[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNEqox-F-7JRtytsjADkWJCwv140jMIDfnimMrMuZhBs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-9014","wp-promoter-missing-authorization-to-unauthenticated-statistics-reset-via-wpp-resetstats-ajax-action","WP Promoter \u003C= 1.3 - Missing Authorization to Unauthenticated Statistics Reset via wpp-reset_stats AJAX Action","The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The function is hooked to both the wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats actions and contains no authentication, authorization, or nonce validation. This makes it possible for unauthenticated attackers to reset the plugin's bar and popup statistics by deleting the wpp_bar and wpp_popup options.","wp-promoter",null,"\u003C=1.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-26 17:23:04","2026-05-27 05:31:30",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fce546f2e-5323-44b9-b980-5619f2db2944?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-9014 (WP Promoter)\n\n## 1. Vulnerability Summary\nThe **WP Promoter** plugin (\u003C= 1.3) contains a missing authorization vulnerability in its statistics reset functionality. The function `reset_stats()` is incorrectly exposed to unauthenticated users via the `wp_ajax_nopriv_wpp-reset_stats` hook. Because the function lacks any capability checks (`current_user_can`) or CSRF protection (nonces), any unauthenticated attacker can trigger a reset of the plugin's bar and popup statistics by deleting the underlying WordPress options.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `wpp-reset_stats`\n- **HTTP Method:** `POST` (standard for AJAX, though `GET` might also work depending on implementation)\n- **Parameters:** `action=wpp-reset_stats`\n- **Authentication:** None required (vulnerable via `nopriv` hook)\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\nBased on the vulnerability description, the execution flow is as follows:\n1. **Entry Point:** An HTTP request hits `admin-ajax.php` with the parameter `action=wpp-reset_stats`.\n2. **Hook Execution:** WordPress triggers the `wp_ajax_nopriv_wpp-reset_stats` hook (for logged-out users) or `wp_ajax_wpp-reset_stats` (for logged-in users).\n3. **Target Function:** The plugin's `reset_stats()` function (inferred) is called.\n4. **Missing Check:** The function fails to call `check_ajax_referer()` or `current_user_can('manage_options')`.\n5. **The Sink:** The function executes `delete_option('wpp_bar')` and `delete_option('wpp_popup')` (quoted from description).\n6. **Response:** The plugin likely exits using `wp_die()` or `wp_send_json_success()`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the `reset_stats()` function **contains no nonce validation**. \n- **Action String:** Not applicable.\n- **Bypass:** No bypass is necessary as the security check is entirely absent in the vulnerable versions.\n\n*Note: If testing reveals a nonce is actually present but the description was slightly inaccurate, the agent should search for `wp_localize_script` in the plugin source to identify the JS variable name (likely something like `wpp_vars` or `wpp_ajax`) and use `browser_eval` to extract it.*\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated request can successfully delete the statistics options.\n\n### Step-by-step Plan:\n1. **Prepare Request:** Construct a POST request to the AJAX endpoint.\n2. **Execute Request:** Use `http_request` to send the payload.\n3. **Payload Structure:**\n   - **URL:** `{{base_url}}\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method:** `POST`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:** `action=wpp-reset_stats`\n\n## 6. Test Data Setup\nTo verify the impact, we must first ensure the statistics options exist and contain data.\n1. **Initialize Options:** Use WP-CLI to create the options that the plugin uses for statistics.\n   ```bash\n   wp option update wpp_bar '{\"views\": 100, \"clicks\": 50}' --format=json\n   wp option update wpp_popup '{\"views\": 200, \"clicks\": 75}' --format=json\n   ```\n2. **Confirm Setup:**\n   ```bash\n   wp option get wpp_bar\n   wp option get wpp_popup\n   ```\n\n## 7. Expected Results\n- **HTTP Response:** The server should return a `200 OK` status. The body might be empty, `0`, `1`, or a JSON success message depending on how the plugin terminates the AJAX call.\n- **Database State:** The options `wpp_bar` and `wpp_popup` should no longer exist in the `wp_options` table (or should be reset to default\u002Fempty values).\n\n## 8. Verification Steps\nAfter the `http_request` tool completes, verify the deletion using WP-CLI:\n1. **Check Options:**\n   ```bash\n   wp option get wpp_bar\n   wp option get wpp_popup\n   ```\n2. **Success Criteria:** If WP-CLI returns an error like `Error: Could not get 'wpp_bar' option.`, the exploit is successful because the unauthenticated request triggered the `delete_option()` call.\n\n## 9. Alternative Approaches\n- **Method Variation:** If `POST` fails, attempt a `GET` request: `\u002Fwp-admin\u002Fadmin-ajax.php?action=wpp-reset_stats`.\n- **Parameter Variation:** If the options are not deleted, check the source code for a specific \"type\" parameter (e.g., `action=wpp-reset_stats&type=bar`) that might be required to target a specific option, though the description implies both are deleted.\n- **Capability Check Verification:** Attempt the request with a low-privileged user (Subscriber) to confirm that no capability checks are enforced for any level of user.","The WP Promoter plugin for WordPress (versions \u003C= 1.3) allows unauthenticated attackers to reset plugin statistics due to missing authorization and CSRF checks in its AJAX handler. The `reset_stats` function is hooked to the `nopriv` AJAX action and fails to verify user permissions or nonces before deleting key configuration options.","\u002F\u002F File: wp-promoter.php (inferred from plugin slug)\n\nadd_action( 'wp_ajax_wpp-reset_stats', 'reset_stats' );\nadd_action( 'wp_ajax_nopriv_wpp-reset_stats', 'reset_stats' );\n\nfunction reset_stats() {\n    delete_option('wpp_bar');\n    delete_option('wpp_popup');\n    wp_die();\n}","--- wp-promoter.php\n+++ wp-promoter.php\n@@ -1,6 +1,9 @@\n add_action( 'wp_ajax_wpp-reset_stats', 'reset_stats' );\n-add_action( 'wp_ajax_nopriv_wpp-reset_stats', 'reset_stats' );\n \n function reset_stats() {\n+    check_ajax_referer( 'wpp-reset-stats-nonce', 'nonce' );\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( -1 );\n+    }\n     delete_option('wpp_bar');\n     delete_option('wpp_popup');\n     wp_die();","To exploit this vulnerability, an unauthenticated attacker can send a crafted POST request to the WordPress AJAX endpoint. \n\n1. Target Endpoint: \u002Fwp-admin\u002Fadmin-ajax.php\n2. Authentication: None required.\n3. Method: POST\n4. Payload: A form-urlencoded body containing the parameter 'action=wpp-reset_stats'.\n5. Mechanism: Because the plugin registers the 'wpp-reset_stats' action with 'wp_ajax_nopriv_', any logged-out visitor can trigger the handler. Since the handler lacks capability checks (current_user_can) and CSRF protection (check_ajax_referer), the server will execute delete_option() calls for the statistics data ('wpp_bar' and 'wpp_popup') upon receiving the request.","gemini-3-flash-preview","2026-06-04 19:03:21","2026-06-04 19:03:49",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-promoter\u002Ftags"]