[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftwYiMBgakSpl9vGn3_K0yhHMXv4zyweWGfcVqvRi3jk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2025-69388","cliengo-chatbot-missing-authorization","Cliengo – Chatbot \u003C= 3.0.4 - Missing Authorization","The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","cliengo",null,"\u003C=3.0.4","3.0.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-09 00:00:00","2026-04-15 13:37:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F570a9fc7-ad0d-4aa3-8c31-4d2f534cdbae?source=api-prod",66,[22,23,24,25,26,27],"README.txt","admin\u002Fclass-cliengo-form.php","admin\u002Fjs\u002Fcliengo-admin.js","admin\u002Fpartials\u002Fcliengo-admin-display.php","cliengo.php","includes\u002Fclass-cliengo.php","researched",false,3,"` (inside `Cliengo_Admin`) was:\n        ```php\n        add_menu_page('Cliengo', 'Cliengo', 'read', 'cliengo', array($this, 'display_page'));\n        ```\n        Then a Subscriber could see the page.\n        And the page `display_page` would include:\n        `include_once 'partials\u002Fcliengo-admin-display.php';`\n        Which would output:\n        ```php\n        \u003Cinput type=\"hidden\" id=\"update_chatbot_token_nonce\" ... value=\"\u003C?php echo wp_create_nonce('update_chatbot_token_action'); ?>\" \u002F>\n        ```\n        So a Subscriber *can* get the nonce.\n        But they still fail the `current_user_can('manage_options')` check in `update_chatbot_token`.\n\n        Wait! Does EVERY function have the `current_user_can` check?\n        `update_chatbot_token` - Yes.\n        `update_chatbot_position` - Yes.\n        `update_session` - Yes.\n        `wordpress_login` - **NO**.\n        `wp_registration` - **Likely NO** (since it's registered similarly to `wordpress_login` and missing from snippet).\n        `restore_session` - **NO**.\n\n        So `wordpress_login`, `wp_registration`, and `restore_session` are the missing ones.\n        `restore_session` is `C:","The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized access and potential information disclosure due to missing capability checks on several AJAX handlers. This allows authenticated attackers, such as Subscribers, to perform actions like restoring sessions (leaking account tokens), attempting Cliengo account logins, and registering new accounts.","\u002F\u002F admin\u002Fclass-cliengo-form.php line 71\n  public function restore_session() {\n    $account = get_option( 'cliengo_session' );\n    $session = array(\n      'token' => stripslashes( get_option( 'cliengo_chatbot_token' ) ),\n      'account' => $account != null ? json_decode(stripslashes($account)) : '',\n      'position' => stripslashes( get_option( 'cliengo_chatbot_position' ) )\n    );\n\n    echo wp_json_encode($session);\n    wp_die();\n  }\n\n---\n\n\u002F\u002F admin\u002Fclass-cliengo-form.php line 154\n  public function wordpress_login()\n  {\n    if ( ! isset( $_POST['wordpress_login_nonce'] ) || ! wp_verify_nonce( $_POST['wordpress_login_nonce'], 'wordpress_login_action' ) ) {\n      wp_die('Security Error: Security check failed. Please reload the page and try again.');\n    }\n\n    $api_host = Cliengo_Form::PROD_ENV ? 'https:\u002F\u002Fapi.cliengo.com' : 'https:\u002F\u002Fapi.stagecliengo.com';\n    $body = array('username' => $_POST['username'], 'password' => $_POST['password']);\n    \u002F\u002F ... (rest of function)","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcliengo\u002F3.0.4\u002Fadmin\u002Fclass-cliengo-form.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcliengo\u002F3.0.5\u002Fadmin\u002Fclass-cliengo-form.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcliengo\u002F3.0.4\u002Fadmin\u002Fclass-cliengo-form.php\t2024-07-15 19:44:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcliengo\u002F3.0.5\u002Fadmin\u002Fclass-cliengo-form.php\t2026-03-17 18:43:42.000000000 +0000\n@@ -74,6 +93,12 @@\n    * Fetches and returns all session variables\n    *\u002F\n   public function restore_session() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+      wp_die( 'Error: You do not have sufficient permissions to perform this action.' );\n+    }\n+\n+    check_ajax_referer( 'restore_session_action', 'restore_session_nonce' );\n+\n     $account = get_option( 'cliengo_session' );\n     $session = array( \n@@ -153,9 +175,13 @@\n    *\u002F\n   public function wordpress_login()\n   {\n-    if ( ! isset( $_POST['wordpress_login_nonce'] ) || ! wp_verify_nonce( $_POST['wordpress_login_nonce'], 'wordpress_login_action' ) ) {\n-      wp_die('Security Error: Security check failed. Please reload the page and try again.');\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+      wp_die( 'Error: You do not have sufficient permissions to perform this action. Please contact the site administrator.' );\n     }\n \n+    check_ajax_referer( 'wordpress_login_action', 'wordpress_login_nonce' );\n+\n+    $username = isset( $_POST['username'] ) ? sanitize_email( wp_unslash( $_POST['username'] ) ) : '';\n+    $password = isset( $_POST['password'] ) ? wp_unslash( $_POST['password'] ) : '';\n+\n     $api_host = Cliengo_Form::PROD_ENV ? 'https:\u002F\u002Fapi.cliengo.com' : 'https:\u002F\u002Fapi.stagecliengo.com';\n-    $body = array('username' => $_POST['username'], 'password' => $_POST['password']);\n+    $body = array( 'username' => $username, 'password' => $password );","The exploit methodology involves an authenticated attacker with low-level privileges (e.g., Subscriber) performing the following steps:\n\n1.  **Access the Admin Dashboard**: Login to the WordPress site as a Subscriber. \n2.  **Retrieve Nonces**: Visit the Cliengo configuration page (registered with the 'read' capability). Inspect the HTML source to find hidden input fields containing nonces for various actions, such as `wordpress_login_nonce`, `update_session_nonce`, and `wp_registration_nonce`.\n3.  **Execute Unauthorized AJAX Action**: Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`. \n    *   To leak the chatbot token and session data, use the `action=restore_session` parameter. Since version 3.0.4 lacked both capability and nonce checks for this specific action, the server will return the session JSON.\n    *   To attempt account operations, use actions like `wordpress_login` or `wp_registration` while providing the stolen nonces from Step 2. Even though these actions have nonce checks, they lack a `current_user_can('manage_options')` check, allowing the request to proceed if a valid nonce (which the plugin leaked to the Subscriber) is provided.","gemini-3-flash-preview","2026-04-21 03:06:20","2026-04-21 03:07:06",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","3.0.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcliengo\u002Ftags\u002F3.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcliengo.3.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcliengo\u002Ftags\u002F3.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcliengo.3.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcliengo\u002Ftags"]