 is installed and activated.\n2. **Permalinks:** Ensure WordPress Permalinks are enabled (e.g., set to \"Post name\") so the `\u002Fwp-json\u002F` route is reachable.\n   - Command: `wp rewrite structure '\u002F%postname%\u002F' --hard`\n3. **Addons:** No specific addons need to be configured, as the vulnerability exposes the *available* list regardless of local configuration.\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` status with a JSON body similar to:\n```json\n[\n  {\n    \"slug\": \"adminify-pro-addon\",\n    \"version\": \"1.2.3\",\n    \"status\": \"not_installed\",\n    \"download_url\": \"https:\u002F\u002Fwpadminify.com\u002Fdownloads\u002Fsome-secret-token\u002Faddon.zip\"\n  },\n  ...\n]\n```\nThe presence of `download_url` for potentially premium or internal components confirms the \"Sensitive Information Exposure\" vulnerability.\n\n## 8. Verification Steps\n1. **Confirm Exposure:** Use `http_request` to view the response body.\n2. **Check for Access Control:** Attempt the same request while logged out (incognito\u002Ffresh session) to prove it is unauthenticated.\n3. **Validate Download URL:** If a `download_url` is provided in the JSON, attempt a HEAD request to that URL to verify it is valid and accessible.\n\n## 9. Alternative Approaches\nIf the `\u002Fwp-json\u002F` prefix is blocked or changed:\n1. Try the alternative route: `\u002F?rest_route=\u002Fadminify\u002Fv1\u002Fget-addons-list`.\n2. Check for other Adminify REST routes that might use the same `permission_callback` by searching the plugin source for `register_rest_route` calls near the vulnerable endpoint.\n3. If `GET` fails, attempt `POST` with an empty body, as some WP REST implementations are inconsistent with method requirements.","The WP Adminify plugin for WordPress exposes a REST API endpoint \u002Fwp-json\u002Fadminify\u002Fv1\u002Fget-addons-list to unauthenticated users due to an insecure permission_callback set to __return_true. This allows attackers to access sensitive metadata about plugin addons, including internal status, version numbers, and direct download URLs.","\u002F\u002F Likely located in a class handling REST API registration\nregister_rest_route( 'adminify\u002Fv1', '\u002Fget-addons-list', [\n    'methods'             => 'GET',\n    'callback'            => [ $this, 'get_addons_list_callback' ],\n    'permission_callback' => '__return_true',\n]);","--- a\u002Finc\u002Fclasses\u002Fclass-adminify-rest-api.php\n+++ b\u002Finc\u002Fclasses\u002Fclass-adminify-rest-api.php\n@@ -25,3 +25,5 @@\n                 'methods'             => 'GET',\n                 'callback'            => [ $this, 'get_addons_list_callback' ],\n-                'permission_callback' => '__return_true',\n+                'permission_callback' => function () {\n+                    return current_user_can('manage_options');\n+                },\n             ]);","The exploit targets the exposed REST API route without requiring any authentication or nonces. An attacker sends a GET request to the endpoint `\u002Fwp-json\u002Fadminify\u002Fv1\u002Fget-addons-list`. Because the permission check is explicitly bypassed by the plugin, the server responds with a JSON array containing the configuration and metadata of all available addons. The attacker then parses this response to extract addon slugs and, most importantly, the `download_url` field, which can be used to download the addon source code directly.","gemini-3-flash-preview","2026-05-04 23:31:02","2026-05-04 23:32:44",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.0.7.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadminify\u002Ftags\u002F4.0.7.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadminify.4.0.7.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadminify\u002Ftags\u002F4.0.7.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadminify.4.0.7.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadminify\u002Ftags"]