[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUg51M9hGXskZ0v2KUTddES3X6lT7EpNpzUWDuNN-BTk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":31},"CVE-2026-25003","client-portal-private-user-pages-and-login-missing-authorization","Client Portal – Private user pages and login \u003C= 1.2.1 - Missing Authorization","The Client Portal – Private user pages and login plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","client-portal",null,"\u003C=1.2.1","1.2.2","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Missing Authorization","2026-01-16 00:00:00","2026-05-04 15:22:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa8360ce3-6885-418c-9950-4a5f888c703b?source=api-prod",109,[22,23],"index.php","readme.txt","researched",false,3,"_pages_in_bulk' ) );\n    ```\n    Is there a nonce check in the standard bulk action workflow?\n    When you use a bulk action in WordPress, the form usually has a `_wpnonce` and an `action` and `action2`.\n    If the plugin's `cp_create_private_pages_in_bulk` function calls `check_admin_referer('bulk-users')`, it's checking the core WP nonce for the users page.\n    If it calls `check_admin_referer('cp_create_private_page_nonce')`, it's checking its own.\n    If it calls *neither*, it's completely unprotected against CSRF and AuthZ.\n    Given 1.1.9 \"Fix: CSRF issue\", it's likely it *does* check a nonce now.\n    But which one?\n    If it checks `bulk-users`, a Subscriber can't get it.\n    If it checks a custom one, I need to find where it's exposed.\n\n    Let's look at `index.php` again for where nonces are created.\n    The `cp_enqueue_admin_scripts` function is hooked to `admin_enqueue_scripts`. This runs on *all* admin pages for any logged-in user.\n    If the nonce is created there, the Subscriber can get it.\n\n    *   **JavaScript Variable for Nonce:**\n        I will guess the variable name based on the plugin slug `client","gemini-3-flash-preview","2026-05-05 07:48:32","2026-05-05 07:49:26",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","1.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclient-portal\u002Ftags\u002F1.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclient-portal.1.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclient-portal\u002Ftags\u002F1.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclient-portal.1.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclient-portal\u002Ftags"]