[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fycYPsqjQPuGatSO9XHE5zZNgzuH-3XaSP0JfR8jwPuY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-24605","x-addons-for-elementor-missing-authorization","X Addons for Elementor \u003C= 1.0.23 - Missing Authorization","The X Addons for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.23. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","x-addons-elementor",null,"\u003C=1.0.23","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-14 06:04:35","2026-02-03 13:44:42",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa683eeac-70a1-449c-b0ae-b28b3ef4c795?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-24605\n\n## 1. Vulnerability Summary\nThe **X Addons for Elementor** plugin (versions \u003C= 1.0.23) contains a missing authorization vulnerability. 
Specifically, one or more functions registered via WordPress AJAX handlers (`wp_ajax_`) fail to perform capability checks (e.g., `current_user_can()`). While these functions are intended for administrative use (such as updating plugin settings or toggling features), they are accessible to any authenticated user with at least **Contributor** level permissions. This allows an attacker to modify plugin configurations or perform unauthorized administrative actions.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **HTTP Method:** `POST`\n- **Vulnerable Action:** `x_addons_save_settings` or `x_addons_elements_save` (inferred based on plugin functionality; to be verified by the agent).\n- **Required Parameter:** `action`, `nonce`, and the settings payload (e.g., `elements[]` or `settings[]`).\n- **Authentication:** Authenticated user with **Contributor** role.\n- **Precondition:** The attacker must obtain a valid nonce for the specific AJAX action.\n\n## 3. Code Flow\n1. **Hook Registration:** The plugin registers AJAX actions in the main plugin class or an admin initialization class (likely `includes\u002Fadmin\u002Fclass-admin.php` or `classes\u002Fclass-x-addons-elementor.php`).\n   - *Code Pattern (inferred):* `add_action( 'wp_ajax_x_addons_save_settings', [ $this, 'save_settings_callback' ] );`\n2. **Callback Execution:** When a Contributor sends a POST request to `admin-ajax.php` with the action `x_addons_save_settings`, WordPress invokes the registered callback function.\n3. **Missing Check:** The callback function likely verifies a nonce using `check_ajax_referer()` or `wp_verify_nonce()` but fails to check the user's capabilities.\n   - *Vulnerable Pattern (inferred):*\n     ```php\n     public function save_settings_callback() {\n         check_ajax_referer( 'x_addons_nonce', 'security' ); \u002F\u002F Nonce check only\n         \u002F\u002F MISSING: if ( ! 
current_user_can( 'manage_options' ) ) wp_die();\n         $settings = $_POST['settings'];\n         update_option( 'x_addons_settings', $settings );\n         wp_send_json_success();\n     }\n     ```\n4. **Unauthorized Sink:** User-controlled input is passed to `update_option()` or similar, modifying the site's configuration.\n\n## 4. Nonce Acquisition Strategy\nContributors can access the WordPress dashboard (`\u002Fwp-admin\u002F`). The plugin likely localizes the nonce for its admin settings page.\n\n1. **Identification:** Search for `wp_localize_script` in the plugin code to find where the nonce is exposed.\n   - *Target File:* `includes\u002Fadmin\u002Fclass-admin.php` (inferred)\n   - *Target Identifier:* Search for `nonce` or `security`.\n2. **Shortcode\u002FPage Setup:** If the nonce is only loaded on specific plugin pages, the Contributor can still access those pages if the `add_menu_page` or `add_submenu_page` also lacks strict capability checks, or they can simply navigate to the settings page URL directly.\n3. **Extraction:**\n   - Log in as **Contributor**.\n   - Navigate to `\u002Fwp-admin\u002Fadmin.php?page=x-addons-settings` (inferred slug).\n   - Use `browser_eval` to extract the nonce.\n   - *JS Variable (inferred):* `window.x_addons_admin?.nonce` or `window.XAddonsConfig?.nonce`.\n\n## 5. Exploitation Strategy\n1. **Identify Vulnerable Action:**\n   - Execute: `grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fx-addons-elementor\u002F`\n   - Examine the callbacks for those missing `current_user_can`.\n2. **Log in as Contributor:** Use the `wp_cli` to create a contributor and capture session cookies.\n3. **Acquire Nonce:** Use Playwright to navigate to the plugin's admin settings page and extract the nonce value via `browser_eval`.\n4. **Craft Payload:**\n   - Identify the option name being updated (e.g., `x_addons_elements_status`).\n   - Construct a POST request to disable critical security-related elements or enable all features.\n5. 
**Execute HTTP Request:**\n   ```http\n   POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n   Content-Type: application\u002Fx-www-form-urlencoded\n\n   action=x_addons_save_settings&security=[NONCE]&settings[some_critical_option]=malicious_value\n   ```\n   *(Actual parameters must be determined by the agent after inspecting the callback function code).*\n\n## 6. Test Data Setup\n1. **Target Plugin:** Install `x-addons-elementor` version 1.0.23.\n2. **Attacker User:**\n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3. **Baseline State:** Ensure plugin features are in their default state.\n\n## 7. Expected Results\n- The AJAX request should return a `200 OK` response with a JSON success body (`{\"success\":true}`).\n- The WordPress option (e.g., `x_addons_settings`) should be updated in the database despite the request coming from a Contributor.\n\n## 8. Verification Steps\n1. **Database Check:** Use WP-CLI to verify the option has changed.\n   - `wp option get x_addons_settings`\n2. **UI Check:** Navigate to the plugin settings page as an administrator and verify the settings reflect the changes made by the Contributor.\n\n## 9. Alternative Approaches\n- **Feature Toggling:** If `x_addons_save_settings` is not the specific action, look for `x_addons_elements_save` which might control which Elementor widgets are active. 
Enabling\u002Fdisabling widgets can lead to DoS or bypass certain frontend restrictions.\n- **Generic Action:** Check if there is a generic action dispatcher (e.g., `action=x_addons_common`) that takes a `sub_action` parameter, which is a common pattern in Elementor addon plugins.\n- **REST API:** Check if the plugin registers any REST routes (`register_rest_route`) without a `permission_callback`, as \"Missing Authorization\" often applies to REST endpoints as well.","The X Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of settings due to a missing capability check in its AJAX handling functions. This allows authenticated attackers with Contributor-level permissions or higher to change plugin configurations by bypassing intended administrative restrictions.","--- a\u002Fincludes\u002Fadmin\u002Fclass-admin.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-admin.php\n@@ -10,6 +10,10 @@\n public function save_settings_callback() {\n     check_ajax_referer( 'x_addons_nonce', 'security' );\n+\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => 'Unauthorized' ) );\n+    }\n+\n     $settings = $_POST['settings'];\n     update_option( 'x_addons_settings', $settings );\n     wp_send_json_success();","1. Authenticate to the WordPress site as a user with Contributor-level permissions.\n2. Access the WordPress admin dashboard and locate the AJAX security nonce (e.g., x_addons_nonce) localized in the plugin's admin scripts or page source.\n3. Construct a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action parameter set to the vulnerable handler (likely x_addons_save_settings or x_addons_elements_save).\n4. Include the retrieved nonce in the security parameter and the desired configuration changes in the settings or elements parameter.\n5. 
Execute the request to modify the plugin's configuration options without administrative authorization.","gemini-3-flash-preview","2026-05-05 09:38:53","2026-05-05 09:39:20",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fx-addons-elementor\u002Ftags"]
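Review bot: the `current_user_can( 'manage_options' )` check added to `save_settings_callback()` in this hunk closes the authorization gap and `wp_send_json_error()` halts execution, but the unchanged lines below it still pass `$_POST['settings']` straight into `update_option( 'x_addons_settings', ... )` with no `isset()` check and no validation or sanitization of the submitted array. Suggest reading the parameter defensively and restricting it to the plugin's known setting keys before saving, e.g. `$settings = isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ? $_POST['settings'] : array();` followed by per-key sanitization (such as `sanitize_text_field()` or a boolean cast), and returning `wp_send_json_error()` when the parameter is missing, so an administrator session cannot store arbitrary nested data in the option either.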