CVE-2026-32394

PublishPress Capabilities <= 2.31.0 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 2.32.0
Time to patch: 55d

Description

The PublishPress Capabilities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.31.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.31.0
Published: February 20, 2026
Last updated: April 15, 2026

What Changed in the Fix

Changes introduced in v2.32.0


Source Code

WordPress.org SVN
Research Plan
Unverified



s write the plan.

*Self-Correction on Nonce*: In PublishPress, the nonce for AJAX is often named `security` in the POST body but localized as `nonce` in the JS object.

*Identifier check*:
`saveDashboardFeature`
`ajaxUpdateAdminFeatureSettings`
Both in `PP_Capabilities_Admin_UI`.
Registered in `includes/admin-load.php`.

The `saveDashboardFeature` is the most impactful for a "Missing Authorization" (enabling/disabling entire modules).

*One final check on the version*:
Vulnerable <= 2.31.0.
In 2.31.0, "Admin Styles" is disabled by default.
So an exploit would be to *enable* it via `save_dashboard_feature_by_ajax`.

*What is the option?*
It's likely `cme_features_status`.

Wait, let's look at `includes/admin-load.php` around line 50.
It calls `new \PublishPress\Capabilities\CoreAdmin();`.
CoreAdmin likely handles the save logic.

I'll structure the plan to find the nonce on the profile page and then hit the AJAX endpoint.

Vulnerability Research Plan: CVE-2026-32394 (PublishPress Capabilities <= 2.31.0)

1. Vulnerability Summary

The **PublishPress

Research Findings
Static analysis — not yet PoC-verified

Summary

The PublishPress Capabilities plugin for WordPress fails to perform authorization checks on several AJAX endpoints in versions up to and including 2.31.0. This allows authenticated attackers with subscriber-level access to perform unauthorized actions, such as enabling or disabling plugin features and modules.

Vulnerable Code

// includes/admin-load.php lines 38-42
if (is_admin()) {
    // Redirect on plugin activation
    add_action('admin_init', [$this, 'redirect_on_activate'], 2000);

    add_action('admin_init', [$this, 'featureRestrictionsClassic'], PHP_INT_MAX - 1);
    // wp_ajax_ hooks fire for any logged-in user; per the advisory, the callback
    // itself performs no capability check before acting on the request
    add_action('wp_ajax_save_dashboard_feature_by_ajax', [$this, 'saveDashboardFeature']);

    // Admin feature settings update ajax callback (same situation as above)
    add_action('wp_ajax_ppc_update_admin_feature_settings', [$this, 'ajaxUpdateAdminFeatureSettings']);
} // closing brace of the is_admin() block; not part of the quoted lines 38-42
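The following is an added illustration, not code from PublishPress Capabilities: a minimal admin-AJAX handler registered the same way as the snippet above, shown first in the vulnerable shape (no authorization at all) and then with the two checks such a handler needs, a nonce check and a capability check. The class name, the `example_feature_*` action names, the `example_features_status` option and the `example_feature_nonce` action are placeholders; the plugin's real option and nonce names are not given on this page, and `manage_options` is assumed to be the intended administrative capability.

```php
<?php
// Added example (hypothetical, not PublishPress code). Shows a wp_ajax_
// handler with a missing capability check beside its hardened form.

// Placeholder names: the plugin's real option and nonce names are not on this page.
const EXAMPLE_OPTION       = 'example_features_status';
const EXAMPLE_NONCE_ACTION = 'example_feature_nonce';

class Example_Admin_UI {
    public function __construct() {
        // Same registration style as includes/admin-load.php, pointing at our handlers.
        add_action('wp_ajax_example_feature_vulnerable', [$this, 'save_feature_vulnerable']);
        add_action('wp_ajax_example_feature_hardened',   [$this, 'save_feature_hardened']);
    }

    // VULNERABLE: wp_ajax_ only requires that the caller be logged in, so any
    // subscriber can flip a feature flag here; neither nonce nor capability is checked.
    public function save_feature_vulnerable() {
        $feature  = isset($_POST['feature']) ? sanitize_key($_POST['feature']) : '';
        $status   = !empty($_POST['status']) ? 1 : 0;
        $features = (array) get_option(EXAMPLE_OPTION, []);
        $features[$feature] = $status;
        update_option(EXAMPLE_OPTION, $features);
        wp_send_json_success($features);
    }

    // HARDENED: the caller must present a valid nonce AND hold an admin capability.
    public function save_feature_hardened() {
        // check_ajax_referer() terminates the request with "-1" if the nonce is bad.
        // 'security' is the POST field name; the research plan on this page notes that
        // PublishPress commonly uses that name, but treat it as an assumption here.
        check_ajax_referer(EXAMPLE_NONCE_ACTION, 'security');

        // A nonce proves the request originated from a page this user loaded; it is
        // NOT an authorization check. This capability check is what the advisory says
        // was missing in <= 2.31.0.
        if (!current_user_can('manage_options')) {
            wp_send_json_error(['message' => 'Insufficient permissions'], 403);
        }

        $feature = isset($_POST['feature']) ? sanitize_key($_POST['feature']) : '';
        if ($feature === '') {
            wp_send_json_error(['message' => 'Missing feature key'], 400);
        }
        $status = !empty($_POST['status']) ? 1 : 0;

        $features = (array) get_option(EXAMPLE_OPTION, []);
        $features[$feature] = $status;
        update_option(EXAMPLE_OPTION, $features);
        wp_send_json_success($features);
    }
}

new Example_Admin_UI();
```

The order of the two checks in the hardened handler is deliberate: the nonce check is cheap and stops cross-site requests, but on its own it would still let a subscriber who legitimately loaded a page carrying the nonce call the endpoint, which is exactly the situation the advisory describes. Only the `current_user_can()` call closes the hole.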

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/capability-manager-enhanced/2.31.0/capsman-enhanced.php /home/deploy/wp-safety.org/data/plugin-versions/capability-manager-enhanced/2.32.0/capsman-enhanced.php
--- /home/deploy/wp-safety.org/data/plugin-versions/capability-manager-enhanced/2.31.0/capsman-enhanced.php	2026-01-29 14:27:02.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/capability-manager-enhanced/2.32.0/capsman-enhanced.php	2026-02-18 16:50:52.000000000 +0000
@@ -3,7 +3,7 @@
  * Plugin Name: PublishPress Capabilities
  * Plugin URI: https://publishpress.com/capability-manager/
  * Description: PublishPress Capabilities is the access control plugin for WordPress. You can manage all your WordPress user roles, from Administrators to Subscribers.
- * Version: 2.31.0
+ * Version: 2.32.0
  * Author: PublishPress
  * Author URI: https://publishpress.com/
  * Text Domain: capability-manager-enhanced
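Review bot: this hunk changes only the `Version:` header line from 2.31.0 to 2.32.0; no authorization logic is touched, so it cannot by itself be the fix the advisory describes. The version bump is fine, but the change worth reviewing is the one that adds a capability check to the callbacks named in the "Vulnerable Code" section, and that hunk is not shown here.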
@@ -69,7 +69,7 @@
 add_action('plugins_loaded', function () {
 
 	if (!defined('CAPSMAN_VERSION')) {
-		define('CAPSMAN_VERSION', '2.31.0');
+		define('CAPSMAN_VERSION', '2.32.0');
 		define('CAPSMAN_ENH_VERSION', CAPSMAN_VERSION);
 		define('PUBLISHPRESS_CAPS_VERSION', CAPSMAN_VERSION);
 	}
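Review bot: the `define('CAPSMAN_VERSION', ...)` change is again a pure version bump, and the diff ends here with no hunk for `includes/admin-load.php` or for the `saveDashboardFeature` / `ajaxUpdateAdminFeatureSettings` callbacks, so the page does not actually show the authorization fix. Suggest including the hunk that adds the `current_user_can(...)` (and nonce) check to those handlers, or stating explicitly that the fix lives in a file outside this diff, so readers can verify what 2.32.0 changed rather than inferring it from the version constant.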

Exploit Outline

To exploit this vulnerability, an attacker first authenticates to the WordPress site as a low-privileged user (e.g., Subscriber). Since the plugin enqueues scripts that expose nonces to authenticated users in the admin dashboard or profile pages, the attacker extracts a valid nonce (typically localized in the JavaScript object for the plugin). The attacker then sends a POST request to the `/wp-admin/admin-ajax.php` endpoint with the `action` parameter set to `save_dashboard_feature_by_ajax` or `ppc_update_admin_feature_settings`. By supplying specific feature keys and status values in the payload, the attacker can toggle critical plugin modules, such as enabling the 'Admin Styles' or 'Admin Features' modules, which are intended to be restricted to administrators.
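As an added example from the defender's side (not PublishPress code), the mu-plugin below is a stop-gap a site owner could drop into `wp-content/mu-plugins/` while waiting to update to 2.32.0: it hooks the two AJAX action names quoted in the "Vulnerable Code" section at priority 0, so it runs before the plugin's own callbacks (which are registered at WordPress's default priority 10), logs any call from a user without the administrative capability, and stops the request. It assumes `manage_options` is the only capability that should reach these endpoints; the log line format and the `example_` prefix are this example's own choices.

```php
<?php
/**
 * Plugin Name: Example guard for PublishPress Capabilities AJAX actions
 * Description: Added example, not PublishPress code. Temporary mitigation for
 *              CVE-2026-32394 until 2.32.0 is installed; remove it afterwards.
 */

// The two action names come from the "Vulnerable Code" excerpt on this page.
const EXAMPLE_GUARDED_ACTIONS = [
    'save_dashboard_feature_by_ajax',
    'ppc_update_admin_feature_settings',
];

// Assumption: administrators (manage_options) are the only intended callers.
function example_guard_admin_feature_ajax() {
    if (current_user_can('manage_options')) {
        return; // legitimate caller; let the plugin's own callback run next
    }

    $user = wp_get_current_user();

    // Detection: record who attempted the call, from where, and which action.
    // Only the hook name is logged; nothing from the POST body is echoed into the log.
    error_log(sprintf(
        'ppc-guard: blocked action=%s user_id=%d login=%s ip=%s',
        current_action(),
        $user->ID,
        $user->user_login,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));

    // wp_send_json_error() calls wp_die(), so the plugin's handler never executes.
    wp_send_json_error(['message' => 'Forbidden'], 403);
}

foreach (EXAMPLE_GUARDED_ACTIONS as $action) {
    // Priority 0 runs ahead of callbacks added at the default priority 10.
    add_action('wp_ajax_' . $action, 'example_guard_admin_feature_ajax', 0);
}
```

Because the guard keys on the capability rather than on the nonce, it does not matter that subscribers can legitimately obtain the nonce from a page they are allowed to load. Entries tagged `ppc-guard: blocked` in the PHP error log are the signal to look for when reviewing whether anyone probed these endpoints before the update.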
