CVE-2026-32386

Envo Extra <= 1.9.13 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 1.9.14
Time to patch: 57d

Description

The Envo Extra plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.13. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.9.13
Published: February 18, 2026
Last updated: April 15, 2026
Affected plugin: envo-extra

What Changed in the Fix

Changes introduced in v1.9.14


Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-32386 (Envo Extra <= 1.9.13)

## 1. Vulnerability Summary
The **Envo Extra** plugin for WordPress (versions <= 1.9.13) contains a missing authorization vulnerability in its AJAX handlers. Specifically, functions registered via `wp_ajax_` (authenticated AJAX) fail to perform a capability check (e.g., `current_user_can('manage_options')`) before executing actions that modify plugin settings or global site options. This allows authenticated users with low-level privileges (Contributor and above) to perform unauthorized actions, such as dismissing site-wide notifications or potentially modifying minor plugin states.

## 2. Attack Vector Analysis
- **Endpoint**: `/wp-admin/admin-ajax.php`
- **Action**: `envo_extra_dismiss_notice` (registered in the notification system)
- **HTTP Method**: POST
- **Authentication**: Required (Contributor level or higher)
- **Parameters**:
  - `action`: `envo_extra_dismiss_notice`
  - `security`: A valid WordPress nonce (check `envo_extra_nonce` in localized JS)
  - `notice_id`: The ID of the notice to dismiss (e.g., `review`, `import`, or `maybe_later`)
- **Preconditions**: The attacker must be logged in as at least a Contributor to access the admin dashboard and obtain a valid nonce.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Envo Extra plugin for WordPress fails to perform an authorization check in its AJAX handler for dismissing notifications in versions up to and including 1.9.13. This allows authenticated users with Contributor-level access or higher to hide administrative site-wide notices without proper permissions.

Vulnerable Code

// lib/envothemes-demo-import/envothemes-demo-import.php line 117
require_once( ENVO_PATH . 'includes/notify/notify.php' );

---

// The handler registration (referenced in lib/envothemes-demo-import/envothemes-demo-import.php via notify.php)
// fails to check capabilities before updating site options.
// add_action( 'wp_ajax_envo_extra_dismiss_notice', 'envo_extra_dismiss_notice' );
// function envo_extra_dismiss_notice() {
//     check_ajax_referer( 'envo_extra_nonce', 'security' );
//     // Missing: current_user_can( 'manage_options' )
//     update_option( 'envothemes_' . $_POST['notice_id'] . '_dismiss', true );
//     wp_die();
// }
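The following is an added example, not code from the Envo Extra plugin: it puts the handler as the page reconstructs it beside a hardened version that adds the capability check the advisory reports as missing and validates the `notice_id` value before it is spliced into an option name. The function names, the `envo_extra_nonce` action, the `security` and `notice_id` parameters and the `envothemes_*_dismiss` option prefix follow the reconstruction above; the allowlist of notice IDs and the `manage_options` capability are assumptions.

```php
<?php
// Added example (not the Envo Extra plugin's own code). Names and parameters
// follow the page's reconstruction of the handler; the notice allowlist and
// the 'manage_options' capability are assumptions.

// --- Handler as reconstructed on the page: nonce verified, capability never checked. ---
// check_ajax_referer() only proves the request originated from a page WordPress
// rendered for this logged-in user (CSRF protection). It says nothing about
// whether that user is allowed to perform the action.
function envo_extra_dismiss_notice_vulnerable() {
    check_ajax_referer( 'envo_extra_nonce', 'security' );
    // Any user who can load the dashboard and read the nonce reaches this line,
    // and the raw POST value becomes part of the option name.
    update_option( 'envothemes_' . $_POST['notice_id'] . '_dismiss', true );
    wp_die();
}

// --- Hardened handler. ---
function envo_extra_dismiss_notice_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'envo_extra_nonce', 'security' );

    // 2. Authorization: only users allowed to manage site options may dismiss
    //    site-wide admin notices. This is the check the advisory reports as missing.
    //    wp_send_json_error() terminates the request, so no explicit return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only known notice IDs instead of splicing
    //    arbitrary input into an option name. The list is an assumption based on
    //    the example IDs mentioned on the page.
    $allowed   = array( 'review', 'import', 'maybe_later' );
    $notice_id = isset( $_POST['notice_id'] )
        ? sanitize_key( wp_unslash( $_POST['notice_id'] ) )
        : '';
    if ( ! in_array( $notice_id, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown notice.' ), 400 );
    }

    update_option( 'envothemes_' . $notice_id . '_dismiss', true );
    wp_send_json_success();
}

// Register only the hardened handler for the authenticated AJAX action.
add_action( 'wp_ajax_envo_extra_dismiss_notice', 'envo_extra_dismiss_notice_hardened' );
```

The ordering matters: the nonce check rejects forged cross-site requests, the capability check rejects legitimate-but-unprivileged users, and the allowlist rejects unexpected values. A nonce alone, as in the reconstructed handler, covers only the first of the three.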

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/envo-extra/1.9.13/envo-extra.php /home/deploy/wp-safety.org/data/plugin-versions/envo-extra/1.9.14/envo-extra.php
--- /home/deploy/wp-safety.org/data/plugin-versions/envo-extra/1.9.13/envo-extra.php	2025-11-25 09:45:02.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/envo-extra/1.9.14/envo-extra.php	2026-01-24 06:34:02.000000000 +0000
@@ -3,7 +3,7 @@
  * Plugin Name: Envo Extra
  * Plugin URI: https://envothemes.com/
  * Description: Extra addon for EnvoThemes Themes
- * Version: 1.9.13
+ * Version: 1.9.14
  * Author: EnvoThemes
  * Author URI: https://envothemes.com/
  * License: GPL-2.0+
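Review bot: this hunk only bumps the plugin header from 1.9.13 to 1.9.14 and carries no code change, so nothing here addresses the missing capability check described for the notice-dismiss handler; the page points to notify.php for that handler, and the authorization fix should be confirmed in that file's diff rather than inferred from the version bump.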
@@ -56,6 +56,9 @@
 
 add_action( 'wp_enqueue_scripts', 'envo_extra_scripts' );
 
+function envo_extra_admin_scripts() {
+    wp_enqueue_script( 'preview-script-elmn', ENVO_EXTRA_PLUGIN_URL . 'lib/elementor/assets/js/elementor.js', [ ], ELEMENTOR_VERSION, true );
+}
 //Dequeue Styles
 function envo_extra_dequeue_unnecessary_styles() {
 	$value = get_theme_mod( 'main_typographydesktop', array() );
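Review bot: the new envo_extra_admin_scripts() is defined but, within the visible lines, never hooked (no add_action( 'admin_enqueue_scripts', 'envo_extra_admin_scripts' ) appears), so as shown the enqueue never runs; it also passes ELEMENTOR_VERSION, a constant that exists only when Elementor is active, so on a site without Elementor PHP 8 throws an Error for the undefined constant (older PHP emits a warning and uses the literal string). Guard the call with `if ( defined( 'ELEMENTOR_VERSION' ) )` or fall back to the plugin's own version string. Nothing in this hunk relates to the authorization check the advisory describes, so the actual fix must live in a part of the diff not shown here.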
... (truncated)

Exploit Outline

To exploit this vulnerability, an attacker must first be logged in with at least Contributor-level privileges. The attacker needs to obtain a valid AJAX nonce (envo_extra_nonce), which is commonly found in the localized JavaScript variables of the WordPress admin dashboard. The attacker then sends a POST request to the /wp-admin/admin-ajax.php endpoint with the 'action' set to 'envo_extra_dismiss_notice', the 'security' parameter set to the retrieved nonce, and the 'notice_id' parameter set to the ID of the notice they wish to dismiss (e.g., 'review'). Due to the lack of a capability check using current_user_can(), the plugin updates the site's options to mark the notice as dismissed, effectively modifying administrative plugin state without authorization.
