[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTxJP-Z-KgGrGHjiZ_Nngb_U_K-lMGS9WpxairryGfq8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-42677","wp-document-revisions-missing-authorization","WP Document Revisions \u003C= 3.8.1 - Missing Authorization","The WP Document Revisions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-document-revisions",null,"\u003C=3.8.1","4.0.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-15 00:00:00","2026-05-19 13:15:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Feb9c5a81-ef7e-4b40-b1c7-619fc2731623?source=api-prod",5,[22,23,24,25,26,27],"css\u002Fstyle.css","docs\u002Fchangelog.md","docs\u002Ffeatures.md","docs\u002Ffilters.md","docs\u002Ffrequently-asked-questions.md","docs\u002Fheader.md","researched",false,3,"# Exploitation Research Plan: CVE-2026-42677 (WP Document Revisions)\n\n## 1. Vulnerability Summary\nThe **WP Document Revisions** plugin (versions \u003C= 3.8.1) contains a missing authorization vulnerability in the function `update_post_slug_field`. This function is intended to allow users to update the URL slug (permalink) of a document post. However, because it lacks both capability checks (`current_user_can`) and potentially nonce verification, unauthenticated attackers can invoke this function via the WordPress AJAX API to modify the slug of any document.\n\nThis can lead to broken links, disruption of document workflows, and potential bypasses of access controls that rely on specific URL structures.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `update_post_slug_field` (Inferred from the function name in `docs\u002Fchangelog.md`)\n- **Vulnerable Hook:** `wp_ajax_nopriv_update_post_slug_field` (likely registered without restriction) or `wp_ajax_update_post_slug_field` (missing capability check inside the handler).\n- **HTTP Method:** `POST`\n- **Authentication:** None (Unauthenticated)\n- **Preconditions:** The attacker must know the `ID` of a \"Document\" post. This is often discoverable via the REST API (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fdocuments`) if enabled, or by iterating through post IDs.\n\n## 3. Code Flow\nThe expected execution path is:\n1. **Entry Point:** An unauthenticated `POST` request is sent to `admin-ajax.php` with the `action` parameter set to `update_post_slug_field`.\n2. **Hook Execution:** WordPress triggers the action handler associated with `wp_ajax_nopriv_update_post_slug_field` (or the `wp_ajax_` variant if the user is logged in but lacks permissions).\n3. **Vulnerable Sink:** The handler calls `update_post_slug_field()`. \n4. **Missing Check:** Based on the fix description in `docs\u002Fchangelog.md` (Version 3.8.0), the function `update_post_slug_field` fails to verify if the requester has the `edit_documents` capability or if the request is legitimate via a nonce.\n5. **Modification:** The function proceeds to call `wp_update_post()` or modifies the `post_name` field in the database directly for the specified `post_id`.\n\n## 4. Nonce Acquisition Strategy\nIf the plugin requires a nonce (even if it fails to check permissions), it is likely localized via `wp_localize_script`. Since this is an unauthenticated vulnerability, we must look for a nonce exposed to the frontend.\n\n1. **Identify Script Handle:** The plugin likely uses a handle like `wp-document-revisions` or `document-revisions-admin`.\n2. **Shortcode Page:** Create a page containing a Document shortcode to ensure the plugin's environment is loaded.\n   - `wp post create --post_type=page --post_status=publish --post_content='[documents]'`\n3. **Browser Extraction:**\n   - Navigate to the newly created page.\n   - Use `browser_eval` to search for the nonce variable. Based on common WordPress plugin patterns, it might be inside a global object.\n   - **Target Variable (Inferred):** `window.WPDocumentRevisions?.ajax_nonce` or `window.wp_dr_params?.nonce`.\n   - *Note:* If the vulnerability is truly \"Missing Authorization\" for unauthenticated users, the `wp_ajax_nopriv` handler may not be checking the nonce at all, or using a default action.\n\n## 5. Exploitation Strategy\nWe will attempt to change the slug of an existing document from `original-slug` to `pwned-slug`.\n\n### Step 1: Discover Target Document\nIdentify a valid Document ID.\n```bash\nwp post list --post_type=document --fields=ID,post_name\n```\n\n### Step 2: Perform the Attack\nSend an unauthenticated request to the AJAX endpoint.\n\n**HTTP Request (Conceptual):**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** \n  - `action=update_post_slug_field`\n  - `post_id=[TARGET_ID]`\n  - `new_slug=pwned-document-url`\n  - `nonce=[EXTRACTED_NONCE]` (If required)\n\n### Step 3: Payload Implementation (via http_request tool)\n```python\n# Implementation for the security agent\nparams = {\n    \"action\": \"update_post_slug_field\",\n    \"post_id\": 123, # Replace with discovered ID\n    \"new_slug\": \"pwned-slug\"\n}\n# Use http_request to send the POST\n```\n\n## 6. Test Data Setup\nTo verify the exploit, the environment must contain:\n1. **Document Post:** A document with a known ID and slug.\n   - `wp post create --post_type=document --post_title=\"Sensitive Document\" --post_name=\"sensitive-doc\" --post_status=publish`\n2. **Permalinks:** Ensure permalinks are enabled (e.g., Post Name) so slug changes are visible.\n   - `wp rewrite structure '\u002F%postname%\u002F'`\n\n## 7. Expected Results\n- **Success:** The HTTP response returns `1`, `true`, or a success JSON (e.g., `{\"success\":true}`).\n- **Database Change:** The `post_name` field for the document ID in the `wp_posts` table is updated to `pwned-slug`.\n- **Visibility:** Navigating to the original URL (`\u002Fdocuments\u002Fsensitive-doc\u002F`) results in a 404, while the new URL (`\u002Fdocuments\u002Fpwned-slug\u002F`) loads the document.\n\n## 8. Verification Steps\nAfter the exploit, verify the change using WP-CLI:\n```bash\n# Check if the slug was updated\nwp post get [ID] --field=post_name\n\n# Verify the new permalink\nwp post list --post_type=document --post_id=[ID] --fields=ID,post_name,guid\n```\n\n## 9. Alternative Approaches\nIf the `action` name is not `update_post_slug_field`:\n1. **Grep for AJAX Actions:**\n   `grep -rn \"wp_ajax\" .` in the plugin directory to find the actual registered action name.\n2. **Check Parameter Names:** If `new_slug` fails, try `slug`, `post_name`, or `new_post_slug`.\n3. **REST API:** Check if a similar missing authorization exists on the REST route:\n   `POST \u002Fwp-json\u002Fwp-document-revisions\u002Fv1\u002Fupdate-slug` (inferred path).\n4. **Referer Header:** Some WordPress AJAX handlers check `HTTP_REFERER`. If the request fails, try setting the Referer to the site's home page or admin page.","gemini-3-flash-preview","2026-05-20 17:33:40","2026-05-20 17:34:48",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","3.8.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-document-revisions\u002Ftags\u002F3.8.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-document-revisions.3.8.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-document-revisions\u002Ftags\u002F4.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-document-revisions.4.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-document-revisions\u002Ftags"]