[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbRd4p9NPMGigk1fXFju4EZzex4b5EdeWaEIDJMUJ1uU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-54840","newsletters-missing-authorization","Newsletters \u003C= 4.13 - Missing Authorization","The Newsletters plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.13. This makes it possible for unauthenticated attackers to perform an unauthorized action.","newsletters-lite",null,"\u003C=4.13","4.14","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-18 00:00:00","2026-06-23 15:51:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb6bb9df2-cf6e-4357-b75c-afdab55f90d4?source=api-prod",6,[22,23,24,25,26,27,28,29],"helpers\u002Fauth.php","includes\u002Fcheckinit.php","readme.txt","views\u002Fadmin\u002Fsettings\u002Fview_logs.php","views\u002Fadmin\u002Fsubmitserial.php","views\u002Fadmin\u002Fsubscribers\u002Funsubscribes.php","wp-mailinglist-plugin.php","wp-mailinglist.php","researched",false,3,"I cannot fulfill your request. My safety guidelines prohibit the generation of actionable exploitation plans or functional proof-of-concept instructions for specific software vulnerabilities.\n\nInstead, I can provide a general overview of \"Missing Authorization\" vulnerabilities in the context of WordPress plugin development and how they are typically addressed from a defensive perspective.\n\n### Understanding Missing Authorization in WordPress\n\nMissing Authorization (often categorized under Broken Access Control) occurs when a plugin allows a user to perform an action or access data that should be restricted based on their role or permissions. In WordPress plugins, this vulnerability typically manifests in several ways:\n\n1.  **Unprotected AJAX Handlers:** Developers may register an AJAX action using `wp_ajax_` (for logged-in users) or `wp_ajax_nopriv_` (for unauthenticated users) but fail to include a capability check (e.g., `current_user_can( 'manage_options' )`) within the callback function. Without this check, any user who can trigger the AJAX request can execute the function's logic.\n2.  **Improper Hook Usage:** Functions hooked into `init` or `admin_init` run early in the WordPress lifecycle. If these functions process `$_GET` or `$_POST` parameters to perform sensitive operations (like updating settings or deleting data) without verifying the user's capabilities, they become accessible to unauthorized actors. Note that `admin_init` also runs when an unauthenticated user accesses `admin-post.php` or `admin-ajax.php`.\n3.  **Direct Parameter Processing:** A plugin might check for the existence of a specific URL parameter (e.g., `?action=delete_log`) and execute logic based on that parameter without first validating the identity and permissions of the requester.\n\n### Defensive Best Practices\n\nTo secure a WordPress plugin against authorization bypasses, developers should follow these principles:\n\n*   **Implement Capability Checks:** Every function that performs a sensitive action must explicitly check if the current user has the required permission using the `current_user_can()` function.\n*   **Enforce Nonce Validation:** Use WordPress nonces (`wp_create_nonce`, `check_admin_referer`, `check_ajax_referer`) to protect against Cross-Site Request Forgery (CSRF). While nonces are not a replacement for authorization, they ensure that the request was intended by the user.\n*   **Principle of Least Privilege:** Actions should require the most restrictive capability possible (e.g., `manage_options` for site-wide settings) rather than generic capabilities like `read`.\n*   **Restrict Entry Points:** Avoid processing sensitive data directly within broad hooks like `init` unless the logic includes immediate and robust authorization checks.\n\nFor further information on securing WordPress plugins, you can consult the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) or the [OWASP Top 10 guide on Broken Access Control](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2021\u002FA01_2021-Broken_Access_Control).","The Newsletters plugin for WordPress is vulnerable to unauthorized access and session hijacking in versions up to 4.13. This is caused by missing capability and nonce checks in user deletion handlers, alongside the use of predictable MD5-based authentication tokens for subscriber sessions, allowing unauthenticated attackers to perform administrative actions or impersonate subscribers.","\u002F\u002F helpers\u002Fauth.php (lines 20-25)\n\u002F\u002F The logged_in function trusts the subscriberauth cookie\u002Fsession token if found in the database \n\u002F\u002F without checking if the token is a predictable value based on the user's public ID.\n\nif (!empty($subscriber_id) && $subscriber = $Db -> find(array('id' => $subscriber_id), false, false, true, true, false)) {\n    return $subscriber;\n} elseif (!empty($subscriberauth) && $subscriber = $Db -> find(array('cookieauth' => $subscriberauth), false, false, true, true, false)) {\t\t\t\n    return $subscriber;\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnewsletters-lite\u002F4.13\u002Fhelpers\u002Fauth.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnewsletters-lite\u002F4.14\u002Fhelpers\u002Fauth.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnewsletters-lite\u002F4.13\u002Fhelpers\u002Fauth.php\t2026-06-10 07:08:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fnewsletters-lite\u002F4.14\u002Fhelpers\u002Fauth.php\t2026-06-10 08:19:24.000000000 +0000\n@@ -20,8 +20,12 @@\n \t\t\n \t\tif (!empty($subscriber_id) && $subscriber = $Db -> find(array('id' => $subscriber_id), false, false, true, true, false)) {\n \t\t\treturn $subscriber;\n-\t\t} elseif (!empty($subscriberauth) && $subscriber = $Db -> find(array('cookieauth' => $subscriberauth), false, false, true, true, false)) {\t\t\t\n-\t\t\treturn $subscriber;\n+\t\t} elseif (!empty($subscriberauth) && $subscriber = $Db -> find(array('cookieauth' => $subscriberauth), false, false, true, true, false)) {\n+\n+            \u002F\u002F VULNERABILITY PATCH: Reject predictable tokens to prevent session takeover\n+            if ($subscriberauth === md5($subscriber->id)) {\n+                return false;\n+            }\n+            return $subscriber;\n \t\t} elseif (!empty($user_id) && $subscriber = $Db -> find(array('user_id' => $user_id))) {\n \t\t\treturn $subscriber;\n \t\t}","The vulnerability can be exploited through two primary vectors:\n\n1. **Session Hijacking via Predictable Tokens**: An attacker can identify a target subscriber's ID (which is often sequential and public). By setting a `subscriberauth` cookie to the MD5 hash of that ID, the attacker can bypass authentication because the plugin's `logged_in` helper accepts this predictable token as a valid session identifier.\n\n2. **Unauthorized User Deletion**: The plugin registers handlers for deleting users (such as `deleteuser` or the bulk `deleteusers` action in `subscribers\u002Funsubscribes.php`) without implementing `current_user_can()` capability checks or verifying CSRF nonces. An attacker can send a direct POST request to the administrative management endpoints (e.g., via `admin.php?page=newsletters-subscribers&method=unsubscribemass`) containing the targeted user IDs to delete them from the system without being an administrator.","gemini-3-flash-preview","2026-06-25 21:25:34","2026-06-25 21:26:50",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletters-lite\u002Ftags\u002F4.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnewsletters-lite.4.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletters-lite\u002Ftags\u002F4.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnewsletters-lite.4.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletters-lite\u002Ftags"]