[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZMQwiBWNWuDw0GPqAUhHYAsvK-u4WIVsFzrofVVFE7Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32394","publishpress-capabilities-missing-authorization","PublishPress Capabilities \u003C= 2.31.0 - Missing Authorization","The PublishPress Capabilities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.31.0. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","capability-manager-enhanced",null,"\u003C=2.31.0","2.32.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-20 00:00:00","2026-04-15 21:11:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F04cd7528-65af-4280-a683-ffedf66a6940?source=api-prod",55,[22,23,24,25,26,27,28,29],"CHANGELOG.md","capsman-enhanced.php","common\u002Fcss\u002Fadmin.css","common\u002Fjs\u002Fadmin.dev.js","common\u002Fjs\u002Fadmin.js","includes\u002Fadmin-load.php","includes\u002Ffeatures\u002Fadmin-styles\u002Fadmin-styles-css.php","includes\u002Ffeatures\u002Fadmin-styles\u002Fadmin-styles-ui.php","researched",false,3,"s write the plan.\n\n    *Self-Correction on Nonce*: In PublishPress, the nonce for AJAX is often named `security` in the POST body but localized as `nonce` in the JS object.\n\n    *Identifier check*:\n    `saveDashboardFeature`\n    `ajaxUpdateAdminFeatureSettings`\n    Both in `PP_Capabilities_Admin_UI`.\n    Registered in `includes\u002Fadmin-load.php`.\n\n    The `saveDashboardFeature` is the most impactful for a \"Missing Authorization\" (enabling\u002Fdisabling entire modules).\n\n    *One final check on the version*:\n    Vulnerable \u003C= 2.31.0.\n    In 2.31.0, \"Admin Styles\" is disabled by default.\n    So an exploit would be to *enable* it via `save_dashboard_feature_by_ajax`.\n\n    *What is the option?*\n    It's likely `cme_features_status`.\n\n    Wait, let's look at `includes\u002Fadmin-load.php` around line 50.\n    It calls `new \\PublishPress\\Capabilities\\CoreAdmin();`.\n    CoreAdmin likely handles the save logic.\n\n    I'll structure the plan to find the nonce on the profile page and then hit the AJAX endpoint.# Vulnerability Research Plan: CVE-2026-32394 (PublishPress Capabilities \u003C= 
2.31.0)\n\n## 1. Vulnerability Summary\nThe **PublishPress","The PublishPress Capabilities plugin for WordPress fails to perform authorization checks on several AJAX endpoints in versions up to and including 2.31.0. This allows authenticated attackers with subscriber-level access to perform unauthorized actions, such as enabling or disabling plugin features and modules.","\u002F\u002F includes\u002Fadmin-load.php lines 38-42\nif (is_admin()) {\n    \u002F\u002F Redirect on plugin activation\n    add_action('admin_init', [$this, 'redirect_on_activate'], 2000);\n\n    add_action('admin_init', [$this, 'featureRestrictionsClassic'], PHP_INT_MAX - 1);\n    add_action('wp_ajax_save_dashboard_feature_by_ajax', [$this, 'saveDashboardFeature']);\n\n    \u002F\u002F Admin feature settings update ajax callback\n    add_action('wp_ajax_ppc_update_admin_feature_settings', [$this, 'ajaxUpdateAdminFeatureSettings']);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcapability-manager-enhanced\u002F2.31.0\u002Fcapsman-enhanced.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcapability-manager-enhanced\u002F2.32.0\u002Fcapsman-enhanced.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcapability-manager-enhanced\u002F2.31.0\u002Fcapsman-enhanced.php\t2026-01-29 14:27:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcapability-manager-enhanced\u002F2.32.0\u002Fcapsman-enhanced.php\t2026-02-18 16:50:52.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name: PublishPress Capabilities\n  * Plugin URI: https:\u002F\u002Fpublishpress.com\u002Fcapability-manager\u002F\n  * Description: PublishPress Capabilities is the access control plugin for WordPress. 
You can manage all your WordPress user roles, from Administrators to Subscribers.\n- * Version: 2.31.0\n+ * Version: 2.32.0\n  * Author: PublishPress\n  * Author URI: https:\u002F\u002Fpublishpress.com\u002F\n  * Text Domain: capability-manager-enhanced\n@@ -69,7 +69,7 @@\n add_action('plugins_loaded', function () {\n \n \tif (!defined('CAPSMAN_VERSION')) {\n-\t\tdefine('CAPSMAN_VERSION', '2.31.0');\n+\t\tdefine('CAPSMAN_VERSION', '2.32.0');\n \t\tdefine('CAPSMAN_ENH_VERSION', CAPSMAN_VERSION);\n \t\tdefine('PUBLISHPRESS_CAPS_VERSION', CAPSMAN_VERSION);\n \t}","To exploit this vulnerability, an attacker first authenticates to the WordPress site as a low-privileged user (e.g., Subscriber). Since the plugin enqueues scripts that expose nonces to authenticated users in the admin dashboard or profile pages, the attacker extracts a valid nonce (typically localized in the JavaScript object for the plugin). The attacker then sends a POST request to the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint with the `action` parameter set to `save_dashboard_feature_by_ajax` or `ppc_update_admin_feature_settings`. 
By supplying specific feature keys and status values in the payload, the attacker can toggle critical plugin modules, such as enabling the 'Admin Styles' or 'Admin Features' modules, an action that is intended to be restricted to administrators. This outline is unverified (no proof of concept was run); the nonce exposure and payload fields it assumes should be confirmed against the 2.31.0 source, and affected sites are remediated by updating to 2.32.0.","gemini-3-flash-preview","2026-04-19 02:07:31","2026-04-19 02:08:22",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.31.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcapability-manager-enhanced\u002Ftags\u002F2.31.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcapability-manager-enhanced.2.31.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcapability-manager-enhanced\u002Ftags\u002F2.32.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcapability-manager-enhanced.2.32.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcapability-manager-enhanced\u002Ftags"]