[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frES1mY4O00lTUDjwy1uuIiyEd1ghPM4DCWtldwoNaNQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-25000","wheel-of-life-missing-authorization-2","Wheel of Life \u003C= 1.2.0 - Missing Authorization","The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wheel-of-life",null,"\u003C=1.2.0","1.2.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-15 00:00:00","2026-05-04 15:19:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4149ee26-86c0-408b-a8e1-976c7fbf6e81?source=api-prod",110,[22,23,24,25,26,27,28,29],"app\u002Fbuild\u002Fblocks.asset.php","app\u002Fbuild\u002Fblocks.js","app\u002Fbuild\u002FglobalApp.asset.php","app\u002Fbuild\u002FglobalApp.js","app\u002Fbuild\u002FuiComponents.asset.php","app\u002Fbuild\u002FuiComponents.js","includes\u002FWheel_Of_Life.php","includes\u002Ffunctions\u002FAjaxFunctions.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-25000 (Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **Wheel of Life** plugin (up to 1.2.0) is vulnerable to **Missing Authorization**. The `Wheel_Of_Life_Ajax` class registers several AJAX actions that lack proper capability checks or nonce verification for unauthenticated users. Specifically, the `saveWheelReport` action is registered via a helper method `add_ajax`, which makes it accessible to unauthenticated attackers (`wp_ajax_nopriv_`).\n\nIf the callback `save_my_wheel_report` fails to perform authorization or robust nonce verification, an unauthenticated attacker can perform unauthorized actions, such as creating arbitrary submissions in the `wheel-submissions` custom post type.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `saveWheelReport` (and potentially `sendMyWheelEmail`)\n- **HTTP Method:** POST\n- **Payload Parameters:**\n    - `action`: `saveWheelReport`\n    - `security`: The AJAX nonce (if checked)\n    - `data`: (Inferred) JSON string or array containing submission details (scores, email, name, etc.)\n- **Authentication:** Unauthenticated (`nopriv`)\n- **Preconditions:** The `wheeloflife_ajax_nonce` must be obtained if the function checks it.\n\n## 3. Code Flow\n1. **Entry Point:** `includes\u002Ffunctions\u002F","The Wheel of Life plugin for WordPress is vulnerable to unauthorized access and potential data injection due to missing capability checks on its AJAX handlers. This allows unauthenticated attackers to trigger actions such as creating arbitrary assessment submissions or sending unauthorized emails by interacting with functions registered for public access without proper authorization controls.","\u002F\u002F includes\u002Ffunctions\u002FAjaxFunctions.php:72\n\tprivate function init_hooks() {\n\t\t\u002F\u002F Register pages\n\t\tadd_action( 'wp_ajax_addNewPost', array( $this, 'add_new_wheel_of_life' ) );\n\t\tadd_action( 'wp_ajax_editPost', array( $this, 'edit_wheel_of_life' ) );\n\t\tadd_action( 'wp_ajax_viewPost', array( $this, 'view_submission_wheel_of_life' ) );\n\t\tadd_action( 'wp_ajax_duplicatePost', array( $this, 'copy_wheel_of_life' ) );\n\t\tadd_action( 'wp_ajax_trashPost', array( $this, 'trash_wheel_of_life' ) );\n\t\tadd_action( 'wp_ajax_restorePost', array( $this, 'restore_wheel_of_life' ) );\n\t\tadd_action( 'wp_ajax_deletePost', array( $this, 'delete_wheel_of_life' ) );\n\t\tadd_action( 'wp_ajax_saveSocialShare', array( $this, 'save_social_share' ) );\n\t\tadd_action( 'wp_ajax_saveData', array( $this, 'save_wheel_of_life_setting' ) );\n\t\tadd_action( 'wp_ajax_getFormOption', array( $this, 'get_all_wheel' ) );\n\t\tadd_action( 'wp_ajax_saveCTA', array( $this, 'save_call_to_action' ) );\n\n\t\t\u002F\u002F Public ajax functions\n\t\t$this->add_ajax( 'getSocialShare', array( $this, 'get_social_share' ) );\n\t\t$this->add_ajax( 'sendMyWheelEmail', array( $this, 'send_my_wheel_email' ) );\n\t\t$this->add_ajax( 'saveWheelReport', array( $this, 'save_my_wheel_report' ) );\n\t\t$this->add_ajax( 'getCTA', array( $this, 'get_call_to_action' ) );\n\t}\n\n\u002F\u002F includes\u002Ffunctions\u002FAjaxFunctions.php:100\n\tpublic function add_ajax( $action = false, $callback = false ) {\n\t\tif ( ! $action || ! $callback ) {\n\t\t\treturn;\n\t\t}\n\n\t\tadd_action( \"wp_ajax_{$action}\", $callback );\n\t\tadd_action( \"wp_ajax_nopriv_{$action}\", $callback );\n\t}","--- a\u002Fincludes\u002Ffunctions\u002FAjaxFunctions.php\n+++ b\u002Fincludes\u002Ffunctions\u002FAjaxFunctions.php\n@@ -101,6 +101,9 @@\n \tpublic function save_my_wheel_report() {\n+\t\tif ( ! check_ajax_referer( 'wheeloflife_ajax_nonce', 'security', false ) ) {\n+\t\t\twp_send_json_error( __( 'Unauthorized access.', 'wheel-of-life' ) );\n+\t\t}\n \n \t\t$data = isset( $_POST[ 'data' ] ) ? json_decode( stripslashes_deep( $_POST[ 'data' ] ), true ) : '';","An unauthenticated attacker can exploit this vulnerability by sending a POST request to the WordPress AJAX endpoint (`\u002Fwp-admin\u002Fadmin-ajax.php`). By specifying the `action` parameter as `saveWheelReport` or `sendMyWheelEmail`, the attacker can trigger the plugin's submission or email logic. To bypass nonce checks (if present on the unauthenticated actions), the attacker can first visit the site's frontend where the Wheel of Life block is rendered to extract the valid `wheeloflife_ajax_nonce` from the localized script data. The attacker then provides a `data` parameter containing a JSON-encoded payload representing arbitrary scores and metadata, which the plugin will save into the `wheel-submissions` custom post type without verifying if the user is authorized to perform such an action.","gemini-3-flash-preview","2026-05-05 09:19:42","2026-05-05 09:20:33",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwheel-of-life\u002Ftags\u002F1.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwheel-of-life.1.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwheel-of-life\u002Ftags\u002F1.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwheel-of-life.1.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwheel-of-life\u002Ftags"]