[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFoLGeV6O5mTKMYWykMJSBjOTQKiz1JLhr8t7iGG-9wg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-32363","wplifecycle-missing-authorization","WPLifeCycle \u003C= 3.3.1 - Missing Authorization","The WPLifeCycle plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","free-php-version-info",null,"\u003C=3.3.1","4.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-15 00:00:00","2026-04-15 20:51:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F04013d96-d1b2-4d97-ad10-c2739eb9bc30?source=api-prod",60,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32363 (WPLifeCycle Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **WPLifeCycle** plugin (versions \u003C= 3.3.1) is vulnerable to **Missing Authorization**. The vulnerability exists because certain functions registered as AJAX handlers (or via other hooks) do not implement `current_user_can()` checks. This allows unauthenticated users to perform actions intended only for administrators. Given the CVSS vector `CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N`, the impact is limited to **Low Integrity**, suggesting an attacker can modify specific plugin settings or site options without being logged in.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** Likely a hook registered with `wp_ajax_nopriv_` (to allow unauthenticated access) that performs a state-changing operation (e.g., `update_option`).\n*   **Parameter:** An `action` parameter in a POST request, along with whatever data the vulnerable function expects (e.g., `setting_name`, `value`).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin `free-php-version-info` must be active.\n\n## 3. Code Flow (Inferred - Subject to verification by Agent)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `wp-admin\u002Fadmin-ajax.php?action=[VULNERABLE_ACTION]`.\n2.  **Hook Registration:** The plugin likely contains code similar to:\n    ```php\n    add_action('wp_ajax_nopriv_wpl_save_settings', 'wpl_save_settings_callback');\n    add_action('wp_ajax_wpl_save_settings', 'wpl_save_settings_callback');\n    ```\n3.  **Vulnerable Callback:** The callback function (e.g., `wpl_save_settings_callback`) likely processes `$_POST` data and calls `update_option()` or `set_transient()` without checking:\n    -   `current_user_can('manage_options')`\n    -   A valid WordPress nonce (via `check_ajax_referer`)\n4.  **Sink:** The `update_option()` function is called, modifying the database.\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable function uses `check_ajax_referer` or `wp_verify_nonce`, a nonce must be extracted.\n1.  **Identify Shortcodes\u002FPages:** Search the plugin for `add_shortcode`. If the plugin displays PHP info on the frontend, it may enqueue scripts there.\n2.  **Locate Nonce Localization:** Search for `wp_localize_script`. Common keys might be `wpl_ajax` or `wplifecycle_obj`.\n    -   *Example Search:* `grep -r \"wp_localize_script\" .`\n3.  **Extraction Process:**\n    -   Create a page containing the plugin's shortcode: `wp post create --post_type=page --post_status=publish --post_content='[wplifecycle_info]'` (shortcode name is inferred).\n    -   Navigate to the page using `browser_navigate`.\n    -   Use `browser_eval` to find the nonce: `browser_eval(\"window.wpl_ajax_obj?.nonce\")` (variable name is inferred).\n\n**Note:** If the vulnerability is \"Missing Authorization,\" it is highly probable that even if a nonce is present, the **capability check** is missing. If the nonce is also missing or the handler uses `wp_ajax_nopriv_` without checking the result of `check_ajax_referer(..., ..., false)`, exploitation is trivial.\n\n## 5. Exploitation Strategy\nThe agent will follow these steps:\n1.  **Discovery:** Run `grep -rn \"wp_ajax_nopriv\" wp-content\u002Fplugins\u002Ffree-php-version-info\u002F` to identify the specific action name.\n2.  **Payload Identification:** Inspect the identified callback function to see which parameters it accepts. Look for `update_option`, `delete_option`, or `update_user_meta`.\n3.  **Request Construction:** Send a POST request using `http_request`.\n    -   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    -   **Method:** POST\n    -   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    -   **Body:** `action=[FOUND_ACTION]&[PARAM]=[VALUE]`\n4.  **Target Setting:** Aim to modify a setting that is visible in the WordPress admin or affects site behavior (e.g., changing a \"dismissed notice\" flag or a plugin-specific configuration).\n\n## 6. Test Data Setup\n1.  **Install\u002FActivate Plugin:** Ensure `free-php-version-info` version 3.3.1 is installed and active.\n2.  **Initial State Check:** Record the current value of the targeted option using WP-CLI.\n    -   *Command:* `wp option get [target_option_name]`\n\n## 7. Expected Results\n*   **Response:** The HTTP request to `admin-ajax.php` should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **Database Change:** The targeted option in the `wp_options` table should be updated to the attacker-supplied value.\n\n## 8. Verification Steps\n1.  **WP-CLI Verification:** After the exploit attempt, verify the change in the database.\n    -   *Command:* `wp option get [target_option_name]`\n2.  **State Comparison:** Compare this value against the initial state recorded in Step 6. If they differ and match the payload, the exploit is successful.\n\n## 9. Alternative Approaches\n*   **Settings Loophole:** If the plugin uses a generic `save_settings` function that takes an array of options, try to overwrite core WordPress options (e.g., `users_can_register`) if the plugin doesn't whitelist which options can be updated.\n*   **REST API:** Check if the plugin also registers REST API routes without `permission_callback` by searching for `register_rest_route`.\n*   **Init-based handling:** If no AJAX actions are found, search for `add_action('init', ...)` or `add_action('admin_init', ...)` that checks for a specific `$_GET` or `$_POST` parameter without checking capabilities.","gemini-3-flash-preview","2026-04-20 22:12:14","2026-04-20 22:12:36",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffree-php-version-info\u002Ftags"]