# CVE-2026-25026: Team – Team Members Showcase Plugin <= 5.0.11 - Missing Authorization

- Plugin slug: `tlp-team`
- Affected versions: <= 5.0.11
- Patched in version: 5.0.12
- Severity: medium (CVSS 3.1 score 5.3, vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`)
- Vulnerability type: Missing Authorization
- Published: 2026-03-23 00:00:00
- Updated: 2026-04-02 14:59:12
- Days to patch: 11
- Files changed by the patch: `README.txt`, `app/Controllers/Frontend/Ajax/SmartPopup.php`, `languages/tlp-team.pot`, `tlp-team.php`
- Reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/613da6f3-3bc1-43f6-a565-bff1d6bc9b74?source=api-prod

## Description

The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.11. This makes it possible for unauthenticated attackers to perform an unauthorized action.

## Research summary

Research status: researched (3 rounds completed, model `gemini-3-flash-preview`, started 2026-04-17 23:55:45, completed 2026-04-17 23:56:17). The research has not been independently verified, and no proof of concept has been recorded for this entry.

The Team – Team Members Showcase Plugin is vulnerable to unauthorized data disclosure due to a lack of authorization and post-status validation in its AJAX popup handler. Unauthenticated attackers can exploit this to retrieve the title, content, and metadata of any WordPress post or page, including those set to private or belonging to other post types, by supplying a numeric post ID.

## Vulnerable code

Excerpt from the affected handler (the page quotes only lines 38-55, so the method is shown cut off after the first settings lookup):

```php
// app/Controllers/Frontend/Ajax/SmartPopup.php lines 38-55
public function response() {
    $html    = $htmlCInfo = null;
    $success = false;
    $error   = true;
    if ( ! wp_verify_nonce( Fns::getNonce(), Fns::nonceText() ) ) {
        wp_send_json_error( [
            'data'  => __('Security Issue','tlp-team'),
            'error' => $error,
        ] );
    }
    if ( ! empty( $_REQUEST['id'] ) ) {
        global $post;
        // The supplied id is resolved to any post object, with no post-type or post-status check.
        $post = get_post( absint( $_REQUEST['id'] ) );
        setup_postdata( $post );
        $settings     = get_option( rttlp_team()->options['settings'] );
        $resume_btn_text = isset( $settings['resume_btn_text'] ) ? $settings['resume_btn_text'] : "Resume";
```

## Research Plan: CVE-2026-25026 - Missing Authorization in Team Members Showcase Plugin

### 1. Vulnerability Summary

The **Team – Team Members Showcase Plugin** (up to version 5.0.11) is vulnerable to **Missing Authorization** and **Insecure Direct Object Reference (IDOR)**. The AJAX handler `tlp_team_smart_popup`, registered for both authenticated and unauthenticated users, fails to validate the `id` parameter. Specifically, it does not check whether the requested ID belongs to the expected `team` post type or whether the user has permission to view the content of that specific ID.

This allows an unauthenticated attacker to retrieve the content and metadata of arbitrary posts (including private posts, pages, or sensitive metadata from other plugins) by providing their numeric ID.

### 2. Attack Vector Analysis

- **Endpoint**: `/wp-admin/admin-ajax.php`
- **Action**: `tlp_team_smart_popup`
- **Vulnerable Parameter**: `id` (the ID of the post to retrieve)
- **Nonce Parameter**: `rt_nonce` (verified via `Fns::getNonce()`)
- **Authentication**: Unauthenticated (via `wp_ajax_nopriv_tlp_team_smart_popup`)
- **Preconditions**:
    1. The plugin must be active.
    2. An attacker needs a valid WordPress nonce for the `tlp-team-nonce` action (obtainable from any page rendering a Team shortcode).
    3. The attacker needs to guess or discover the ID of a target private post/page.

### 3. Code Flow

1. **Entry Point**: The plugin registers the AJAX actions in `app/Controllers/Frontend/Ajax/SmartPopup.php`:
   ```php
   add_action( 'wp_ajax_tlp_team_smart_popup', [ $this, 'response' ] );
   add_action( 'wp_ajax_nopriv_tlp_team_smart_popup', [ $this, 'response' ] );
   ```
2. **Nonce Check**: The `response()` method first verifies a nonce:
   ```php
   if ( ! wp_verify_nonce( Fns::getNonce(), Fns::nonceText() ) ) { ... }
   ```
3. **Object Retrieval**: It then fetches a post object directly from the user-supplied `id`:
   ```php
   $post = get_post( absint( $_REQUEST['id'] ) );
   setup_postdata( $post );
   ```
4. **Data Extraction**: It extracts the post title and content:
   ```php
   $name = $post->post_title;
   $tlp_member_content = wpautop( get_the_content() );
   ```
   *Note: `get_the_content()` after `setup_postdata` returns the content of the post object even if it is private, as long as the object was successfully retrieved by ID.*
5. **Metadata Leakage**: It also attempts to fetch various meta fields (e.g., `email`, `telephone`, `ttp_my_resume`). While these are specific to the "team" type, an attacker can also see the main content of any post type.
6. **Response**: The gathered data is returned in a JSON response:
   ```php
   wp_send_json( [ 'data' => wp_kses_post( $html ), ... ] );
   ```

### 4. Nonce Acquisition Strategy

The plugin enqueues its scripts and localizes the required nonce on pages where the team showcase is displayed.

- **Trigger**: The shortcode `[tlpteam]` (as inferred from `README.txt`).
- **JS Variable**: `rt_team_ajax` (standard for RadiusTheme/TLP plugins).
- **Nonce Key**: `rt_nonce`.
- **Extraction Steps**:
    1. Create a "Team Member" post so the shortcode has something to render.
    2. Create a public page containing the `[tlpteam]` shortcode.
    3. Use the `browser_navigate` tool to visit that page.
    4. Use `browser_eval` to extract the nonce: `window.rt_team_ajax?.rt_nonce`.

### 5. Exploitation Strategy

1. **Target Identification**: Determine the ID of a private post or page (e.g., ID 123).
2. **AJAX Request**: Use the `http_request` tool to send a POST request to `admin-ajax.php`.
    - **Method**: POST
    - **URL**: `http://localhost:8080/wp-admin/admin-ajax.php`
    - **Headers**: `Content-Type: application/x-www-form-urlencoded`
    - **Body**:
      ```text
      action=tlp_team_smart_popup&id=123&rt_nonce=[EXTRACTED_NONCE]
      ```
3. **Response Parsing**: Check the `data` field in the JSON response for the title and content of the private post.

### 6. Test Data Setup

1. **Target Content**: Create a private post containing sensitive information:
   ```bash
   wp post create --post_type=post --post_title="Confidential Internal Note" --post_content="The secret password is: Flag{IDOR_DATA_LEAK}" --post_status=private
   # Note the returned ID (e.g., 5)
   ```
2. **Plugin Setup**: Create a dummy team member to ensure shortcode functionality:
   ```bash
   wp post create --post_type=team --post_title="Visible Member" --post_status=publish
   ```
3. **Nonce Page**: Create a page to expose the nonce:
   ```bash
   wp post create --post_type=page --post_title="Team Showcase" --post_content='[tlpteam]' --post_status=publish
   ```

### 7. Expected Results

- The AJAX response should have a `success: true` status.
- The `data` property in the JSON response will contain the HTML markup including the string `"The secret password is: Flag{IDOR_DATA_LEAK}"`.
- This confirms that an unauthenticated user accessed the content of a `private` post via the vulnerable AJAX endpoint.

### 8. Verification Steps

1. Execute the HTTP request as described in Section 5.
2. Verify the response contains the content of the private post created in Section 6.
3. To confirm the vulnerability is due to missing type checks, attempt to retrieve the content of a `page` or a `shop_order` (if WooCommerce is present) by ID.

### 9. Alternative Approaches

- **Metadata Enumeration**: If the target post is a "Team" member but set to private/draft, the exploit can leak their `email`, `telephone`, and `location` meta fields even if they aren't published.
- **Parameter Variation**: If `rt_nonce` fails, check whether the plugin falls back to `_wpnonce` by inspecting the `Fns::getNonce()` logic (if accessible) or trying `_wpnonce` in the request body.
- **Different Layouts**: If the `[tlpteam]` shortcode doesn't load the script, try more specific variants mentioned in the README like `[tlpteam layout="layout1"]`.

## Exploit outline

1. Locate a public page on the target site that uses the plugin's team showcase (e.g., via the `[tlpteam]` shortcode) to extract a valid nonce.
2. Extract the security nonce from the global JavaScript object `rt_team_ajax.rt_nonce` found in the page source.
3. Identify the target post ID (e.g., a private post or sensitive page) via enumeration or discovery.
4. Send a POST request to `/wp-admin/admin-ajax.php` with the action set to `tlp_team_smart_popup`, the `id` parameter set to the target post ID, and the `rt_nonce` parameter set to the extracted nonce.
5. The server will respond with a JSON object where the `data` field contains the rendered HTML of the targeted post, revealing its title and content regardless of its visibility status or post type.

## Source links

- Type: plugin
- Vulnerable version 5.0.11: browse https://plugins.trac.wordpress.org/browser/tlp-team/tags/5.0.11, download https://downloads.wordpress.org/plugin/tlp-team.5.0.11.zip
- Fixed version 5.0.12: browse https://plugins.trac.wordpress.org/browser/tlp-team/tags/5.0.12, download https://downloads.wordpress.org/plugin/tlp-team.5.0.12.zip
- All tags: https://plugins.trac.wordpress.org/browser/tlp-team/tags

## Fix diff (5.0.11 → 5.0.12)

```diff
--- /home/deploy/wp-safety.org/data/plugin-versions/tlp-team/5.0.11/app/Controllers/Frontend/Ajax/SmartPopup.php	2025-12-09 12:12:34.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/tlp-team/5.0.12/app/Controllers/Frontend/Ajax/SmartPopup.php	2026-01-21 08:39:08.000000000 +0000
@@ -45,6 +45,14 @@
 				'error' => $error,
 			] );
 		}
+
+        $member_post = get_post(absint($_REQUEST['id']) );
+        if (
+            !$member_post ||
+            $member_post->post_type !== rttlp_team()->post_type ||
+            $member_post->post_status !== 'publish'
+        ) {
+            wp_send_json_error(array('error' => __('Unauthorized or member not found','tlp-team')), 403);
+        }
+
 		if ( ! empty( $_REQUEST['id'] ) ) {
 			global $post;
 			$post = get_post( absint( $_REQUEST['id'] ) );
```
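Review bot: the new type/status check in this hunk calls `get_post(absint($_REQUEST['id']) )` before the existing `if ( ! empty( $_REQUEST['id'] ) )` guard and the guarded branch then looks the same post up a second time with `$post = get_post( absint( $_REQUEST['id'] ) );`. A request with no `id` is therefore resolved through `get_post( 0 )` instead of being skipped (in an AJAX request there is normally no global `$post`, so it still ends in the 403 branch), and every valid request performs the lookup twice. Move the check inside the `! empty` branch and reuse the object, e.g. `$post = $member_post;`. Also match the file's conventions: the surrounding lines are tab-indented while the added lines use eight spaces, and `get_post(absint($_REQUEST['id']) )` does not follow the `get_post( absint( $_REQUEST['id'] ) )` spacing used three lines below.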