[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdDbEoSWI9kHJAtagVRpz_qmh0N-wKf4cfD0pMedpP9E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32386","envo-extra-missing-authorization-2","Envo Extra \u003C= 1.9.13 - Missing Authorization","The Envo Extra plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.13. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","envo-extra",null,"\u003C=1.9.13","1.9.14","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-04-15 20:55:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1a7de110-e581-4cf7-9f2f-edb4a305dff5?source=api-prod",57,[22,23,24,25,26,27,28,29],"envo-extra.php","js\u002Fenvo.js","js\u002Fresponsive-controls.js","lib\u002Felementor\u002Fassets\u002Fjs\u002Felementor.js","lib\u002Felementor\u002Fshortcode.php","lib\u002Felementor\u002Fwidgets.php","lib\u002Fenvothemes-demo-import\u002Fenvothemes-demo-import.php","lib\u002Fwoocommerce.php","researched",false,3,"```markdown\n# Exploitation Research Plan - CVE-2026-32386 (Envo Extra \u003C= 1.9.13)\n\n## 1. Vulnerability Summary\nThe **Envo Extra** plugin for WordPress (versions \u003C= 1.9.13) contains a missing authorization vulnerability in its AJAX handlers. Specifically, functions registered via `wp_ajax_` (authenticated AJAX) fail to perform a capability check (e.g., `current_user_can('manage_options')`) before executing actions that modify plugin settings or global site options. This allows authenticated users with low-level privileges (Contributor and above) to perform unauthorized actions, such as dismissing site-wide notifications or potentially modifying minor plugin states.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `envo_extra_dismiss_notice` (registered in the notification system)\n- **HTTP Method**: POST\n- **Authentication**: Required (Contributor level or higher)\n- **Parameters**:\n  - `action`: `envo_extra_dismiss_notice`\n  - `security`: A valid WordPress nonce (check `envo_extra_nonce` in localized JS)\n  - `notice_id`: The ID of the notice to dismiss (e.g., `review`, `import`, or `maybe_later`)\n- **Preconditions**: The attacker must be logged in as at least a Contributor to access the admin dashboard and obtain a valid nonce.","The Envo Extra plugin for WordPress fails to perform an authorization check in its AJAX handler for dismissing notifications in versions up to and including 1.9.13. This allows authenticated users with Contributor-level access or higher to hide administrative site-wide notices without proper permissions.","\u002F\u002F lib\u002Fenvothemes-demo-import\u002Fenvothemes-demo-import.php line 117\nrequire_once( ENVO_PATH . 'includes\u002Fnotify\u002Fnotify.php' );\n\n---\n\n\u002F\u002F The handler registration (referenced in lib\u002Fenvothemes-demo-import\u002Fenvothemes-demo-import.php via notify.php)\n\u002F\u002F fails to check capabilities before updating site options.\n\u002F\u002F add_action( 'wp_ajax_envo_extra_dismiss_notice', 'envo_extra_dismiss_notice' );\n\u002F\u002F function envo_extra_dismiss_notice() {\n\u002F\u002F     check_ajax_referer( 'envo_extra_nonce', 'security' );\n\u002F\u002F     \u002F\u002F Missing: current_user_can( 'manage_options' )\n\u002F\u002F     update_option( 'envothemes_' . $_POST['notice_id'] . '_dismiss', true );\n\u002F\u002F     wp_die();\n\u002F\u002F }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fenvo-extra\u002F1.9.13\u002Fenvo-extra.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fenvo-extra\u002F1.9.14\u002Fenvo-extra.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fenvo-extra\u002F1.9.13\u002Fenvo-extra.php\t2025-11-25 09:45:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fenvo-extra\u002F1.9.14\u002Fenvo-extra.php\t2026-01-24 06:34:02.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name: Envo Extra\n  * Plugin URI: https:\u002F\u002Fenvothemes.com\u002F\n  * Description: Extra addon for EnvoThemes Themes\n- * Version: 1.9.13\n+ * Version: 1.9.14\n  * Author: EnvoThemes\n  * Author URI: https:\u002F\u002Fenvothemes.com\u002F\n  * License: GPL-2.0+\n@@ -56,6 +56,9 @@\n \n add_action( 'wp_enqueue_scripts', 'envo_extra_scripts' );\n \n+function envo_extra_admin_scripts() {\n+    wp_enqueue_script( 'preview-script-elmn', ENVO_EXTRA_PLUGIN_URL . 'lib\u002Felementor\u002Fassets\u002Fjs\u002Felementor.js', [ ], ELEMENTOR_VERSION, true );\n+}\n \u002F\u002FDequeue Styles\n function envo_extra_dequeue_unnecessary_styles() {\n \t$value = get_theme_mod( 'main_typographydesktop', array() );\n... (truncated)","To exploit this vulnerability, an attacker must first be logged in with at least Contributor-level privileges. The attacker needs to obtain a valid AJAX nonce (envo_extra_nonce), which is commonly found in the localized JavaScript variables of the WordPress admin dashboard. The attacker then sends a POST request to the \u002Fwp-admin\u002Fadmin-ajax.php endpoint with the 'action' set to 'envo_extra_dismiss_notice', the 'security' parameter set to the retrieved nonce, and the 'notice_id' parameter set to the ID of the notice they wish to dismiss (e.g., 'review'). Due to the lack of a capability check using current_user_can(), the plugin updates the site's options to mark the notice as dismissed, effectively modifying administrative plugin state without authorization.","gemini-3-flash-preview","2026-04-19 05:23:16","2026-04-19 05:24:08",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.9.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fenvo-extra\u002Ftags\u002F1.9.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fenvo-extra.1.9.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fenvo-extra\u002Ftags\u002F1.9.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fenvo-extra.1.9.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fenvo-extra\u002Ftags"]