[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwoAQ29QE2HJUiJ_eOybuQvmd5LadLkD4Bqypjbn478I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-39503","easy-digital-downloads-ecommerce-payments-and-subscriptions-made-easy-missing-authorization","Easy Digital Downloads – eCommerce Payments and Subscriptions made easy \u003C= 3.6.5 - Missing Authorization","The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.6.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","easy-digital-downloads",null,"\u003C=3.6.5","3.6.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-20 00:00:00","2026-04-30 15:03:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3ee538dd-466b-471d-8055-af32ecfdfc77?source=api-prod",11,[22,23,24,25,26,27,28,29],"assets\u002Fbuild\u002Fcss\u002Fadmin\u002Fadmin-rtl.min.css","assets\u002Fbuild\u002Fcss\u002Fadmin\u002Fadmin.min.css","assets\u002Fbuild\u002Fcss\u002Fadmin\u002Fchosen-rtl.min.css","assets\u002Fbuild\u002Fcss\u002Fadmin\u002Fchosen.min.css","assets\u002Fbuild\u002Fcss\u002Fadmin\u002Femails-rtl.min.css","assets\u002Fbuild\u002Fcss\u002Fadmin\u002Femails.min.css","assets\u002Fbuild\u002Fcss\u002Fadmin\u002Fextension-manager-rtl.min.css","assets\u002Fbuild\u002Fcss\u002Fadmin\u002Fextension-manager.min.css","researched",false,3,"This analysis focuses on a \"Missing Authorization\" vulnerability in Easy Digital Downloads (EDD) \u003C= 3.6.5. Based on the provided CSS assets and known architecture of EDD, the vulnerability likely resides in an AJAX handler used for administrative tasks that was inadvertently exposed to unauthenticated users via `wp_ajax_nopriv_` hooks without a `current_user_can()` check.\n\nThe presence of `assets\u002Fbuild\u002Fcss\u002Fadmin\u002Femails.min.css` referencing `.edd-promo-notice__ajax` and `#edd-admin-notice-emails` strongly suggests the vulnerability involves the unauthorized dismissal of administrative or promotional notices.\n\n### 1. Vulnerability Summary\nThe Easy Digital Downloads plugin uses AJAX handlers to manage admin notices and promotional content. In version 3.6.5, specific handlers (likely `edd_dismiss_notice`) are registered using `wp_ajax_nopriv_`, making them accessible to unauthenticated visitors. The function fails to perform a capability check (e.g., `current_user_can( 'manage_shop_settings' )`), allowing any user to dismiss important administrative alerts or promotional notices for all administrators.\n\n### 2. Attack Vector Analysis\n* **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Action**: `edd_dismiss_notice` (inferred from `.edd-promo-notice__ajax` in CSS)\n* **HTTP Method**: POST\n* **Authentication**: None required (unauthenticated)\n* **Preconditions**: The plugin must have an active notice that is targetable (e.g., the \"Emails\" promo notice).\n\n### 3. Code Flow (Inferred)\n1. **Hook Registration**: The plugin registers the action:\n `add_action( 'wp_ajax_nopriv_edd_dismiss_notice', 'edd_ajax_dismiss_notice' );`\n2. **Entry Point**: `admin-ajax.php` receives a POST request with `action=edd_dismiss_notice`.\n3. **Vulnerable Function**: `edd_ajax_dismiss_notice()` is called.\n4. **Missing Check**: The function likely checks a nonce but fails to verify if the user has `manage_options` or `manage_shop_settings` capabilities.\n5. **Sink**: The function calls `update_option( 'edd_dismissed_notices', ... )` or `set_user_meta(...)`, modifying the global or user-specific state of dismissed notices.\n\n### 4. Nonce Acquisition Strategy\nEDD typically localizes its administrative AJAX data. Even for unauthenticated users, the nonce might be leaked if the plugin enqueues scripts on the frontend (e.g., for checkout or download management).\n\n1. **Identify the Script**: Look for `edd_admin_vars` or `edd_scripts_vars` in the page source.\n2. **Check Frontend**: Navigate to the homepage or a \"Downloads\" page.\n3. **Extraction**:\n * `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002F\")`\n * `browser_eval(\"window.edd_scripts_vars?.dismiss_notice_nonce\")` (inferred key)\n * *Note*: If the action is specifically for the Email promo, look for a variable named `edd_emails_vars` or similar.\n\n### 5. Exploitation Strategy\nThe goal is to unauthentically dismiss the \"Emails\" promotional notice (referenced in `emails.min.css`).\n\n**Step 1: Discover target notice ID**\nCommon EDD notice IDs include:\n* `edd_emails_promo_notice`\n* `edd_api_notice`\n* `edd_connect_notice`\n\n**Step 2: Construct the Exploit Request**\n* **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body**:\n ```text\n action=edd_dismiss_notice¬ice_id=edd_emails_promo_notice&nonce=[EXTRACTED_NONCE]\n ```\n\n**Step 3: Alternative Payload (Generic Dismissal)**\nIf a specific nonce is not required for `nopriv` (or if it's checked loosely), try:\n```text\naction=edd_dismiss_notice¬ice_id=edd_emails_promo_notice\n```\n\n### 6. Test Data Setup\nTo ensure the exploit is testable, the \"Emails\" notice should be \"active\" in the environment.\n1. **Activate EDD**: Ensure the plugin is active.\n2. **Clear Dismissed Notices**: Reset the option to ensure the notice would normally be visible.\n ```bash\n wp option delete edd_dismissed_notices\n ```\n\n### 7. Expected Results\n* **Response**: The server should return `1`, `success`, or a JSON object like `{\"success\":true}`.\n* **State Change**: The database option `edd_dismissed_notices` will be updated to include the targeted `notice_id`.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the dismissal using WP-CLI:\n```bash\n# Check if the notice is now in the dismissed list\nwp option get edd_dismissed_notices\n```\nThe output should be a serialized array containing `edd_emails_promo_notice`.\n\n### 9. Alternative Approaches\nIf `edd_dismiss_notice` is not the vulnerable action, use `grep` to find all `nopriv` actions that perform \"update\" or \"dismiss\" logic:\n1. `grep -r \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Feasy-digital-downloads\u002F`\n2. Search for any function calls that update options or meta:\n `grep -r \"update_option\" wp-content\u002Fplugins\u002Feasy-digital-downloads\u002Fincludes\u002Fadmin\u002F`\n3. Look for \"Stats Recount\" functions: `edd_recount_stats`. In some versions, unauthenticated users could trigger a recount of shop stats, leading to potential DoS or unauthorized data processing:\n * **Action**: `edd-recount-stats`\n * **Request**: `GET \u002Fwp-admin\u002Findex.php?edd-action=recount_stats&type=orders` (check if `edd-action` is handled in `init` without auth).","gemini-3-flash-preview","2026-05-04 19:46:23","2026-05-04 19:47:06",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.6.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-digital-downloads\u002Ftags\u002F3.6.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-digital-downloads.3.6.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-digital-downloads\u002Ftags\u002F3.6.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feasy-digital-downloads.3.6.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feasy-digital-downloads\u002Ftags"]