[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fc_RmgbhaAeZl2LRuj7STDnZ-2NxRigrhk-3pp7Ovidk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-24522","subscribe-missing-authorization","Subscribe \u003C= 1.2.16 - Missing Authorization","The Subscribe plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.16. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","wp-subscribe",null,"\u003C=1.2.16","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-26 00:00:00","2026-02-02 16:22:54",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F83a7e451-6d8f-48aa-9774-46e3d4434330?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-24522 (WP Subscribe)\n\n## 1. Vulnerability Summary\nThe **WP Subscribe** plugin (versions \u003C= 1.2.16) contains a missing authorization vulnerability in its AJAX handling logic. 
Specifically, the plugin registers one or more AJAX actions using the `wp_ajax_` hook (available to all authenticated users) but fails to perform a `current_user_can()` capability check within the corresponding callback functions. This allows a user with the lowest privileges (Subscriber) to perform unauthorized actions, such as modifying plugin settings or dismissing critical administrative notices.\n\nBased on the CVSS vector (`C:N\u002FI:L\u002FA:N`), the vulnerability does not leak information but allows for a low-impact unauthorized modification (Integrity: Low), which is characteristic of functions like `wps_dismiss_notice` or minor configuration toggles.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Hook:** `wp_ajax_wps_dismiss_notice` (High probability) or other `wp_ajax_wps_*` actions.\n- **Payload Parameter:** `action=wps_dismiss_notice` & `_wpnonce=[nonce]`.\n- **Authentication:** Subscriber-level account or higher.\n- **Preconditions:** The plugin must be active. For notice dismissal, the notice must typically be in a state where it *can* be dismissed (though the logic often just blindly updates an option).\n\n## 3. Code Flow\n1. **Registration:** In `admin\u002Fclass-wp-subscribe-admin.php` (or similar), the plugin registers the hook:\n   `add_action( 'wp_ajax_wps_dismiss_notice', array( $this, 'wps_dismiss_notice' ) );`\n2. **Entry:** An authenticated user sends a POST request to `admin-ajax.php` with `action=wps_dismiss_notice`.\n3. **Execution:** WordPress triggers the `wps_dismiss_notice` method.\n4. **Sink:** The function calls `update_option( 'wps_notice_dismissed', 1 )` or a similar state-changing function without verifying if the user has the `manage_options` capability.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely uses `wp_localize_script` to pass a nonce to the admin dashboard. 
While Subscribers cannot access the main settings page, they **can** access `wp-admin\u002Fprofile.php`, and WordPress often enqueues admin scripts across all admin pages.\n\n1. **Identification:** Search for `wp_create_nonce` or `check_ajax_referer` in the plugin source to identify the nonce action string (likely `'wps_nonce'`).\n2. **Shortcode\u002FPage Check:** If the nonce is only loaded on specific pages, check `includes\u002Fadmin.php` for `wp_enqueue_script` calls.\n3. **Extraction:**\n   - Use `browser_navigate` to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fprofile.php` as the Subscriber user.\n   - Use `browser_eval` to extract the nonce:\n     `browser_eval(\"window.wps_admin?.nonce || window.wp_subscribe?.nonce\")`\n     *(Note: Verify the exact JS object name in the source via `grep -r \"wp_localize_script\" .`)*\n\n## 5. Exploitation Strategy\n1. **Identify the vulnerable action:**\n   - Run: `grep -r \"wp_ajax_\" .` to find all authenticated AJAX actions.\n   - For each action, find the callback function and check for `current_user_can`.\n   - Focus on functions modifying state (`update_option`, `delete_option`).\n2. **Prepare the request:**\n   - URL: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - Method: `POST`\n   - Headers: `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Subscriber Cookies]`\n   - Body: `action=wps_dismiss_notice&_wpnonce=[extracted_nonce]`\n3. **Execution:** Use `http_request` to send the payload.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `wp-subscribe` version 1.2.16 is installed.\n2. **Create User:**\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3. **Verify Initial State:**\n   `wp option get wps_notice_dismissed` (Expected: error or 0).\n\n## 7. 
Expected Results\n- **HTTP Response:** `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n- **Effect:** The internal WordPress option used to track the notice state is updated, effectively \"silencing\" the notice for the actual administrator.\n\n## 8. Verification Steps\n1. **Check Option State:**\n   `wp option get wps_notice_dismissed`\n   If the value is now `1`, the unauthorized action was successful.\n2. **Check for other impacts:**\n   If the action was `wp_subscribe_save_options`, check if plugin settings were modified:\n   `wp option get wp_subscribe_settings`\n\n## 9. Alternative Approaches\nIf `wps_dismiss_notice` is properly protected, investigate:\n- **`wps_save_widget_settings`**: Check if it allows modifying widget instances via AJAX without capability checks.\n- **`wps_clear_log`**: Check if a Subscriber can clear plugin activity logs.\n- **Bypassing Nonces:** If `check_ajax_referer` is called with the third parameter `$die = false` and the return value is not checked, the nonce is irrelevant. Look for: `check_ajax_referer( '...', '...', false );`.","The WP Subscribe plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in its AJAX handler for dismissing notices. 
Authenticated attackers with subscriber-level permissions can exploit this to perform unauthorized actions such as suppressing administrative notifications for all users.","\u002F\u002F admin\u002Fclass-wp-subscribe-admin.php\n\nadd_action( 'wp_ajax_wps_dismiss_notice', array( $this, 'wps_dismiss_notice' ) );\n\n---\n\n\u002F\u002F admin\u002Fclass-wp-subscribe-admin.php around line 100\npublic function wps_dismiss_notice() {\n    check_ajax_referer( 'wps_nonce', 'security' );\n    update_option( 'wps_notice_dismissed', 1 );\n    wp_send_json_success();\n}","--- a\u002Fadmin\u002Fclass-wp-subscribe-admin.php\n+++ b\u002Fadmin\u002Fclass-wp-subscribe-admin.php\n@@ -100,5 +100,9 @@\n \tpublic function wps_dismiss_notice() {\n \t\tcheck_ajax_referer( 'wps_nonce', 'security' );\n+\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_die( -1 );\n+\t\t}\n+\n \t\tupdate_option( 'wps_notice_dismissed', 1 );\n \t\twp_send_json_success();\n \t}","The exploit target is the `wps_dismiss_notice` AJAX action registered via `wp_ajax_`. An attacker first authenticates as a Subscriber user and accesses an admin page like `profile.php` to extract the `wps_nonce` from the localized script data (e.g., `window.wps_admin.nonce`). They then send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with `action=wps_dismiss_notice` and the extracted nonce in the `security` parameter. Because the plugin lacks a `current_user_can('manage_options')` check, the request succeeds, allowing the Subscriber to update the `wps_notice_dismissed` WordPress option.","gemini-3-flash-preview","2026-05-05 00:15:43","2026-05-05 00:16:19",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-subscribe\u002Ftags"]
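Review bot: the capability check added to `wps_dismiss_notice` in the fix diff refuses with a bare `wp_die( -1 )`, which in an admin-ajax context sends the `-1` body with a 200 status, so a caller or a log pipeline cannot tell the refusal from a success. WordPress core's own nonce-failure path in `check_ajax_referer` uses `wp_die( -1, 403 )`; pass the 403 here too, or use `wp_send_json_error( null, 403 )` to mirror the `wp_send_json_success()` on the success path. The hunk header `@@ -100,5 +100,9 @@` also does not match the hunk body, which keeps 5 context lines and adds 5 (new-side count should be 10); regenerate the diff so it applies cleanly.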
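The audit loop the research plan describes in sections 5 and 9 (grep for `wp_ajax_` registrations, locate each callback, check for `current_user_can`, and spot `check_ajax_referer( ..., false )` whose result is ignored) is mechanical enough to script. The following is an added example written for this page, not code from the plugin or from the research above. The PHP it scans is a constructed sample that imitates the registration/callback pattern described in the plan; the class name `WPS_Admin`, the actions `wps_save_options`, `wps_clear_log` and `wps_subscribe`, and the option `wps_log` are assumptions made up for the sample and do not come from the real wp-subscribe source.

```python
"""Static triage for WordPress wp_ajax_* handlers.

Implements the audit loop from sections 5 and 9 of the research plan:
find every wp_ajax_ registration, locate its callback, and flag callbacks
that change state (update/add/delete_option) with no current_user_can()
check, plus callbacks whose check_ajax_referer() is called with
$die = false and the return value ignored.  The PHP below is a constructed
sample written for this example; it is not the wp-subscribe source.
"""
import re

SAMPLE_PHP = r'''<?php
class WPS_Admin {
    public function __construct() {
        add_action( 'wp_ajax_wps_dismiss_notice', array( $this, 'wps_dismiss_notice' ) );
        add_action( 'wp_ajax_wps_save_options', array( $this, 'wps_save_options' ) );
        add_action( 'wp_ajax_wps_clear_log', array( $this, 'wps_clear_log' ) );
        add_action( 'wp_ajax_nopriv_wps_subscribe', array( $this, 'wps_subscribe' ) );
    }

    public function wps_dismiss_notice() {          // nonce only: flagged
        check_ajax_referer( 'wps_nonce', 'security' );
        update_option( 'wps_notice_dismissed', 1 );
        wp_send_json_success();
    }

    public function wps_save_options() {            // nonce + capability: clean
        check_ajax_referer( 'wps_nonce', 'security' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( -1, 403 );
        }
        update_option( 'wp_subscribe_settings', $_POST['settings'] );
        wp_send_json_success();
    }

    public function wps_clear_log() {               // $die = false, result ignored
        check_ajax_referer( 'wps_nonce', 'security', false );
        delete_option( 'wps_log' );
        wp_send_json_success();
    }

    public function wps_subscribe() {               // nopriv, but changes nothing
        wp_send_json_success();
    }
}
'''

HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*"""
    r"""(?:array\(\s*\$this\s*,\s*['"](\w+)['"]\s*\)|['"](\w+)['"])"""
)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
STATE_RE = re.compile(r"\b(?:update|add|delete)_option\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
# A bare statement `check_ajax_referer( ..., false );` verifies nothing:
# with $die = false the function only returns false, and nobody looks.
UNENFORCED_NONCE_RE = re.compile(
    r"^\s*check_ajax_referer\s*\([^;]*,\s*false\s*\)\s*;", re.MULTILINE
)


def function_bodies(src):
    """Map function name -> body by brace matching from each header.
    Simplification: braces inside PHP strings or comments are not skipped."""
    bodies = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
            i += 1
        bodies[m.group(1)] = src[m.end():i - 1]
    return bodies


def audit(src):
    """Return one finding dict per wp_ajax_ / wp_ajax_nopriv_ registration."""
    bodies = function_bodies(src)
    findings = []
    for m in HOOK_RE.finditer(src):
        nopriv, action, method, func = m.groups()
        body = bodies.get(method or func, "")
        state_changing = bool(STATE_RE.search(body))
        findings.append({
            "action": action,
            "callback": method or func,
            "unauthenticated": nopriv is not None,
            "state_changing": state_changing,
            # the CVE-2026-24522 pattern: a state change any logged-in user can reach
            "missing_capability_check": bool(state_changing and not CAP_RE.search(body)),
            "nonce_not_enforced": bool(UNENFORCED_NONCE_RE.search(body)),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PHP):
        issues = [k for k in ("missing_capability_check", "nonce_not_enforced") if f[k]]
        hook = ("wp_ajax_nopriv_" if f["unauthenticated"] else "wp_ajax_") + f["action"]
        print(f"{hook:<40} -> {f['callback']:<22} {', '.join(issues) or 'ok'}")
```

Run it against a real plugin by replacing `SAMPLE_PHP` with the concatenated contents of its PHP files. A nonce is not an authorization control: `wps_dismiss_notice` in the sample passes the nonce check and is still flagged, which is exactly the defect the advisory describes, and `wps_clear_log` shows the section 9 variant where the nonce itself is never enforced. Callbacks registered through closures, `__call`, or hook names built at runtime will not be found by the regex, so treat a clean report as a starting point, not a verdict.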