[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkSL8w9e_3iMqJNJOA4hfpje_jRkVk_Ns4m7jiraljVE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-25308","simple-membership-missing-authorization-2","Simple Membership \u003C= 4.6.9 - Missing Authorization","The Simple Membership plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","simple-membership",null,"\u003C=4.6.9","4.7.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-19 00:00:00","2026-05-04 15:26:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6b7ce040-32b7-4440-be4f-d33fe9c49e51?source=api-prod",106,[22,23,24,25,26,27,28],"classes\u002Fclass.simple-wp-membership.php","classes\u002Fclass.swpm-front-registration.php","css\u002Fswpm.common.css","readme.txt","simple-wp-membership.php","views\u002Fadmin_add_level.php","views\u002Fadmin_edit_level.php","researched",false,3,"# Research Plan: CVE-2026-25308 Missing Authorization in Simple Membership\n\n## 1. Vulnerability Summary\nThe **Simple Membership** plugin for WordPress (up to and including version 4.6.9) contains a missing authorization vulnerability. This flaw allows authenticated users with **Subscriber-level** privileges to perform actions intended for administrators. Specifically, the plugin fails to perform a `current_user_can('manage_options')` check on several AJAX handlers and self-action processing routines, relying solely on nonce verification. Because certain nonces are exposed to all authenticated users or the checks are missing entirely, Subscribers can modify membership levels or manipulate member data.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoints**: \n    1. `wp-admin\u002Fadmin-ajax.php` via various `swpm_` prefixed actions.\n    2. Frontend pages containing the `[swpm_profile_form]` shortcode (which triggers member data updates).\n- **Vulnerable Action**: `swpm_save_membership_level` or the profile update handler in `SwpmFrontRegistration` (and its parent `SwpmRegistration`).\n- **Payload Parameters**:\n    - `action`: `swpm_admin_save_membership_level` (AJAX) OR the form submission via `swpm_edit_profile_submit`.\n    - `membership_level`: The target ID to elevate the account to.\n    - `account_status`: `active`.\n- **Authentication**: Required (Subscriber","The Simple Membership plugin for WordPress is vulnerable to unauthorized privilege escalation via the frontend profile update form. Due to a missing field whitelist and insufficient authorization checks, authenticated users with Subscriber-level access can modify sensitive account fields, such as their membership level and account status, by injecting extra parameters into the profile update request.","\u002F* classes\u002Fclass.swpm-front-registration.php (approx line 459 in v4.6.9) *\u002F\n\n\t\t\t\u002F\u002F ... [The code populates $member_info from $_POST data earlier] ...\n\n\t\t\t\u002F\u002FUpdate the data in the swpm database.\n\t\t\t$swpm_id = $auth->get( 'member_id' );\n\t\t\t\u002F\u002FSwpmLog::log_simple_debug(\"Updating member profile data with SWPM ID: \" . $swpm_id, true);\n\t\t\t$swpm_user_data = array_filter( $member_info );\n\t\t\t$wp_user_info = array();\n\n\u002F* The vulnerability is the lack of filtering on $member_info before it is used to update the database record. *\u002F","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-membership\u002F4.6.9\u002Fclasses\u002Fclass.simple-wp-membership.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-membership\u002F4.7.0\u002Fclasses\u002Fclass.simple-wp-membership.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-membership\u002F4.6.9\u002Fclasses\u002Fclass.simple-wp-membership.php\t2025-08-31 06:58:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-membership\u002F4.7.0\u002Fclasses\u002Fclass.simple-wp-membership.php\t2026-01-21 09:27:20.000000000 +0000\n@@ -903,7 +903,7 @@\n \twp_register_style(\"swpm.stripe.style\", \"https:\u002F\u002Fcheckout.stripe.com\u002Fv3\u002Fcheckout\u002Fbutton.css\", array(), SIMPLE_WP_MEMBERSHIP_VER);\n     }\n \n-    public static function enqueue_validation_scripts_v2($handle, $params = null){\n+    public static function enqueue_validation_scripts_v2($handle, $params = array()){\n \n         if ( ! wp_script_is( $handle, 'registered' ) ) {\n             wp_register_script($handle, SIMPLE_WP_MEMBERSHIP_URL . \"\u002Fjs\u002F\".$handle.\".js\", null, SIMPLE_WP_MEMBERSHIP_VER, true);\n@@ -947,14 +947,19 @@\n             ),\n             \"pp\" => array(\n                 \"required\" => __(\"You must accept the privacy policy\", \"simple-membership\")\n-            )\n+            ),\n+\n+\t        \u002F\u002F Membership Level related:\n+            \"membershipLevelAlias\" => array(\n+\t            \"required\" => __(\"Membership level name is required\", \"simple-membership\")\n+            ),\n         );\n \n         $ajax_url =  admin_url('admin-ajax.php');\n \n         wp_add_inline_script($handle, \"var swpmFormValidationAjax = \".wp_json_encode(array(\n             'ajax_url' => $ajax_url,\n-            'query_args' => $params['query_args'],\n+            'query_args' => isset($params['query_args']) ? $params['query_args'] : array(),\n         )), \"before\");\n        \n         wp_add_inline_script($handle, \"var form_id = '\".$params['form_id'].\"';\", \"before\");\n@@ -982,7 +987,7 @@\n             wp_add_inline_script($handle, \"var strong_password_enabled = \".$params['is_strong_password_enabled'].\";\", \"before\");\n         }\n \n-        wp_localize_script($handle, \"validationMsg\",$validation_messages);\n+        wp_localize_script($handle, \"validationMsg\", $validation_messages);\n \n         wp_enqueue_script($handle);\n     }  \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-membership\u002F4.6.9\u002Fclasses\u002Fclass.swpm-front-registration.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-membership\u002F4.7.0\u002Fclasses\u002Fclass.swpm-front-registration.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-membership\u002F4.6.9\u002Fclasses\u002Fclass.swpm-front-registration.php\t2025-06-29 03:16:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsimple-membership\u002F4.7.0\u002Fclasses\u002Fclass.swpm-front-registration.php\t2026-01-21 09:27:20.000000000 +0000\n@@ -459,6 +459,24 @@\n \t\t\t\t$password_also_changed = true;\n \t\t\t}\n \n+\t\t\t\u002F\u002F Only these fields are whitelisted for front end profile update.\n+\t\t\t$accepted_fields = array(\n+    \t\t\t'email',\n+\t\t\t\t'password',\n+    \t\t\t'first_name',\n+    \t\t\t'last_name',\n+    \t\t\t'phone',\n+    \t\t\t'address_street',\n+    \t\t\t'address_city',\n+    \t\t\t'address_state',\n+    \t\t\t'address_zipcode',\n+    \t\t\t'country',\n+    \t\t\t'company_name',\n+\t\t\t);\n+\n+\t\t\t\u002F\u002F Remove unwanted fields:\n+\t\t\t$member_info = array_intersect_key($member_info, array_flip($accepted_fields));\n+\n \t\t\t\u002F\u002FUpdate the data in the swpm database.\n \t\t\t$swpm_id = $auth->get( 'member_id' );\n \t\t\t\u002F\u002FSwpmLog::log_simple_debug(\"Updating member profile data with SWPM ID: \" . $swpm_id, true);","1. Login to the WordPress site as a low-privileged user (e.g., Subscriber).\n2. Navigate to the frontend profile edit page, which is typically rendered via the [swpm_profile_form] shortcode.\n3. Prepare a POST request to update the profile (triggered by the 'swpm_edit_profile_submit' action).\n4. In the POST payload, include standard fields (like first_name) but also append unauthorized administrative parameters, such as 'membership_level' set to the ID of a premium level and 'account_status' set to 'active'.\n5. Submit the request. Because the vulnerable version (\u003C= 4.6.9) lacks a whitelist for profile fields and doesn't check capabilities for specific field updates, the plugin will process the 'membership_level' change, effectively elevating the attacker's privileges.","gemini-3-flash-preview","2026-05-05 06:33:50","2026-05-05 06:35:01",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.6.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-membership\u002Ftags\u002F4.6.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-membership.4.6.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-membership\u002Ftags\u002F4.7.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-membership.4.7.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-membership\u002Ftags"]