[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5JAfscAJp540meT5d6w9s_2U2ltDrRNNTsIkU6w2ye0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-3480","wp-blockade-missing-authorization-to-authenticated-subscriber-arbitrary-shortcode-execution-via-shortcode-parameter","WP Blockade \u003C= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter","The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files).","wp-blockade",null,"\u003C=0.9.14","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Missing Authorization","2026-04-07 17:39:13","2026-04-08 06:43:38",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3f159aac-092b-4655-9d97-a496ac01738c?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to demonstrate the arbitrary shortcode execution vulnerability in the WP Blockade plugin.\n\n## 1. Vulnerability Summary\nThe **WP Blockade** plugin (up to version 0.9.14) fails to implement authorization and CSRF protection on its shortcode rendering preview functionality. The plugin registers an `admin_post` hook named `wp-blockade-shortcode-render`, which triggers the `render_shortcode_preview()` function. Because this function does not verify user capabilities (`current_user_can()`) or check for a valid security nonce, any authenticated user—including those with Subscriber-level privileges—can call this endpoint. The function directly passes user input from the `shortcode` GET parameter into the WordPress `do_shortcode()` function, leading to arbitrary shortcode execution.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php`\n- **Action Hook:** `wp-blockade-shortcode-render` (registered via `admin_post_wp-blockade-shortcode-render`)\n- **HTTP Method:** `GET` (as per vulnerability description)\n- **Vulnerable Parameter:** `shortcode`\n- **Authentication:** Required (Subscriber or higher)\n- **Permissions:** None (Missing `current_user_can` check)\n- **CSRF Protection:** None (Missing `check_admin_referer` or `wp_verify_nonce` check)\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An authenticated user makes a GET request to `\u002Fwp-admin\u002Fadmin-post.php?action=wp-blockade-shortcode-render&shortcode=[payload]`.\n2. **Hook Execution:** WordPress core (`wp-admin\u002Fadmin-post.php`) detects the `action` and triggers the `admin_post_wp-blockade-shortcode-render` hook.\n3. **Handler Call:** The plugin's `render_shortcode_preview()` function is called.\n4. **Processing:**\n   - The function retrieves `$_GET['shortcode']`.\n   - It applies `stripslashes()` to the input.\n   - **Sink:** It calls `echo do_shortcode( stripslashes( $_GET['shortcode'] ) );`.\n5. **Execution:** WordPress parses and executes the provided shortcode. If the shortcode is registered by WordPress core or any installed plugin, it executes its respective callback.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the function **completely lacks nonce verification**.\n- **Nonce Requirement:** None.\n- **Bypass Strategy:** No bypass is necessary as no check exists. An attacker only needs a valid session cookie for a Subscriber-level user.\n\n## 5. Exploitation Strategy\nThe goal is to prove that a Subscriber user can execute a shortcode that they would normally not be able to trigger, or one that returns sensitive data.\n\n### Step-by-Step Plan:\n1. **Login as Subscriber:** Use the `http_request` tool to authenticate as a Subscriber user and capture the session cookies.\n2. **Identify Target Shortcode:** We will use a WordPress core shortcode that generates distinct HTML to prove execution. The `[caption]` shortcode is ideal because it wraps content in a specific `div` or `figure` tag.\n3. **Construct Payload:**\n   - Shortcode: `[caption width=\"1\" caption=\"EXPLOIT_SUCCESS\"]Vulnerable[\u002Fcaption]`\n   - URL Encoded: `%5Bcaption%20width%3D%221%22%20caption%3D%22EXPLOIT_SUCCESS%22%5DVulnerable%5B%2Fcaption%5D`\n4. **Execute Request:** Send an authenticated GET request to the `admin-post.php` endpoint.\n\n### Request Details:\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php?action=wp-blockade-shortcode-render&shortcode=%5Bcaption%20width%3D%221%22%20caption%3D%22EXPLOIT_SUCCESS%22%5DVulnerable%5B%2Fcaption%5D`\n- **Method:** `GET`\n- **Headers:** Must include the `Cookie` header obtained during login.\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure `wp-blockade` version 0.9.14 is installed and active.\n2. **User Creation:** Create a Subscriber user:\n   - Username: `low_priv_user`\n   - Password: `password123`\n   - Role: `subscriber`\n   ```bash\n   wp user create low_priv_user low_priv@example.com --role=subscriber --user_pass=password123\n   ```\n\n## 7. Expected Results\n- **HTTP Status:** `200 OK`\n- **Response Body:** Should contain the rendered HTML for the caption shortcode, specifically looking for the string `EXPLOIT_SUCCESS`.\n- **Response Example:**\n  ```html\n  \u003Cdiv id=\"attachment_...\" style=\"width: 11px\" class=\"wp-caption alignnone\">\n      \u003Cp class=\"wp-caption-text\">EXPLOIT_SUCCESS\u003C\u002Fp>\n  \u003C\u002Fdiv>\n  ```\n\n## 8. Verification Steps\n1. **Check Response:** Confirm that the response body contains `EXPLOIT_SUCCESS` and the `wp-caption` class.\n2. **Access Control Verification:** Attempt the same request without a session cookie. It should either fail or behave differently (usually redirecting to login), confirming that while authentication is checked by WordPress core for `admin_post`, the plugin fails to check *authorization* (capabilities).\n3. **Role Check:** Verify the `low_priv_user` is indeed a Subscriber:\n   ```bash\n   wp user get low_priv_user --field=roles\n   ```\n\n## 9. Alternative Approaches\nIf `admin-post.php` requires a specific referrer or behaves unexpectedly with GET, attempt the following:\n- **POST Request:** Change the method to `POST` and send the parameters in the body:\n  - `action=wp-blockade-shortcode-render`\n  - `shortcode=[caption ...]`\n- **Information Disclosure PoC:** If other plugins are present (e.g., WooCommerce, MemberPress), try to execute shortcodes that reveal information, such as `[woocommerce_my_account]` or plugin-specific \"user info\" shortcodes, to demonstrate high impact.\n- **Cross-Site Scripting (XSS):** If any registered shortcode reflects attributes without proper escaping (common in older plugins), this vulnerability can be used as a vector for Reflected XSS targeting other authenticated users.","The WP Blockade plugin for WordPress (\u003C= 0.9.14) is vulnerable to arbitrary shortcode execution because its shortcode rendering endpoint lacks authorization and nonce checks. This allows any authenticated user, including those with Subscriber-level privileges, to execute any registered shortcode on the site by providing it via a GET parameter.","\u002F\u002F From inferred plugin logic\nadd_action( 'admin_post_wp-blockade-shortcode-render', 'render_shortcode_preview' );\n\nfunction render_shortcode_preview() {\n    \u002F\u002F Function lacks current_user_can() and check_admin_referer() checks\n    if ( isset( $_GET['shortcode'] ) ) {\n        echo do_shortcode( stripslashes( $_GET['shortcode'] ) );\n    }\n    exit;\n}","--- a\u002Fwp-blockade.php\n+++ b\u002Fwp-blockade.php\n@@ -1,5 +1,9 @@\n function render_shortcode_preview() {\n+    if ( ! current_user_can( 'edit_posts' ) ) {\n+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+    }\n+    check_admin_referer( 'wp-blockade-render-action', 'security' );\n     if ( isset( $_GET['shortcode'] ) ) {\n         echo do_shortcode( stripslashes( $_GET['shortcode'] ) );\n     }","1. Authenticate to the WordPress site as a user with minimal privileges (Subscriber).\n2. Construct a GET request targeting the admin-post.php endpoint: `\u002Fwp-admin\u002Fadmin-post.php?action=wp-blockade-shortcode-render`.\n3. Add a 'shortcode' parameter to the request containing the shortcode to be executed (e.g., `[caption width=\"1\" caption=\"EXPLOIT_SUCCESS\"]Vulnerable[\u002Fcaption]`).\n4. Submit the request while including the valid authentication session cookies.\n5. Verify execution by observing the rendered HTML output of the shortcode in the server's response body.","gemini-3-flash-preview","2026-04-17 20:34:12","2026-04-17 20:34:32",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-blockade\u002Ftags"]