[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foBe0HqjnM_0Uch2hOCt22mBOe03kcclQrJjy5KKN2v0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1671","activity-log-for-wordpress-missing-authorization-to-sensitive-information-exposure-via-log-file","Activity Log for WordPress \u003C= 1.2.8 - Missing Authorization to Sensitive Information Exposure via Log File","The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, and including, 1.2.8. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to view potentially sensitive information (e.g., the password of a higher level user, such as an administrator) contained in the exposed log files.","winterlock",null,"\u003C=1.2.8","1.2.9","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Missing Authorization","2026-02-11 23:45:46","2026-02-12 12:31:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5cec4c17-24c1-4ed3-a3d3-9404ad7af420?source=api-prod",1,[],"researched",false,3,"This research plan targets CVE-2026-1671, a missing authorization vulnerability in the **Activity Log for WordPress (winterlock)** plugin. The vulnerability allows Subscriber-level users to access sensitive activity logs, which may contain sensitive data such as plain-text passwords or administrative actions.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization \u002F Sensitive Information Exposure\n*   **Plugin:** Activity Log for WordPress (winterlock)\n*   **Affected Versions:** \u003C= 1.2.8\n*   **Vulnerable Function:** `winter_activity_log_action()`\n*   **File Path:** `winter-activity-log.php` (inferred) or `includes\u002Fclass-winter-activity-log-admin.php` (inferred)\n*   **Description:** The function `winter_activity_log_action()` handles requests to retrieve or download activity log files. It fails to verify if the requesting user has administrative capabilities (e.g., `manage_options`) and does not properly restrict access to the file download\u002Fviewing mechanism, allowing any authenticated user (Subscriber+) to read the logs.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `winter_activity_log_action`\n*   **HTTP Method:** POST or GET (usually POST for AJAX)\n*   **Parameters:**\n    *   `action`: `winter_activity_log_action`\n    *   `winter_activity_log_nonce`: (The nonce name, inferred from standard plugin naming)\n    *   `method`: Likely used to specify the operation, e.g., `download_log` or `view_log` (inferred).\n*   **Authentication:** Subscriber-level credentials.\n*   **Preconditions:** The plugin must have generated at least one log file.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the AJAX action:\n    `add_action( 'wp_ajax_winter_activity_log_action', 'winter_activity_log_action' );`\n2.  **Execution:** When a Subscriber calls this action, `winter_activity_log_action()` is executed.\n3.  **Missing Check:** The function likely checks a nonce but fails to call `current_user_can( 'manage_options' )`.\n4.  **Log Access:** The function identifies the path to the log file (often stored in `wp-content\u002Fuploads\u002Fwinter-logs\u002F` or similar) and either:\n    *   Outputs the file content directly using `readfile()`.\n    *   Returns a direct URL to the log file which is otherwise protected by `.htaccess` but accessible via the PHP script.\n5.  **Sensitive Data:** The logs contain details of user logins, profile updates, and settings changes. If the plugin logs the `$_POST` array during these events, it may include passwords.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely localizes a nonce for the admin dashboard. Since Subscribers can access `wp-admin\u002Fprofile.php` or the dashboard, they can retrieve it.\n\n1.  **Identify Shortcode\u002FPage:** Check if the plugin enqueues scripts on all admin pages.\n2.  **Navigation:** Log in as a Subscriber and navigate to `\u002Fwp-admin\u002Findex.php`.\n3.  
**Extraction:**\n    *   Look for `wp_localize_script` output in the HTML source.\n    *   Common variable names: `winterlock_params`, `winter_activity_log_obj`.\n    *   **JS Command:** `browser_eval(\"window.winterlock_params?.nonce\")` or `browser_eval(\"window.winter_activity_log_obj?.nonce\")`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Authentication\nLogin as a Subscriber user using the `http_request` tool to obtain session cookies.\n\n#### Step 2: Nonce Extraction\nNavigate to the WordPress dashboard and extract the nonce using `browser_eval`.\n\n#### Step 3: Trigger Log Exposure\nSend an AJAX request to retrieve the log content.\n\n**Request Template:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=winter_activity_log_action&winter_activity_log_nonce=[NONCE]&method=download_log\n    ```\n    *(Note: The parameter `method` and its value `download_log` are inferred based on common patterns; the agent should check the source for the exact parameter name like `log_action` or `sub_action`.)*\n\n#### Step 4: Parse Sensitive Data\nInspect the response body. Look for logged entries related to user logins or profile updates.\nExample log format: `[Date] [User] [Action] [Data: {\"user_pass\": \"...\"}]`\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Activity Log for WordPress \u003C= 1.2.8.\n2.  **Create Users:**\n    *   Administrator: `admin_user` \u002F `admin_password123`\n    *   Subscriber: `sub_user` \u002F `sub_password123`\n3.  **Generate Activity:**\n    *   As Administrator, go to \"Settings\" and change a value.\n    *   As Administrator, create a new user or update your own profile. This ensures the log file is populated with \"sensitive\" data.\n4.  
**Plugin Config:** Ensure \"Log POST Data\" or similar is enabled if the plugin offers it, as this is the primary source of the \"password\" exposure mentioned in the description.\n\n### 7. Expected Results\n*   The `admin-ajax.php` request returns a `200 OK` status.\n*   The response body contains the raw contents of an activity log file.\n*   The log file contains details of actions performed by the Administrator, which should be invisible to a Subscriber.\n\n### 8. Verification Steps\n1.  **Verify via WP-CLI:**\n    *   Locate the uploads directory and check that the log file exists on disk: `wp eval \"echo wp_upload_dir()['basedir'] . '\u002Fwinter-logs';\"` (path discovery; the `winter-logs` subdirectory name is inferred).\n    *   Compare the content received via the AJAX exploit with the content on disk: `cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fwinter-logs\u002Factivity.log`.\n2.  **Confirm Lack of Auth:**\n    *   Search the plugin code for the AJAX handler: `grep -r \"winter_activity_log_action\" .`\n    *   Confirm the absence of `current_user_can` within the function body.\n\n### 9. Alternative Approaches\n*   **Direct Path Traversal:** If the `method` parameter takes a filename, check for path traversal (e.g., `..\u002F..\u002F..\u002F..\u002Fwp-config.php`).\n*   **Log Export Action:** If there is an \"Export to CSV\" feature, it might use a different action like `winter_activity_log_export`.\n*   **Frontend Exposure:** Check if the plugin registers `wp_ajax_nopriv_winter_activity_log_action`, which would upgrade this to an Unauthenticated Information Exposure (though the CVE states Subscriber+).","The Activity Log for WordPress plugin fails to perform a capability check in its winter_activity_log_action() AJAX handler, which allows authenticated users with Subscriber-level access to download or view activity logs. 
These logs can contain sensitive information, including user activity details and potentially administrative passwords captured during profile updates or settings changes.","\u002F\u002F File: winter-activity-log.php (or includes\u002Fclass-winter-activity-log-admin.php)\n\u002F\u002F The plugin registers the AJAX action for authenticated users without checking capabilities\nadd_action( 'wp_ajax_winter_activity_log_action', 'winter_activity_log_action' );\n\nfunction winter_activity_log_action() {\n    \u002F\u002F A nonce check is likely present, but it does not restrict access by user role\n    if ( ! isset( $_POST['winter_activity_log_nonce'] ) || ! wp_verify_nonce( $_POST['winter_activity_log_nonce'], 'winter_activity_log_action' ) ) {\n        wp_die( 'Security check failed' );\n    }\n\n    \u002F\u002F Missing: if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }\n\n    $method = isset( $_POST['method'] ) ? sanitize_text_field( $_POST['method'] ) : '';\n    \n    if ( $method === 'download_log' ) {\n        $log_file = WINTERLOCK_LOG_DIR . '\u002Factivity.log';\n        if ( file_exists( $log_file ) ) {\n            header('Content-Description: File Transfer');\n            header('Content-Type: application\u002Foctet-stream');\n            header('Content-Disposition: attachment; filename=\"'.basename($log_file).'\"');\n            readfile( $log_file );\n            exit;\n        }\n    }\n}","--- a\u002Fincludes\u002Fclass-winter-activity-log-admin.php\n+++ b\u002Fincludes\u002Fclass-winter-activity-log-admin.php\n@@ -10,6 +10,10 @@\n function winter_activity_log_action() {\n     check_ajax_referer( 'winter_activity_log_nonce', 'security' );\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+    }\n+\n     $method = isset( $_POST['method'] ) ? 
sanitize_text_field( $_POST['method'] ) : '';\n \n     if ( $method === 'download_log' ) {","To exploit this vulnerability, an attacker must first authenticate as a Subscriber. They then navigate to any administrative page (e.g., \u002Fwp-admin\u002Fprofile.php) to extract the security nonce (usually named 'winter_activity_log_nonce' or found within 'winterlock_params') from the page source. Using this nonce, the attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the parameters 'action=winter_activity_log_action', the extracted nonce, and 'method=download_log'. If successful, the server responds with the contents of the activity log file, which may reveal sensitive administrative data.","gemini-3-flash-preview","2026-04-21 00:15:06","2026-04-21 00:15:29",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.2.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwinterlock\u002Ftags\u002F1.2.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwinterlock.1.2.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwinterlock\u002Ftags"]