[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fOp3YViGZ-gTXMWZHB_RtbVRAEfGk76evbyu2S3xA46E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39709","the-tribal-unauthenticated-information-exposure","The Tribal \u003C= 1.3.4 - Unauthenticated Information Exposure","The The Tribal Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","the-tech-tribe",null,"\u003C=1.3.4","1.3.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-03-02 00:00:00","2026-05-05 15:46:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F293260d1-84a3-4af7-a293-8466624c86cc?source=api-prod",65,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fclass-the-tribal-plugin-admin.php","admin\u002Fjs\u002Fthe-tribal-plugin-admin.js","admin\u002Fpartials\u002Fdashboard\u002Fapi.php","admin\u002Fpartials\u002Fdashboard\u002Fimport.php","admin\u002Fpartials\u002Fdashboard\u002Fsettings.php","app\u002FAjaxImportPost.php","app\u002FAuthenticate.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-39709 (The Tribal Plugin)\n\n## 1. Vulnerability Summary\nThe Tribal Plugin (slug: `the-tech-tribe`) is vulnerable to **Unauthenticated Information Exposure** in versions up to and including 1.3.4. The vulnerability stems from an AJAX handler `ttt_import_post` that is registered (or accessible) without proper authorization checks (`current_user_can`) or nonce verification (`check_ajax_referer`). This allows an unauthenticated actor to trigger a manual post import and receive a JSON response containing internal site metadata, including synchronization timestamps and a summary of content imported from the Tech Tribe portal. Additionally, the plugin uses a custom logging mechanism (`tttCustomLogs`) that may expose sensitive API responses in a publicly accessible log file.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `ttt_import_post`\n- **Method:** `POST`\n- **Authentication:** None (Unauthenticated)\n- **Preconditions:** The plugin must be installed and activated. An API key may need to be present for the \"Information\" to be populated, though the metadata leak occurs even with failed imports.\n\n## 3. Code Flow\n1. **Entry Point:** The attacker sends a request to `admin-ajax.php` with the parameter `action=ttt_import_post`.\n2. **Hook Registration:** In `app\u002FAjaxImportPost.php`, the","The Tribal Plugin for WordPress exposes sensitive information through an unprotected AJAX handler and a custom logging system that writes full API responses, including API keys and internal site metadata, to the file system. Unauthenticated attackers can trigger manual synchronization processes and retrieve internal metadata, while also potentially accessing sensitive API details via publicly accessible log files.","\u002F* app\u002FAjaxImportPost.php:40 *\u002F\n    public function init()\n    {\n        add_action('wp_ajax_ttt_import_post', [$this, 'import']);\n        \u002F\u002Fadd_action('wp_ajax_ttt_import_post', [$this, 'import']);\n    }\n\n    public function import()\n    {\n\t\ttttCustomLogs(\"start import posts : \");\n\t\ttttCustomLogs(\"manual import \");\n\n        $ret =  \\TheTribalPlugin\\ImportPost::get_instance()->import();\n\n---\n\n\u002F* app\u002FAuthenticate.php:64 *\u002F\n\t\t$response = wp_remote_post( $url, [\n\t\t\t'timeout'     => 45,\n\t\t\t'body'        => [\n\t\t\t\t'user_domain'\t=> $userDomain,\n\t\t\t\t'user_api_key'\t=> $apiKey,\n\t\t\t],\n\t\t]);\n\t\t\n\t\ttttCustomLogs(\"start auth api : \");\n\t\t\n\t\ttttCustomLogs(\"api reponse var : \");\n\t\ttttCustomLogs($response);\n\n---\n\n\u002F* admin\u002Fpartials\u002Fdashboard\u002Fapi.php:4 *\u002F\n        \u003Clabel class=\"form-label\">API Key\u003C\u002Flabel>\n        \u003Cinput type=\"password\" class=\"form-control\" name=\"ttt_api_key\" value=\"\u003C?php echo esc_attr($apiKey);?>\">","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-tech-tribe\u002F1.3.4\u002Fapp\u002FAjaxImportPost.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-tech-tribe\u002F1.3.5\u002Fapp\u002FAjaxImportPost.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-tech-tribe\u002F1.3.4\u002Fapp\u002FAjaxImportPost.php\t2025-10-06 03:19:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-tech-tribe\u002F1.3.5\u002Fapp\u002FAjaxImportPost.php\t2026-04-13 07:03:34.000000000 +0000\n@@ -46,13 +46,13 @@\n \n     public function import()\n     {\n-\t\ttttCustomLogs(\"start import posts : \");\n-\t\ttttCustomLogs(\"manual import \");\n+\t\tcheck_ajax_referer( 'ttt_import_post_nonce', 'nonce' );\n+\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_die( -1 );\n+\t\t}\n \n         $ret =  \\TheTribalPlugin\\ImportPost::get_instance()->import();\n-\t\ttttCustomLogs(\"manual import ret\");\n-\t\ttttCustomLogs($ret);\n-\t\ttttCustomLogs(\"manual import ret\");\n \t\t\n \t\t$returnCode = $ret->data['code'];\n \t\t$returnMsg = $ret->data['msg'];\n@@ -106,11 +106,6 @@\n \t\t\t'last_successfull_import' \t=> $dateGetLastImport\n \t\t];\n \n-\t\ttttCustomLogs(\"return import posts : \");\n-        tttCustomLogs($ret);\n-\n-\t\ttttCustomLogs(\"end import posts\");\n-\n \t\twp_send_json_error($arrReturnMsg);\n     }\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-tech-tribe\u002F1.3.4\u002Fapp\u002FAuthenticate.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-tech-tribe\u002F1.3.5\u002Fapp\u002FAuthenticate.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-tech-tribe\u002F1.3.4\u002Fapp\u002FAuthenticate.php\t2023-10-12 04:06:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-tech-tribe\u002F1.3.5\u002Fapp\u002FAuthenticate.php\t2026-04-13 07:03:34.000000000 +0000\n@@ -61,19 +61,9 @@\n \t\t\t],\n \t\t]);\n \t\t\n-\t\ttttCustomLogs(\"start auth api : \");\n-\t\t\n-\t\ttttCustomLogs(\"api reponse var : \");\n-\t\ttttCustomLogs($response);\n-\t\t\n \t\t$resCode = wp_remote_retrieve_response_code($response);\n-\t\ttttCustomLogs(\"api return code : \" . $resCode);\n \t\t\n \t\t$resBody = wp_remote_retrieve_body($response);\n-\t\ttttCustomLogs(\"api return body : \");\n-\t\ttttCustomLogs($resBody);\n-\n-\t\ttttCustomLogs(\"end auth api : \");\n \n \t\t$toArrayBody = json_decode($resBody, 1);","1. **AJAX Metadata Leak**: An attacker can send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameter `action=ttt_import_post`. In vulnerable versions, this handler does not check for authorization or valid nonces. The JSON response will reveal internal site synchronization state, including the timestamps of the last successful content import and a summary of content retrieved from the external portal.\n\n2. **Sensitive Log Exposure**: The plugin utilizes a custom logging function `tttCustomLogs` which, in affected versions, logs full API responses from the Tech Tribe portal. These responses often contain sensitive authentication keys and internal configuration. An attacker can attempt to access the plugin's log files (typically located in the plugin directory if not moved) to extract these secrets.\n\n3. **API Key Exposure**: The site administrator dashboard renders the raw API key directly in the HTML source code of the settings page, making it susceptible to shoulder surfing or extraction via XSS\u002Funauthorized dashboard access.","gemini-3-flash-preview","2026-05-20 21:56:08","2026-05-20 21:57:02",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.3.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-tech-tribe\u002Ftags\u002F1.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-tech-tribe.1.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-tech-tribe\u002Ftags\u002F1.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-tech-tribe.1.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-tech-tribe\u002Ftags"]