[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqL8OUr0mqmRw61X6LLj5Q_RHJFf1OOsl35wwLMM15ro":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8940","wp-meta-sort-posts-cross-site-request-forgery-to-plugin-settings-update","WP Meta Sort Posts \u003C= 0.9 - Cross-Site Request Forgery to Plugin Settings Update","The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to change the plugin's msp_loop_file and msp_nav_location settings via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","wp-meta-sort-posts",null,"\u003C=0.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-08 15:06:15","2026-06-09 03:41:17",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F06efa097-38dc-4499-b163-7a6254b25f72?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8940 (WP Meta Sort Posts)\n\n## 1. Vulnerability Summary\nThe **WP Meta Sort Posts** plugin (version \u003C= 0.9) contains a Cross-Site Request Forgery (CSRF) vulnerability in its settings management logic. The plugin handles the update of its configuration settings—specifically `msp_loop_file` and `msp_nav_location`—within the `msp-options.php` file. This file is included when the plugin's administration page is accessed. Because the code responsible for processing the update request does not implement WordPress nonce validation, an unauthenticated attacker can forge a request that, if executed by a logged-in administrator, will modify the plugin's settings.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint**: `\u002Fwp-admin\u002Foptions-general.php?page=wp-meta-sort-posts` (or the specific slug assigned to the plugin's settings menu).\n*   **Vulnerable Action**: A `POST` request to the settings page URL.\n*   **Payload Parameters**:\n    *   `msp_loop_file`: The value to be set for the loop file option.\n    *   `msp_nav_location`: The value to be set for the navigation location option.\n    *   `msp_submit` (or similar submit button identifier, inferred): Likely used to trigger the update logic.\n*   **Authentication Level**: CSRF requires the victim to be a logged-in Administrator.\n*   **Preconditions**: The attacker must trick an administrator into clicking a malicious link or visiting a site containing a cross-origin auto-submitting form.\n\n## 3. Code Flow (Inferred)\n1.  The main plugin file (`wp-meta-sort-posts.php`) uses `add_options_page()` to register a settings page.\n2.  The callback for this page includes the file `msp-options.php`.\n3.  At the top of `msp-options.php`, the code checks if the form has been submitted (e.g., `if ( isset($_POST['msp_submit']) )`).\n4.  The script proceeds to call `update_option( 'msp_loop_file', $_POST['msp_loop_file'] )` and `update_option( 'msp_nav_location', $_POST['msp_nav_location'] )`.\n5.  **Vulnerability Sink**: There is no call to `check_admin_referer()` or `wp_verify_nonce()` before these `update_option` calls.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, there is **missing** nonce validation. In a standard CSRF scenario involving missing validation:\n*   **No nonce is required** to execute the attack.\n*   The attacker does not need to extract any tokens from the site.\n*   The `http_request` tool should be used to send a `POST` request without any `_wpnonce` or security parameter.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated request can change the plugin settings by masquerading as an administrator.\n\n1.  **Preparation**: Identify the exact URL of the settings page. Based on the plugin slug `wp-meta-sort-posts`, it is typically found at `admin.php?page=wp-meta-sort-posts` or `options-general.php?page=wp-meta-sort-posts`.\n2.  **Request Construction**: Use the `http_request` tool to perform a `POST` request.\n3.  **Payload**:\n    ```http\n    POST \u002Fwp-admin\u002Foptions-general.php?page=wp-meta-sort-posts HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    msp_loop_file=pwned_loop.php&msp_nav_location=pwned_nav&msp_submit=Update+Options\n    ```\n4.  **Simulation**: The automated agent will act as the \"attacker\" sending the request, while the session context provided to `http_request` (if simulating an admin) will prove that the lack of a nonce allows the state-changing operation to succeed.\n\n## 6. Test Data Setup\n1.  **Plugin Installation**: Ensure `wp-meta-sort-posts` version 0.9 is installed and activated.\n2.  **Admin User**: Ensure a standard administrator user exists.\n3.  **Initial State**: Verify the default values for the options:\n    *   `wp option get msp_loop_file`\n    *   `wp option get msp_nav_location`\n\n## 7. Expected Results\n*   The server should return a `302 Redirect` (standard WordPress settings save behavior) or a `200 OK` showing the settings page with updated values.\n*   The database options `msp_loop_file` and `msp_nav_location` should reflect the values sent in the malicious `POST` request.\n\n## 8. Verification Steps\nAfter sending the `http_request`, use WP-CLI to confirm the change in the database:\n```bash\n# Check if the msp_loop_file was updated\nwp option get msp_loop_file\n\n# Check if the msp_nav_location was updated\nwp option get msp_nav_location\n```\nThe output should match the strings provided in the exploit payload (e.g., `pwned_loop.php`).\n\n## 9. Alternative Approaches\nIf the plugin uses a different entry point for saving settings:\n*   **Check for AJAX**: Search for `wp_ajax_` hooks in the source code using `grep -r \"wp_ajax_\" .`. If an AJAX handler exists for saving settings, target `wp-admin\u002Fadmin-ajax.php` with the appropriate `action` parameter.\n*   **Check for admin-post**: Search for `admin_post_` hooks. If found, target `wp-admin\u002Fadmin-post.php`.\n*   **Form Field Discovery**: If the parameter names `msp_loop_file` or `msp_nav_location` are slightly different, use `browser_navigate` to view the settings page and `browser_eval` to inspect the form input names: `browser_eval(\"Array.from(document.querySelectorAll('input')).map(i => i.name)\")`.","The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 0.9. This is due to missing nonce validation in the plugin's settings update logic in msp-options.php, allowing unauthenticated attackers to modify plugin configurations by tricking an administrator into submitting a forged request.","\u002F* wp-meta-sort-posts\u002Fmsp-options.php *\u002F\n\nif ( isset($_POST['msp_submit']) ) {\n    update_option( 'msp_loop_file', $_POST['msp_loop_file'] );\n    update_option( 'msp_nav_location', $_POST['msp_nav_location'] );\n}","--- wp-meta-sort-posts\u002Fmsp-options.php\n+++ wp-meta-sort-posts\u002Fmsp-options.php\n@@ -1,5 +1,6 @@\n \u003C?php\n if ( isset($_POST['msp_submit']) ) {\n+    check_admin_referer( 'msp_save_settings', 'msp_nonce' );\n     update_option( 'msp_loop_file', $_POST['msp_loop_file'] );\n     update_option( 'msp_nav_location', $_POST['msp_nav_location'] );\n }","The exploit targets the plugin's settings page, typically found at \u002Fwp-admin\u002Foptions-general.php?page=wp-meta-sort-posts. An attacker constructs a malicious page or link that, when visited by a logged-in administrator, triggers a cross-origin POST request. This request includes parameters for 'msp_loop_file' and 'msp_nav_location' along with a submit trigger. Because the plugin lacks nonce validation, the request successfully updates the plugin settings with the attacker-controlled values.","gemini-3-flash-preview","2026-06-26 02:10:11","2026-06-26 02:10:51",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-meta-sort-posts\u002Ftags"]