[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7NFt-zNicctMvuekslfzXGELm_eBbyqF--ERSuTH5TA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-24364","user-frontend-ai-powered-frontend-posting-user-directory-profile-membership-user-registration-missing-authorization","User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration \u003C= 4.2.5 - Missing Authorization","The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","wp-user-frontend",null,"\u003C=4.2.5","4.2.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-10 00:00:00","2026-03-19 13:58:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F09e5391d-2671-4bb4-9adc-29b5fdb59240?source=api-prod",10,[22,23,24,25,26,27,28,29],"Lib\u002FGateway\u002FPaypal.php","Lib\u002FWeDevs_Settings_API.php","assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin\u002Fform-builder.css","assets\u002Fcss\u002Fadmin\u002Fsubscriptions.min.css","assets\u002Fcss\u002Fai-form-builder.css","assets\u002Fcss\u002Fai-form-builder.min.css","assets\u002Fcss\u002Fforms-list.min.css","researched",false,3,"# Research Plan: CVE-2026-24364 - Missing Authorization in WP User Frontend\n\n## 1. Vulnerability Summary\nThe **WP User Frontend** plugin (up to 4.2.5) suffers from a missing authorization vulnerability. While the plugin implements nonce checks for certain administrative AJAX actions, it fails to perform secondary capability checks (e.g., `current_user_can('manage_options')`). This allows authenticated users with Subscriber-level access to execute these actions if they can obtain or bypass the nonce.\n\nThe primary target identified in the source is the `wpuf_dismiss_paypal_notice` AJAX action, handled by the `Paypal::dismiss_paypal_notice()` function. This action modifies site options (specifically dismissing an admin-only notice), representing an unauthorized integrity change.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n- **Action**: `wpuf_dismiss_paypal_notice`\n- **HTTP Method**: POST\n- **Parameters**:\n  - `action`: `wpuf_dismiss_paypal_notice`\n  - `nonce`: A valid nonce for the `wpuf_dismiss_paypal_notice` action.\n- **Authentication**: Required (Subscriber level or above).\n- **Precondition**: The attacker must be logged in as a Subscriber.\n\n## 3. Code Flow\n1.  **Entry Point**: A Subscriber sends a POST request to `admin-ajax.php` with `action=wpuf_dismiss_","The WP User Frontend plugin is vulnerable to unauthorized modification of site settings due to a missing capability check in its PayPal admin notice dismissal logic. Authenticated attackers with Subscriber-level permissions can dismiss important administrative notifications by exploiting the `wpuf_dismiss_paypal_notice` AJAX action.","\u002F\u002F Lib\u002FGateway\u002FPaypal.php\n\nadd_action( 'wp_ajax_wpuf_dismiss_paypal_notice', [ $this, 'dismiss_paypal_notice' ] );\n\n---\n\n\u002F\u002F Lib\u002FGateway\u002FPaypal.php (dismiss_paypal_notice function logic)\n\npublic function dismiss_paypal_notice() {\n    \u002F\u002F Verify nonce\n    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpuf_dismiss_paypal_notice' ) ) {\n        wp_send_json_error( esc_html__( 'Invalid nonce', 'wp-user-frontend' ) );\n    }\n\n    \u002F\u002F Missing capability check here (e.g., current_user_can( 'manage_options' ))\n\n    update_option( 'wpuf_paypal_settings_notice_dismissed', true );\n    wp_send_json_success();\n}","--- Lib\u002FGateway\u002FPaypal.php\n+++ Lib\u002FGateway\u002FPaypal.php\n@@ -172,6 +172,10 @@\n         if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wpuf_dismiss_paypal_notice' ) ) {\n             wp_send_json_error( esc_html__( 'Invalid nonce', 'wp-user-frontend' ) );\n         }\n+\n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            wp_send_json_error( esc_html__( 'Unauthorized', 'wp-user-frontend' ) );\n+        }\n \n         update_option( 'wpuf_paypal_settings_notice_dismissed', true );\n         wp_send_json_success();","The exploit target is the PayPal configuration notice dismissal mechanism. An authenticated attacker needs to:\n1. Log into the WordPress site with Subscriber-level access or higher.\n2. Obtain a valid WordPress nonce for the action 'wpuf_dismiss_paypal_notice'. While the plugin attempts to restrict the notice visibility to admins, WordPress nonces are often accessible to all logged-in users if rendered in common scripts or leaked via other vulnerabilities.\n3. Send an authenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the following parameters: action=wpuf_dismiss_paypal_notice and nonce=[VALID_NONCE].\n4. Because the server fails to check for administrative capabilities, it will update the 'wpuf_paypal_settings_notice_dismissed' option in the database, affecting site-wide administrative UI state.","gemini-3-flash-preview","2026-04-18 05:04:07","2026-04-18 05:04:59",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.2.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags\u002F4.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-user-frontend.4.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags\u002F4.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-user-frontend.4.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-user-frontend\u002Ftags"]