[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIDPyTWFywo6Mo2X5oJWJot2_pdPHA1_cwYdvsZkNEm0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39610","wpxmas-snow-missing-authorization","WpXmas-Snow \u003C= 1.1 - Missing Authorization","The WpXmas-Snow plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wpxmas-snow",null,"\u003C=1.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-07 00:00:00","2026-04-15 21:17:28",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbfba1c2c-6679-4c6c-95fd-bae391e6aa0b?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-39610 (WpXmas-Snow)\n\n## 1. Vulnerability Summary\nThe **WpXmas-Snow** plugin for WordPress (versions \u003C= 1.1) contains a **Missing Authorization** vulnerability. The plugin registers functionality—likely via AJAX or an initialization hook—that allows unauthenticated users to perform actions that should be restricted to administrators (such as modifying plugin settings). This occurs because the vulnerable function lacks a `current_user_can()` capability check.\n\n## 2. Attack Vector Analysis\n* **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (Most likely, given the \"Missing Authorization\" description for this type of plugin).\n* **Action:** Likely related to saving or resetting settings (e.g., `wpxmas_snow_save_settings` or `save_wpxmas_settings`).\n* **Parameter:** A settings array or individual configuration options (e.g., `snow_color`, `snow_type`, `enabled`).\n* **Authentication:** None required (Unauthenticated).\n* **Preconditions:** The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1. The plugin registers an AJAX handler using `add_action('wp_ajax_nopriv_...')` or registers a handler for `wp_ajax_...` but fails to verify privileges within the callback.\n2. The callback function (e.g., `wpxmas_snow_settings_callback`) is invoked.\n3. Inside the function, there is no call to `current_user_can('manage_options')`.\n4. The function takes input from `$_POST` and calls `update_option()` to modify the plugin's configuration in the database.\n\n## 4. Nonce Acquisition Strategy\nIf the plugin uses `check_ajax_referer` or `wp_verify_nonce`, we must locate where the nonce is generated and exposed.\n\n1. **Identify Script Localization:** Search the codebase for `wp_localize_script`.\n * `grep -r \"wp_localize_script\" .`\n2. **Identify the Variable:** Look for the object name and the nonce key (e.g., `wpxmas_ajax.nonce`).\n3. **Find the Trigger:** Determine which page loads the script. It is likely the frontend homepage if the plugin adds snow to all pages.\n4. **Extract via Browser:**\n * Navigate to the homepage: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002F\")`.\n * Execute JS to retrieve the nonce: `browser_eval(\"window.wpxmas_ajax?.nonce\")` (Replace `wpxmas_ajax` and `nonce` with the actual identifiers found in Step 1).\n5. **Bypass Check:** Check if `check_ajax_referer` is called with the third parameter as `false` (meaning it doesn't die on failure), or if the return value is ignored.\n\n## 5. Exploitation Strategy\n1. **Discovery:** Use `grep` to find the vulnerable AJAX action and parameters.\n * `grep -r \"wp_ajax_nopriv\" .`\n * Identify the function name and examine its content for `update_option`.\n2. **Payload Construction:** Prepare a POST request to `admin-ajax.php`.\n * **Action:** Found in step 1 (e.g., `action=wpxmas_save_settings`).\n * **Data:** Settings to change (e.g., `wpxmas_snow_enabled=0` to disable the plugin's effect site-wide, or injecting a value that proves control).\n3. **Request:** Use `http_request`.\n ```javascript\n \u002F\u002F Example (parameters to be adjusted based on discovery)\n await http_request({\n url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n method: \"POST\",\n headers: { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" },\n body: \"action=VULNERABLE_ACTION&nonce=EXTRACTED_NONCE&setting_key=malicious_value\"\n });\n ```\n\n## 6. Test Data Setup\n1. **Install\u002FActivate:** Ensure `wpxmas-snow` version 1.1 is installed and active.\n2. **Initial State:** Configure the plugin as an admin to \"Enabled\" so the change is visible.\n3. **Public Page:** If a nonce is required, ensure a public post\u002Fpage exists where the plugin's scripts are enqueued.\n\n## 7. Expected Results\n* **Response:** The AJAX endpoint returns a success indicator (e.g., `1`, `{\"success\":true}`, or `0` if successful but poorly coded).\n* **Database Impact:** The WordPress `options` table will be updated with the value provided by the unauthenticated attacker.\n* **Frontend Impact:** The snow effect settings change (e.g., color changes or snow stops falling).\n\n## 8. Verification Steps\n1. **Check Option Value:** Use WP-CLI to verify the option has changed.\n * `wp option get wpxmas_snow_settings` (Verify the exact option name in the source code via `update_option`).\n2. **Check Settings Page:** Log in as admin and verify the settings reflected in the plugin's dashboard match the payload.\n\n## 9. Alternative Approaches\n* **REST API:** If no AJAX hooks are found, check for `register_rest_route` calls that lack a `permission_callback` or return `true` for it.\n* **Admin Init:** Check for `add_action('admin_init', ...)` handlers that process `$_POST` or `$_GET` without checking `is_admin()` (remember `admin_init` runs on `admin-ajax.php`).\n* **Direct Option Update:** If the plugin uses the Settings API incorrectly, it might be possible to update options via `options.php` if a nonce for a different settings group can be obtained.","The WpXmas-Snow plugin for WordPress is vulnerable to unauthorized modification of settings in versions up to and including 1.1. This is due to a missing capability check in an AJAX handler, which allows unauthenticated attackers to change the plugin's configuration parameters via the admin-ajax.php endpoint.","The exploit targets the WordPress AJAX endpoint to perform unauthorized actions. 1. Identify the specific AJAX action used by the plugin to save or reset settings (likely registered via wp_ajax_nopriv_). 2. If a nonce is required for the request, extract it from the site's frontend by inspecting the HTML or localized JavaScript objects (e.g., using window.wpxmas_ajax.nonce). 3. Construct a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the vulnerable hook and body parameters containing the desired malicious configuration values. 4. Execute the request unauthenticated; the plugin will process the update via update_option() without verifying if the user has the 'manage_options' capability.","gemini-3-flash-preview","2026-04-21 03:19:34","2026-04-21 03:19:48",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpxmas-snow\u002Ftags"]