[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffbXOQboWaCDbCRUYt-DxngcBo1nZ4UvDvTMGCxog9XE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40786","myrewards-missing-authorization-2","MyRewards \u003C= 5.7.3 - Missing Authorization","The MyRewards plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.7.3. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","woorewards",null,"\u003C=5.7.3","5.7.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-16 00:00:00","2026-04-21 14:46:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9332f737-7620-412a-9338-1212c9c4ebd8?source=api-prod",6,[22,23,24,25,26,27,28,29],"assets\u002Flws-adminpanel\u002Finclude\u002Finternal\u002Fpages.php","assets\u002Flws-adminpanel\u002Finclude\u002Fpages\u002Ffield\u002Fbutton.php","assets\u002Flws-adminpanel\u002Fjs\u002Ffields.js","assets\u002Flws-adminpanel\u002Flws-adminpanel.php","include\u002Fpointsflow\u002Faction.php","include\u002Fui\u002Fadminscreens\u002Fpointsmanagement.php","readme.txt","woorewards.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-40786 (MyRewards)\n\n## 1. Vulnerability Summary\nThe **MyRewards** plugin (up to 5.7.3) suffers from a **Missing Authorization** vulnerability within its administrative AJAX handling framework, `lws-adminpanel`. The plugin registers several AJAX actions via the `wp_ajax_` hook, which makes them accessible to any authenticated user (including **Subscribers**). Specifically, the generic button trigger handler (`lws_adminpanel_field_button`) dispatches page-button callbacks without checking the page node's declared capability (`rights`) or a nonce. The point export actions, by contrast, already call `current_user_can('manage_options')` in 5.7.3 and only lack nonce verification, so they are a CSRF concern rather than a subscriber-reachable privilege-escalation path; the advisory's `C:N` \u002F `I:L` vector is consistent with unauthorized action execution rather than data disclosure.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoints:** \n    *   `\u002Fwp-admin\u002Fadmin-ajax.php?action=woorewards-lite-export-wr`\n    *   `\u002Fwp-admin\u002Fadmin-ajax.php?action=woorewards-lite-export-points`\n    *   `\u002Fwp-admin\u002Fadmin-ajax.php?action=lws_adminpanel_field_button`\n*   **Vulnerable Action:** `woorewards-lite-export-wr` (Exporting loyalty pool data; note that the 5.7.3 source already gates this handler on `manage_options`, so the capability gap that matches the advisory is in `lws_adminpanel_field_button`, not here).\n*   **Required Parameter:** `woorewards-lite_from_pool` (The ID or slug of the loyalty pool to export).\n*   **Authentication:** Authenticated, Subscriber-level or above.\n*   **Preconditions:** At least one Loyalty Pool must be configured in the","The MyRewards plugin for WordPress is vulnerable to unauthorized action execution due to a missing capability check in its internal administration framework (lws-adminpanel): the generic 'lws_adminpanel_field_button' AJAX handler walked the page tree and dispatched button callbacks without checking each node's declared 'rights' capability or a nonce. Authenticated attackers, including those with subscriber-level permissions, can therefore trigger administrative callbacks. The WR and points export actions already required 'manage_options' in the vulnerable version; the 5.7.4 patch only adds nonce verification to them, so they are CSRF hardening rather than a subscriber-reachable data export (consistent with the advisory's C:N \u002F I:L vector).","\u002F\u002F assets\u002Flws-adminpanel\u002Finclude\u002Finternal\u002Fpages.php\n\u002F\u002F In the constructor, the plugin registers a generic AJAX action for buttons\nif( $this->doingAjax )\n{\n    add_action('wp_ajax_lws_adminpanel_field_button', array($this, 'ajaxButton'));\n}\n\n---\n\n\u002F\u002F assets\u002Flws-adminpanel\u002Finclude\u002Finternal\u002Fpages.php (~line 481 in vulnerable version)\n\u002F\u002F Inside the ajaxButton handler, it originally lacks nonce and capability checks before triggering callbacks\n$response = $this->trigAjaxButton($this->pages, $button, $data);\n\n---\n\n\u002F\u002F include\u002Fpointsflow\u002Faction.php\n\u002F\u002F These actions lacked nonce verification (CSRF exposure). The manage_options check below is already present in 5.7.3,\n\u002F\u002F so they were NOT reachable by subscribers; the missing-authorization issue is the button trigger above.\nfunction exportWR()\n{\n    if( !\\current_user_can('manage_options') )\n        \\wp_die('forbidden', 403);\n    \u002F\u002F ... 
export logic ...\n}\n\nfunction exportPoints()\n{\n    if( !\\current_user_can('manage_options') )\n        \\wp_die('forbidden', 403);\n    \u002F\u002F ... export logic ...\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoorewards\u002F5.7.3.1\u002Fassets\u002Flws-adminpanel\u002Finclude\u002Finternal\u002Fpages.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoorewards\u002F5.7.4\u002Fassets\u002Flws-adminpanel\u002Finclude\u002Finternal\u002Fpages.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoorewards\u002F5.7.3.1\u002Fassets\u002Flws-adminpanel\u002Finclude\u002Finternal\u002Fpages.php\t2026-02-17 11:50:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoorewards\u002F5.7.4\u002Fassets\u002Flws-adminpanel\u002Finclude\u002Finternal\u002Fpages.php\t2026-03-30 14:26:20.000000000 +0000\n@@ -481,6 +481,11 @@\n \t\t\tif( $data === null )\n \t\t\t\texit(0);\n \n+\t\t\t$nonce = sanitize_text_field(wp_unslash($data['lws_adminpanel_triggerable_button_nonce'] ?? ''));\n+\t\t\tif (!\\wp_verify_nonce($nonce, 'lws_adminpanel_triggerable_button_nonce')) {\n+\t\t\t\t\\wp_send_json_error(__(\"Token expired. Please reload the page and retry.\", 'lws-adminpanel'));\n+\t\t\t}\n+\n \t\t\t$response = $this->trigAjaxButton($this->pages, $button, $data);\n \t\t\tif( !is_null($response) )\n \t\t\t{\n@@ -495,6 +500,11 @@\n \t{\n \t\tforeach( $tree as $node )\n \t\t{\n+\t\t\t$rights = $node['rights'] ?? 
'';\n+\t\t\tif ($rights && !\\current_user_can($rights)) {\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\n \t\t\tif( is_array($node) )\n \t\t\t{\n \t\t\t\tif( isset($node['fields']) )\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoorewards\u002F5.7.3.1\u002Finclude\u002Fpointsflow\u002Faction.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoorewards\u002F5.7.4\u002Finclude\u002Fpointsflow\u002Faction.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoorewards\u002F5.7.3.1\u002Finclude\u002Fpointsflow\u002Faction.php\t2026-02-17 11:50:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoorewards\u002F5.7.4\u002Finclude\u002Fpointsflow\u002Faction.php\t2026-03-30 14:26:20.000000000 +0000\n@@ -208,6 +208,9 @@\n \n \tfunction exportWR()\n \t{\n+\t\tif (!\\wp_verify_nonce(sanitize_text_field(wp_unslash($_REQUEST['lws_btn_nonce'] ?? '')), 'woorewards-lite' . '-export-wr')) {\n+\t\t\t\\wp_die('forbidden', 403);\n+\t\t}\n \t\tif( !\\current_user_can('manage_options') )\n \t\t\t\\wp_die('forbidden', 403);\n \n@@ -225,6 +228,9 @@\n \n \tfunction exportPoints()\n \t{\n+\t\tif (!\\wp_verify_nonce(sanitize_text_field(wp_unslash($_REQUEST['lws_btn_nonce'] ?? '')), 'woorewards-lite' . '-export-points')) {\n+\t\t\t\\wp_die('forbidden', 403);\n+\t\t}\n \t\tif( !\\current_user_can('manage_options') )\n \t\t\t\\wp_die('forbidden', 403);","To exploit this vulnerability, an authenticated attacker with Subscriber-level access or higher can bypass intended security restrictions by targeting the plugin's AJAX endpoints. The attacker can directly send a request to \u002Fwp-admin\u002Fadmin-ajax.php using the generic 'lws_adminpanel_field_button' action or the specific 'woorewards-lite-export-wr' \u002F 'woorewards-lite-export-points' actions. 
Because the vulnerable versions failed to verify nonces for these triggers and the 'lws-adminpanel' page-tree walk did not check each node's declared 'rights' capability before dispatching button callbacks during AJAX processing, a low-privileged user can reach administrative callbacks through 'lws_adminpanel_field_button' that should be restricted to administrators. The export actions are a weaker case: the 5.7.3 code already rejects callers without 'manage_options', and the 5.7.4 patch only adds a nonce check there, so 'woorewards-lite-export-wr' \u002F 'woorewards-lite-export-points' (and the woorewards-lite_from_pool parameter) are a CSRF concern rather than a subscriber-reachable data export. Note that the patch skips only nodes whose 'rights' value is non-empty; whether any callback remains reachable after 5.7.4 depends on every page declaring 'rights', which is not visible in this excerpt.","gemini-3-flash-preview","2026-04-27 14:38:27","2026-04-27 14:39:18",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.7.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoorewards\u002Ftags\u002F5.7.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoorewards.5.7.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoorewards\u002Ftags\u002F5.7.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoorewards.5.7.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoorewards\u002Ftags"]