CVE-2026-25003

Client Portal – Private user pages and login <= 1.2.1 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 6.5
Patched in: 1.2.2
Time to patch: 109d

Description

The Client Portal – Private user pages and login plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Technical Details

Affected versions: <= 1.2.1
Published: January 16, 2026
Last updated: May 4, 2026
Affected plugin: client-portal

What Changed in the Fix

Changes introduced in v1.2.2


Source Code

WordPress.org SVN
Research Plan
Unverified


_pages_in_bulk' ) );
```
Is there a nonce check in the standard bulk action workflow?
When you use a bulk action in WordPress, the form usually has a `_wpnonce` and an `action` and `action2`.
If the plugin's `cp_create_private_pages_in_bulk` function calls `check_admin_referer('bulk-users')`, it's checking the core WP nonce for the users page.
If it calls `check_admin_referer('cp_create_private_page_nonce')`, it's checking its own.
If it calls neither, it's completely unprotected against CSRF and AuthZ.
Given 1.1.9 "Fix: CSRF issue", it's likely it does check a nonce now.
But which one?
If it checks `bulk-users`, a Subscriber can't get it.
If it checks a custom one, I need to find where it's exposed.

Let's look at `index.php` again for where nonces are created.
The `cp_enqueue_admin_scripts` function is hooked to `admin_enqueue_scripts`. This runs on *all* admin pages for any logged-in user.
If the nonce is created there, the Subscriber can get it.

*   **JavaScript Variable for Nonce:**
    I will guess the variable name based on the plugin slug `client
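To make the distinction the research plan draws concrete (a nonce check is CSRF protection, not authorization), the following is an added illustrative example, not code from the client-portal plugin or its fix: a hypothetical bulk handler that only verifies a nonce, next to the same handler with a capability check in front of it. Handler, helper and nonce action names are assumptions.

```php
<?php
// Added illustrative example; not the plugin's code. All function and nonce
// action names below are hypothetical.

// VULNERABLE PATTERN: nonce check only. check_admin_referer() proves the request
// carries a nonce issued to *some* logged-in user; it says nothing about whether
// that user is allowed to run the action. If the nonce is created on every admin
// page (e.g. from admin_enqueue_scripts), a Subscriber can obtain a valid one.
function example_bulk_handler_vulnerable() {
    check_admin_referer( 'example_bulk_nonce' );   // CSRF protection only
    $user_ids = array_map( 'absint', (array) ( $_POST['users'] ?? array() ) );
    foreach ( $user_ids as $uid ) {
        example_create_private_page_for_user( $uid );
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url( 'users.php' ) );
    exit;
}

// HARDENED PATTERN: authorization first, then the nonce. The capability must
// match what the action does; creating pages on behalf of other users is an
// administrator-level operation here, so manage_options is required.
function example_bulk_handler_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }
    check_admin_referer( 'example_bulk_nonce' );
    $user_ids = array_map( 'absint', (array) ( $_POST['users'] ?? array() ) );
    foreach ( $user_ids as $uid ) {
        if ( get_userdata( $uid ) ) {            // ignore ids that are not real users
            example_create_private_page_for_user( $uid );
        }
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url( 'users.php' ) );
    exit;
}

// Hypothetical helper standing in for the page-creation logic.
function example_create_private_page_for_user( $uid ) {
    wp_insert_post( array(
        'post_type'   => 'page',
        'post_status' => 'private',
        'post_author' => $uid,
        'post_title'  => sprintf( 'Private page for user %d', $uid ),
    ) );
}

// admin_post_{action} fires for any logged-in user, so the capability check
// inside the handler is the only thing that enforces who may run it.
add_action( 'admin_post_example_bulk_private_pages', 'example_bulk_handler_fixed' );
```

The same reasoning applies to handlers registered on `wp_ajax_{action}` or invoked from a bulk action on the users screen: the nonce name (`bulk-users` or a custom one) decides who can satisfy the CSRF check, but only `current_user_can()` decides who is authorized.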
