[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fM3zip5W9oGXxI2LIeuAYLIdF0p0H6eCvDzvp_z3FKeA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-32527","wp-insightly-for-contact-form-7-wpforms-elementor-formidable-and-ninja-forms-missing-authorization","WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms \u003C= 1.1.5 - Missing Authorization","The WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.5. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","cf7-insightly",null,"\u003C=1.1.5","1.1.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-20 00:00:00","2026-03-27 19:31:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8919ba4e-e217-4e1d-8bd6-4c2387f9680f?source=api-prod",8,[22,23,24,25],"cf7-insightly.php","includes\u002Fplugin-pages.php","readme.txt","templates\u002Flogs.php","researched",false,3,"This research plan focuses on exploiting a **Missing Authorization** vulnerability in the **WP Insightly** plugin (version \u003C= 1.1.5). The vulnerability allows authenticated users with Subscriber-level permissions to perform administrative actions, such as modifying plugin feeds or triggering CRM synchronization, because the AJAX handlers fail to verify user capabilities.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (Insecure Direct Object Reference \u002F Missing Capability Check).\n*   **Location:** `includes\u002Fplugin-pages.php` within the `vxcf_insightly_pages` class.\n*   **Problem:** The plugin registers multiple AJAX actions via `wp_ajax_` hooks. While these hooks correctly restrict access to authenticated users, the callback functions (e.g., `update_feed`, `send_to_crm`, `refresh_data`) do not perform a `current_user_can('manage_options')` check.\n*   **Impact:** A Subscriber can modify plugin configuration (Integrity) or trigger unauthorized data transmissions to Insightly CRM.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `update_feed_vxcf_insightly` (inferred from `$this->id = \"vxcf_insightly\"` in `cf7-insightly.php`).\n*   **Authentication:** Authenticated (Subscriber level or higher).\n*   **Payload:** URL-encoded POST parameters including a nonce and feed configuration.\n*   **Preconditions:** \n    1.  The plugin must be active.\n    2.  At least one \"Feed\" must exist in the plugin (to modify).\n    3.  The attacker must obtain a valid WordPress nonce (`vx_nonce`).\n\n### 3. Code Flow\n1.  **Registration:** In `includes\u002Fplugin-pages.php`, the `__construct` method registers AJAX handlers using the pattern `wp_ajax_update_feed_vxcf_insightly`.\n2.  **Trigger:** A Subscriber sends a POST request to `admin-ajax.php` with `action=update_feed_vxcf_insightly`.\n3.  **Execution:** WordPress routes the request to `vxcf_insightly_pages::update_feed`.\n4.  **Failure:** The handler likely calls `check_ajax_referer('vx_nonce', 'nonce')` but fails to call `current_user_can('manage_options')`. The code proceeds to update the database table `wp_vxcf_insightly_feeds` based on `$_POST` data.\n\n### 4. Nonce Acquisition Strategy\nThe nonce is generated using `wp_create_nonce('vx_nonce')`. In CRM Perks plugins, this nonce is typically exposed in the admin dashboard. \n\n**Strategy:**\n1.  The plugin often registers its submenus with the `read` capability (allowing Subscribers to see them) or leaks the nonce in the global admin script data.\n2.  **Access Test:** Navigate to the plugin's main page as a Subscriber: `\u002Fwp-admin\u002Fadmin.php?page=vxcf_insightly`.\n3.  
**Extraction:**\n    *   If the page loads, use `browser_eval` to extract the nonce from the hidden input field: \n        `document.getElementById('vx_nonce_field')?.value`\n    *   Alternatively, check the global JS object (localized via `wp_localize_script`): \n        `window.vxcf_insightly_pages?.nonce` (or similar, based on the `$this->id`).\n\n### 5. Exploitation Strategy\nWe will demonstrate the vulnerability by modifying an existing feed's name using a Subscriber account.\n\n**Step 1: Obtain Nonce**\nUse the `browser_navigate` and `browser_eval` tools to grab the `vx_nonce`.\n\n**Step 2: Submit Malicious Update**\nPerform a POST request to `admin-ajax.php`.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=update_feed_vxcf_insightly&nonce=[NONCE]&feed_id=1&feed_name=VULNERABILITY_CONFIRMED&active=1\n    ```\n    *(Note: Parameters based on standard CRM Perks feed update logic. If `update_feed` expects a serialized object, the `feed` parameter may be used instead.)*\n\n### 6. Test Data Setup\n1.  **Admin Action:** Log in as Admin.\n2.  **Plugin Setup:** \n    *   Go to \"Insightly Feeds\" and create one dummy feed named \"Original Feed\".\n    *   Note the `id` of the feed (usually `1` for the first feed).\n3.  **Subscriber Setup:** Create a user `attacker` with the `subscriber` role.\n\n### 7. Expected Results\n*   The AJAX request should return a success message (likely JSON or a string like `1` or `updated`).\n*   The Subscriber's request is accepted despite lacking administrative privileges.\n*   The database record for the feed will be updated.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the feed name changed:\n    `wp db query \"SELECT name FROM wp_vxcf_insightly_feeds WHERE id=1\"`\n2.  
**UI Check:** Log back in as Admin and view the Feeds list to see the altered name \"VULNERABILITY_CONFIRMED\".\n\n### 9. Alternative Approaches\nIf `update_feed` is strictly protected, target **`refresh_data_vxcf_insightly`**:\n*   **Action:** `refresh_data_vxcf_insightly`\n*   **Payload:** `action=refresh_data_vxcf_insightly&nonce=[NONCE]`\n*   **Effect:** Triggers an unauthorized API refresh\u002Fsync with Insightly.\n\nIf the Subscriber cannot access the plugin admin pages directly to get a nonce:\n*   Check if the plugin enqueues its scripts on the **Dashboard** (`index.php`).\n*   Try to find the nonce in the source of `wp-admin\u002Findex.php`.\n*   If `check_ajax_referer` is used with `die=false` (common in some CRM Perks versions), try omitting the nonce entirely.","The WP Insightly plugin for WordPress fails to implement capability checks on several AJAX handlers, most notably the log detail viewer. This allows authenticated attackers with Subscriber-level access and above to access sensitive CRM logs, modify plugin settings, or trigger unauthorized data synchronization with the Insightly CRM.","\u002F\u002F includes\u002Fplugin-pages.php lines 19-30\npublic function __construct() {\n  \n  $this->data=$this->get_data_object();\nglobal $pagenow;\n  if(in_array($pagenow, array(\"admin-ajax.php\"))){\n  add_action('wp_ajax_update_feed_'.$this->id, array($this, 'update_feed'));\n  add_action('wp_ajax_update_feed_sort_'.$this->id, array($this, 'update_feed_sort'));\n  add_action('wp_ajax_get_field_map_'.$this->id, array($this, 'get_field_map_ajax'));\n  add_action('wp_ajax_get_field_map_object_'.$this->id, array($this, 'get_field_map_object_ajax'));\n  add_action('wp_ajax_get_objects_'.$this->id, array($this, 'get_objects_ajax'));\n  add_action('wp_ajax_log_detail_'.$this->id, array($this, 'log_detail'));\n   add_action('wp_ajax_refresh_data_'.$this->id, array($this, 'refresh_data')); \n  add_action('wp_ajax_send_to_crm_'.$this->id, array($this, 'send_to_crm')); \n  
}\n\n---\n\n\u002F\u002F includes\u002Fplugin-pages.php line 1416 (v1.1.5)\npublic function log_detail(){\n$log_id=$this->post('id');\n$log=$this->data->get_log_by_id($log_id); \n  $data=json_decode($log['data'],true);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.5\u002Fcf7-insightly.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.6\u002Fcf7-insightly.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.5\u002Fcf7-insightly.php\t2025-05-22 11:22:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.6\u002Fcf7-insightly.php\t2026-02-23 16:56:48.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n * Plugin Name: WP Contact Form Insightly\n * Description: Integrates Contact Form 7, Ninja Forms, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-entries\u002F\">Contact Form Entries Plugin\u003C\u002Fa> and many other forms with Insightly allowing form submissions to be automatically sent to your Insightly account \n-* Version: 1.1.5\n+* Version: 1.1.6\n * Requires at least: 3.8\n * Author URI: https:\u002F\u002Fwww.crmperks.com\n * Plugin URI: https:\u002F\u002Fwww.crmperks.com\u002Fplugins\u002Fcontact-form-plugins\u002Fcontact-form-insightly-plugin\u002F\n@@ -24,7 +24,7 @@\n   public  $crm_name = \"insightly\";\n   public  $id = \"vxcf_insightly\";\n   public  $domain = \"vxcf-insightly\";\n-  public  $version = \"1.1.5\";\n+  public  $version = \"1.1.6\";\n   public  $update_id = \"6000001\";\n   public  $min_cf_version = \"1.0\";\n   public $type = \"vxcf_insightly\";\n@@ -118,18 +118,7 @@\n   add_action('init', array($this,'init'));\n        \u002F\u002Floading translations\n load_plugin_textdomain('contact-form-insightly-crm', FALSE,  $this->plugin_dir_name(). 
'\u002Flanguages\u002F' );\n-  \n-  self::$db_version=get_option($this->type.\"_version\");\n-  if(self::$db_version != $this->version && current_user_can( 'manage_options' )){\n-  $data=$this->get_data_object();\n-  $data->update_table();\n-  update_option($this->type.\"_version\", $this->version);\n-  \u002F\u002Fadd post permissions\n-  require_once(self::$path . \"includes\u002Finstall.php\"); \n-  $install=new vxcf_insightly_install();\n-  $install->create_roles();   \n-\n-  }\n+$this->maybe_install(true);  \n }\n   \n   }\n@@ -149,6 +138,27 @@\n self::$plugin->instance();\n }\n } }\n+public function maybe_install($version_check=false){\n+    \n+  if(current_user_can( 'manage_options' )){\n+  self::$db_version=get_option($this->type.\"_version\");\n+     $do_install=false;\n+      if($version_check == false){\n+        $do_install=true;  \n+      }else if(self::$db_version != $this->version){\n+        $do_install=true;   \n+      }\n+  if($do_install){\n+  $data=$this->get_data_object();\n+  $data->update_table();\n+  update_option($this->type.\"_version\", $this->version);\n+  \u002F\u002Fadd post permissions\n+  require_once(self::$path . \"includes\u002Finstall.php\"); \n+  $install=new vxcf_insightly_install();\n+  $install->create_roles();   \n+  }\n+  } \n+}\n \n  public function form_submitted($form){ \n \n@@ -508,29 +518,6 @@\n   echo wp_kses_post($message) ;\n   echo '\u003C\u002Fp>\u003C\u002Fdiv>';\n   } \n-\n-\n-  \u002F**\n-  * create tables and roles\n-  * \n-  *\u002F\n-  public function install(){\n-      \n-  if(current_user_can( 'manage_options' )){\n-  self::$db_version=get_option($this->type.\"_version\");\n-  if(self::$db_version != $this->version){\n-  $data=$this->get_data_object();\n-  $data->update_table();\n-  update_option($this->type.\"_version\", $this->version);\n-  \u002F\u002Fadd post permissions\n-  require_once(self::$path . 
\"includes\u002Finstall.php\"); \n-  $install=new vxcf_insightly_install();\n-  $install->create_roles();   \n-\n-  }\n-\n-  } \n-  }\n \u002F**\n * Contact Form status\n * \n@@ -1275,6 +1262,7 @@\n   *\u002F\n   public function activate(){ \n $this->plugin_api(true);\n+$this->maybe_install();\n do_action('plugin_status_'.$this->type,'activate');  \n   }\n     \u002F**\n@@ -1414,6 +1414,11 @@\n   * \n   *\u002F\n   public function log_detail(){\n+          check_ajax_referer('vx_crm_ajax','vx_crm_ajax');\n+      if(!current_user_can($this->id.'_read_logs')){\n+  esc_html_e('You do not have permissions to access this page','cf7-insightly');    \n+  return;\n+  }\n $log_id=$this->post('id');\n $log=$this->data->get_log_by_id($log_id); \n   $data=json_decode($log['data'],true);","The exploit targets administrative AJAX actions that lack permission checks. An authenticated attacker with Subscriber-level access first obtains a valid WordPress nonce (often leaked in script data or accessible via hidden input fields in the plugin's dashboard pages if they are visible). The attacker then sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`. 
By setting the 'action' parameter to a vulnerable callback like `log_detail_vxcf_insightly` or `update_feed_vxcf_insightly`, the attacker can retrieve sensitive log data or modify CRM integration settings, as the backend handler fails to verify if the user possesses administrative capabilities before executing the request logic.","gemini-3-flash-preview","2026-04-18 02:10:01","2026-04-18 02:10:38",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.1.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-insightly\u002Ftags\u002F1.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-insightly.1.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-insightly\u002Ftags\u002F1.1.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-insightly.1.1.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-insightly\u002Ftags"]