[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQOoyT-0T82N5GHnJqiJyQcVnK64y7jMb_0jAbc7ZZrw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-25420","mailerlite-signup-forms-official-missing-authorization-2","MailerLite – Signup forms (official) \u003C= 1.7.18 - Missing Authorization","The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.18. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.","official-mailerlite-sign-up-forms",null,"\u003C=1.7.18","1.7.19","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-28 00:00:00","2026-05-04 15:47:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffc7e68e7-6792-419d-800b-f1bc340f23fb?source=api-prod",97,[22,23,24,25],"mailerlite.php","readme.txt","src\u002FControllers\u002FAdminController.php","src\u002FModules\u002FForm.php","researched",false,3,"# CVE-2026-25420 - MailerLite Signup Forms Authorization Bypass Research Plan\n\n## 1. Vulnerability Summary\nThe **MailerLite – Signup forms (official)** plugin (\u003C= 1.7.18) contains a missing authorization vulnerability. While the plugin aims to allow specific roles to manage forms (introduced in version 1.7.0), it fails to properly enforce capability checks on administrative functions, particularly those handled in `src\u002FControllers\u002FAdminController.php`. This allows authenticated users with **Contributor-level** permissions to perform unauthorized actions such as creating or modifying signup forms, which should typically be restricted to administrators or specific authorized roles.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin.php?page=mailerlite_main`\n*   **Trigger**: The `AdminController::forms()` method is used to process form creation and editing. If this logic is hooked to `admin_init` or if the menu page registration uses a broad capability (like `edit_posts` or `read`), Contributors can trigger the processing logic.\n*   **Payload Parameters**:\n    *   `view=create` (GET)\n    *   `create_signup_form=1` (POST)\n    *   `form_type=1` (POST - Custom) or `2` (POST - Embedded)\n*   **Authentication**: Authenticated, Contributor-level access.\n*   **Preconditions**: A valid MailerLite API key must be","The MailerLite – Signup forms (official) plugin for WordPress fails to implement proper capability checks within its AdminController, specifically in the form management logic. This allows authenticated users with Contributor-level permissions or higher to perform unauthorized actions, such as deleting existing signup forms.","\u002F\u002F src\u002FControllers\u002FAdminController.php line 323\n        } \u002F\u002F Delete signup form view\n        elseif ( isset( $_GET['view'] ) && isset( $_GET['id'] )\n                 && $_GET['view'] == 'delete'\n                 && absint( $_GET['id'] ) ) {\n            $wpdb->delete(\n                $wpdb->base_prefix . 'mailerlite_forms', [ 'id' => absint( $_GET['id'] ) ]\n            );\n--- \n\u002F\u002F src\u002FControllers\u002FAdminController.php line 345\n        \u002F\u002F Create new signup form view\n        if ( isset( $_GET['view'] ) && $_GET['view'] == 'create' ) {\n\n            if ( isset( $_POST['create_signup_form'] ) ) {\n\n                ( new Form() )->create_new_form( $_POST );\n\n                wp_redirect(\n                    'admin.php?page=mailerlite_main&view=edit&id='\n                    . $wpdb->insert_id\n                );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fofficial-mailerlite-sign-up-forms\u002F1.7.18\u002Fsrc\u002FControllers\u002FAdminController.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fofficial-mailerlite-sign-up-forms\u002F1.7.19\u002Fsrc\u002FControllers\u002FAdminController.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fofficial-mailerlite-sign-up-forms\u002F1.7.18\u002Fsrc\u002FControllers\u002FAdminController.php\\t2025-12-10 08:22:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fofficial-mailerlite-sign-up-forms\u002F1.7.19\u002Fsrc\u002FControllers\u002FAdminController.php\\t2026-02-17 12:18:46.000000000 +0000\n@@ -323,7 +323,8 @@\n         } \u002F\u002F Delete signup form view\n         elseif ( isset( $_GET['view'] ) && isset( $_GET['id'] )\n                  && $_GET['view'] == 'delete'\n-                 && absint( $_GET['id'] ) ) {\n+                 && absint( $_GET['id'] )\n+                 && current_user_can( 'manage_options' )) {\n             $wpdb->delete(\n                 $wpdb->base_prefix . 'mailerlite_forms', [ 'id' => absint( $_GET['id'] ) ]\n             );","The exploit target is the AdminController::forms() method, which is accessible via the WordPress admin dashboard. An attacker with Contributor-level access (which typically has limited admin menu access) can bypass intended restrictions by sending requests directly to the MailerLite management page. To delete a form, the attacker sends a GET request to \u002Fwp-admin\u002Fadmin.php?page=mailerlite_main&view=delete&id={FORM_ID}. Because the plugin (prior to 1.7.19) lacks a capability check (current_user_can) in the delete logic branch, the database operation is executed regardless of the user's actual administrative privileges.","gemini-3-flash-preview","2026-05-04 21:42:17","2026-05-04 21:43:09",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.7.18","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fofficial-mailerlite-sign-up-forms\u002Ftags\u002F1.7.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fofficial-mailerlite-sign-up-forms.1.7.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fofficial-mailerlite-sign-up-forms\u002Ftags\u002F1.7.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fofficial-mailerlite-sign-up-forms.1.7.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fofficial-mailerlite-sign-up-forms\u002Ftags"]