[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fneEu7V3rYWb4sxhGr4sH2IQUYNZXluOXeD1gr3rGx74":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-49769","wpforo-forum-unauthenticated-php-object-injection","wpForo Forum \u003C= 3.1.0 - Unauthenticated PHP Object Injection","The wpForo Forum plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.1.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","wpforo",null,"\u003C=3.1.0","3.1.1","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-04 00:00:00","2026-06-08 14:44:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa3902a32-2bb9-44bb-9dbd-3887f0b5be81?source=api-prod",5,[22,23,24,25,26,27],"admin\u002Fassets\u002F.DS_Store","admin\u002Fassets\u002Fcss\u002Fadmin.css","classes\u002FMembers.php","includes\u002Ffunctions.php","includes\u002Fhooks.php","readme.txt","researched",false,3,"This research plan outlines the steps to verify and exploit an unauthenticated PHP Object Injection vulnerability in the **wpForo Forum** plugin (version \u003C= 3.1.0).\n\n## 1. Vulnerability Summary\n- **Vulnerability:** Unauthenticated PHP Object Injection\n- **CVE ID:** CVE-2026-49769\n- **Affected Component:** `wpforo\\classes\\Members` class, specifically the `decode()` method and its interaction with member session\u002Fcookie handling.\n- **Sink:** `unserialize()` or `maybe_unserialize()` (inferred to be within the truncated portion of `classes\u002FMembers.php`).\n- **Source:** Untrusted user input provided via a cookie (likely `wpf_member_data` or `wpforo_member`) or a request parameter processed during the `init` hook sequence.\n- **Impact:** If a POP (Property-Oriented Programming) chain is present on the system (via other plugins\u002Fthemes or WordPress core), an attacker can achieve Remote Code Execution (RCE), arbitrary file deletion, or sensitive data retrieval.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Any WordPress frontend page (the vulnerability triggers during the `init` hook).\n- **Trigger Hook:** `add_action( 'init', function() { if( ! WPF()->current_userid ) $this->init_current_user(); } );` in `classes\u002FMembers.php`.\n- **Preconditions:**\n    - Plugin `wpForo Forum` version \u003C= 3.1.0 installed and active.\n    - An unauthenticated session (guest user).\n- **Payload Location:** A specific cookie (likely `wpforo_member`) that the plugin attempts to decode to restore guest session data.\n\n## 3. Code Flow Trace\n1.  **Initialization:** Upon any request, WordPress fires the `init` hook.\n2.  **Hook Execution:** The anonymous function registered in `wpforo\\classes\\Members::init_hooks()` executes.\n3.  **Condition Check:** If the user is not logged in (`! WPF()->current_userid`), it calls `$this->init_current_user()`.\n4.  **Session Restoration:** `init_current_user()` (inferred) checks for a session cookie (e.g., `$_COOKIE['wpforo_member']`) to identify the guest or restore \"fields\" data.\n5.  **Vulnerable Sink:** The data from the cookie is passed to `wpforo\\classes\\Members::decode($member)`.\n6.  **Deserialization:** Inside `decode()` (or a subsequent call to a metadata handler), the code performs `unserialize()` or `maybe_unserialize()` on keys within the member array (e.g., `$member['fields']`).\n\n## 4. Nonce Acquisition Strategy\nBecause the vulnerability resides in the `init` hook sequence used for session restoration of unauthenticated users, **no WordPress nonce is required** for the primary exploitation path. The code executes before nonce verification layers are typically reached.\n\n## 5. Exploitation Strategy\n\n### Step 1: Payload Generation\nSince no POP chain is present in wpForo itself, we will use a standard WordPress Core POP chain to demonstrate the vulnerability. We will use the `Requests_Utility_FilteredIterator` chain (present in WordPress \u003C 6.4) to trigger a function call.\n\n**Payload Concept:**\n```php\n\u002F\u002F Example: Triggering phpinfo() or a simple file write if a chain exists\n\u002F\u002F This is a conceptual payload for a common WP Core chain\n$object = new Requests_Utility_FilteredIterator([ 'phpinfo', '1' ], 'passthru');\n$serialized_payload = serialize($object);\n```\n\n### Step 2: Request Construction\nThe payload must be placed in the cookie that `init_current_user()` processes. We will use `wpforo_member` (common for this plugin version) and base64-encode the serialized string.\n\n**HTTP Request:**\n- **Method:** `GET`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002F`\n- **Headers:**\n    - `Cookie: wpforo_member=[BASE64_ENCODED_SERIALIZED_OBJECT]`\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Install wpForo version 3.1.0.\n2.  **Environment Check:** Ensure the environment is running a PHP version compatible with the plugin (>= 7.1).\n3.  **No Auth Required:** Ensure you are testing as a logged-out guest.\n\n## 7. Expected Results\n- **Success:** The application processes the cookie and triggers the deserialization. If using a POP chain like `Requests_Utility_FilteredIterator` with `phpinfo`, the output of `phpinfo()` should appear in the response, or the system should exhibit behavior corresponding to the injected object's magic methods (`__destruct`, `__wakeup`).\n- **Failure:** The page loads normally without executing the payload, or a 500 error occurs due to a malformed serialized string (indicating the sink was reached but the payload was invalid).\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the injection via:\n1.  **Server Logs:** Check for PHP errors related to `unserialize()` or class instantiation failures.\n2.  **Manual Check:** If the payload triggers a visible change (e.g., creating a file or modifying user meta), use `wp-cli` to verify:\n    ```bash\n    wp eval 'echo \"Target file exists: \" . (file_exists(\"pwned.txt\") ? \"Yes\" : \"No\");'\n    ```\n\n## 9. Alternative Approaches\nIf the cookie-based `init` path fails, investigate the following alternative entry points:\n- **AJAX Action:** `wp_ajax_nopriv_wpforo_get_member`. Check if this action accepts a `member` parameter that is passed to `decode()`.\n- **Parameter `wpfval`:** In some wpForo versions, URL parameters passed through the `wpfval()` helper were automatically deserialized if they appeared to be serialized strings. Test `\u002F?wpforo_member=[PAYLOAD]`.\n\n**Note:** If `wpforo_member` is not the correct cookie name, use `browser_navigate` to visit the forum and inspect the `Set-Cookie` headers or the `window.wpforo_obj` JavaScript object to find the exact cookie name used for guest session tracking.","gemini-3-flash-preview","2026-06-26 04:55:15","2026-06-26 04:57:19",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","3.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags"]