[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsgFEbSh6q07jQWXWxrr-Esxcge2oM0i1mhWO3-ikg8Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-24987","activity-log-for-wordpress-missing-authorization","Activity Log for WordPress \u003C= 1.2.7 - Missing Authorization","The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","winterlock",null,"\u003C=1.2.7","1.2.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-17 00:00:00","2026-03-27 20:25:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faa93cf13-0578-447e-8b03-24f5f48fc782?source=api-prod",11,[22,23,24,25,26,27,28,29],"README.txt","application\u002Fcontrollers\u002FWal_cloudintegration.php","application\u002Fcontrollers\u002FWal_controlsecurity.php","application\u002Fcontrollers\u002FWal_disabledlogs.php","application\u002Fcontrollers\u002FWal_history.php","application\u002Fcontrollers\u002FWal_logalerts.php","application\u002Fcontrollers\u002FWal_reports.php","application\u002Fcontrollers\u002FWal_usersessions.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-24987 (Activity Log for WordPress)\n\n## 1. Vulnerability Summary\nThe **Activity Log for WordPress (winterlock)** plugin \u003C= 1.2.7 suffers from a **Missing Authorization** vulnerability. The plugin uses a custom MVC framework (Winter MVC) where controller methods are mapped to `admin.php` pages via the `page` and `function` query parameters. Multiple sensitive functions in controllers like `Wal_history`, `Wal_reports`, and `Wal_cloudintegration` lack capability checks (`current_user_can` or the plugin's internal `wal_access_allowed`) and nonce verification. This allows authenticated users with Subscriber-level access to perform unauthorized actions, such as modifying log favorites or creating system reports.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin.php`\n- **Query Parameters**: \n    - `page`: The controller slug (e.g., `wal_history`, `wal_reports`).\n    - `function`: The method to execute (e.g., `save_history`, `report_edit`).\n- **Required Role**: Subscriber (or any authenticated user).\n- **Nonce**: None required for the vulnerable methods identified.\n- **Payload**:\n    - For `save_history`: `id` (the ID of the activity log entry).\n    - For `report_edit`: POST parameters like `report_name`, `report_email`, etc.\n\n## ","The Activity Log for WordPress plugin (winterlock) lacks capability checks and nonce verification on numerous controller methods exposed through its custom MVC routing. This allows authenticated attackers with Subscriber-level permissions to perform unauthorized actions such as modifying log records, creating\u002Fediting system reports, and accessing sensitive log data via AJAX-style datatable endpoints.","\u002F\u002F application\u002Fcontrollers\u002FWal_history.php lines 61-68\n\tpublic function save_history()\n\t{\n        $this->load->model('History_m');\n\n        $id = $this->input->post_get('id');\n\n        $this->history_m->update(array('is_favourite'=>1), $id);\n\n        exit();\n    }\n\n---\n\n\u002F\u002F application\u002Fcontrollers\u002FWal_reports.php lines 17-30\n    public function report_edit()\n    {\n        $this->load->model('log_m');\n        $this->load->model('report_m');\n\n        $report_id = $this->input->post_get('id');\n\n        \u002F\u002F Prepare db data\n        $this->data['db_data'] = NULL;\n\n        if(!empty($report_id))\n            $this->data['db_data'] = $this->report_m->get($report_id, TRUE);\n\n---\n\n\u002F\u002F application\u002Fcontrollers\u002FWal_history.php lines 79-85\n\tpublic function datatable()\n\t{\n        \u002F\u002F$this->enable_error_reporting();\n        remove_action( 'shutdown', 'wp_ob_end_flush_all', 1 );\n\n        \u002F\u002F configuration\n        $columns = array('idhistory', 'level', 'date', 'avatar', 'user_info', 'description', 'page', 'action');","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwinterlock\u002F1.2.7\u002Fapplication\u002Fcontrollers\u002FWal_cloudintegration.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwinterlock\u002F1.2.8\u002Fapplication\u002Fcontrollers\u002FWal_cloudintegration.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwinterlock\u002F1.2.7\u002Fapplication\u002Fcontrollers\u002FWal_cloudintegration.php\t2026-01-17 14:00:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwinterlock\u002F1.2.8\u002Fapplication\u002Fcontrollers\u002FWal_cloudintegration.php\t2026-02-11 21:30:56.000000000 +0000\n@@ -277,6 +277,14 @@\n \t\u002F\u002F json for datatables\n \tpublic function datatable()\n \t{\n+\n+        if ( ! current_user_can( 'administrator' ) ) {\n+            exit();\n+        }\n+        \n+        check_ajax_referer('winterlock_secure_ajax', 'winterlock_secure');\n+\n+\n         \u002F\u002F$this->enable_error_reporting();\n         remove_action( 'shutdown', 'wp_ob_end_flush_all', 1 );\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwinterlock\u002F1.2.7\u002Fapplication\u002Fcontrollers\u002FWal_history.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwinterlock\u002F1.2.8\u002Fapplication\u002Fcontrollers\u002FWal_history.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwinterlock\u002F1.2.7\u002Fapplication\u002Fcontrollers\u002FWal_history.php\t2026-01-17 14:00:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwinterlock\u002F1.2.8\u002Fapplication\u002Fcontrollers\u002FWal_history.php\t2026-02-11 21:30:56.000000000 +0000\n@@ -71,6 +71,13 @@\n \t\u002F\u002F json for datatables\n \tpublic function datatable()\n \t{\n+\n+        if ( ! current_user_can( 'administrator' ) ) {\n+            exit();\n+        }\n+        \n+        check_ajax_referer('winterlock_secure_ajax', 'winterlock_secure');\n+        \n         \u002F\u002F$this->enable_error_reporting();\n         remove_action( 'shutdown', 'wp_ob_end_flush_all', 1 );","To exploit this vulnerability, an authenticated attacker with Subscriber-level access needs to access the WordPress admin panel and target the plugin's custom MVC router via `\u002Fwp-admin\u002Fadmin.php`. By manipulating the 'page' (controller) and 'function' (method) query parameters, the attacker can execute sensitive logic. For example, a GET request to `admin.php?page=wal_history&function=save_history&id=[LOG_ID]` allows unauthorized modification of activity log statuses. Similarly, POST requests to `admin.php?page=wal_reports&function=report_edit` can be used to create or modify system reports. Information disclosure is possible by hitting various `datatable` functions which return JSON-formatted system logs and user data without verifying the requester's administrative capabilities.","gemini-3-flash-preview","2026-04-18 03:11:35","2026-04-18 03:12:26",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.2.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwinterlock\u002Ftags\u002F1.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwinterlock.1.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwinterlock\u002Ftags\u002F1.2.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwinterlock.1.2.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwinterlock\u002Ftags"]