[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnmaNULSVoYlaorYJja1takncKy1TfP83xH1t_l8QLq8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-24376","wpvulnerability-missing-authorization","WPVulnerability \u003C= 4.2.1 - Missing Authorization","The WPVulnerability plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.1. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","wpvulnerability",null,"\u003C=4.2.1","4.2.1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-18 00:00:00","2026-03-27 19:32:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F14e00e65-32ce-4bd3-b118-5f92af6aa979?source=api-prod",10,[22,23,24,25],"changelog.txt","readme.txt","wpvulnerability-api.php","wpvulnerability.php","researched",false,3,"vulnerability_nonce` or `wpvulnerability_settings_nonce`.\n\n    Wait, I'll search for the localization in the source first.\n    `wp_localize_script( 'wpvulnerability-admin', 'wpvulnerability', ... )`\n\n    Actually, looking at `wpvulnerability.php`, it loads `wpvulnerability-admin.php`.\n    I will instruct the agent to grep for `add_action.*wp_ajax` and `wp_create_nonce`.\n\n    *Update on Nonce*: In WP, nonces are often placed in the `_wpnonce` or `nonce` field.\n    I'll tell the agent to look for the nonce in the settings page.\n\n    -   Subscriber account.\n    -   Settings must be at default.\n\n    -   `wp option get wpvulnerability_settings` shows the modified value.\n\n    -   The CVE is about \"Missing Authorization\".\n    -   The function is likely `wpvulnerability_save_settings`.\n    -   The vulnerability allows a Subscriber to change settings.\n    -   I've provided the trace and the logic.\n\n    One final detail: The `changelog` mentions \"Clear legacy WPVulnerability cron events\".\n    And `wpvulnerability.php` calls `wpvulnerability_expired_database_data()`.\n    If a Subscriber can trigger `wpvulnerability_expired_database_data` and it does more than just checking time, it might be the \"unauthorized action\". 
But","The WPVulnerability plugin for WordPress is vulnerable to unauthorized data disclosure due to missing capability checks in its REST API permission callback. Authenticated users, including those with low privileges like Subscribers, can access sensitive site security information—such as lists of vulnerable plugins, themes, and server configurations—by authenticating with an Application Password.","\u002F\u002F wpvulnerability-api.php line 437\n\u002F**\n * Custom permission check for the WPVulnerability REST API.\n *\n * This function checks if the request is authenticated using an Application Password.\n *\n * @since 3.3.0\n *\n * @return bool True if authenticated, false otherwise.\n *\u002F\nfunction wpvulnerability_rest_api_permissions_check() {\n\t\u002F\u002F Check if the Authorization header is present.\n\tif ( isset( $_SERVER['PHP_AUTH_USER'] ) && isset( $_SERVER['PHP_AUTH_PW'] ) ) {\n\t\t$user     = $_SERVER['PHP_AUTH_USER'];\n\t\t$password = $_SERVER['PHP_AUTH_PW'];\n\t} elseif ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) {\n\t\t\u002F\u002F Handle other ways to get the Authorization header.\n\t\t$auth_header = $_SERVER['HTTP_AUTHORIZATION'];\n\t\tif ( 0 === strpos( $auth_header, 'Basic ' ) ) {\n\t\t\t$auth_string = base64_decode( substr( $auth_header, 6 ) );\n\t\t\tlist( $user, $password ) = explode( ':', $auth_string );\n\n\t\t\t\u002F\u002F Authenticate the user using the application password.\n\t\t\tif ( wp_authenticate_application_password( null, $user, $password ) instanceof WP_User ) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\t}\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpvulnerability\u002F4.2.1\u002Fwpvulnerability-api.php\t2025-12-17 16:39:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpvulnerability\u002F4.2.1.1\u002Fwpvulnerability-api.php\t2026-01-16 13:10:58.000000000 +0000\n@@ -7,6 +7,8 @@\n  * @since 3.3.0\n  *\u002F\n \n+defined( 
'ABSPATH' ) || die( 'No script kiddies please!' );\n+\n \u002F**\n  * Handle the core vulnerabilities REST API request.\n  *\n@@ -437,7 +439,8 @@\n \u002F**\n  * Custom permission check for the WPVulnerability REST API.\n  *\n- * This function checks if the request is authenticated using an Application Password.\n+ * This function checks if the request is authenticated using an Application Password\n+ * and verifies that the user has the required capabilities to access vulnerability data.\n  *\n  * @since 3.3.0\n  *\n@@ -457,8 +460,17 @@\n \t\t\tlist( $user, $password ) = explode( ':', $auth_string );\n \n \t\t\t\u002F\u002F Authenticate the user using the application password.\n-\t\t\tif ( wp_authenticate_application_password( null, $user, $password ) instanceof WP_User ) {\n-\t\t\t\treturn true;\n+\t\t\t$authenticated_user = wp_authenticate_application_password( null, $user, $password );\n+\n+\t\t\tif ( $authenticated_user instanceof WP_User ) {\n+\t\t\t\t\u002F\u002F Check if user has the required capability.\n+\t\t\t\t\u002F\u002F For multisite, require manage_network_options.\n+\t\t\t\t\u002F\u002F For single site, require manage_options.\n+\t\t\t\tif ( is_multisite() ) {\n+\t\t\t\t\treturn user_can( $authenticated_user, 'manage_network_options' );\n+\t\t\t\t}\n+\n+\t\t\t\treturn user_can( $authenticated_user, 'manage_options' );\n \t\t\t}\n \t\t}\n \t}","To exploit this vulnerability, an attacker needs a valid login for a user with any role (e.g., Subscriber). The attacker first generates a WordPress Application Password via the user's profile settings. They then perform a GET request to any of the plugin's REST API endpoints (such as \u002Fwp-json\u002Fwpvulnerability\u002Fv1\u002Fplugins, \u002Fwp-json\u002Fwpvulnerability\u002Fv1\u002Fthemes, or \u002Fwp-json\u002Fwpvulnerability\u002Fv1\u002Fcore) while providing the credentials in the Authorization header. 
Because the plugin's permissions callback only verifies that the credentials are valid but does not verify that the user holds the required capability (manage_options, or manage_network_options on multisite, which is what 4.2.1.1 adds), the server will return a detailed list of all detected vulnerabilities and software versions for the target site. Note that the callback returns true only on the Basic-auth branch and otherwise falls through with no return value, so a cookie/nonce-authenticated REST request is refused regardless of role; the Application Password step is therefore a hard prerequisite, and Application Passwords must be enabled for the account on the target (they are typically unavailable on non-HTTPS installs - confirm before testing). Also note that the published CVSS vector (C:N\u002FI:L) records an integrity rather than a confidentiality impact, which does not match the data-disclosure reading above; the actual effect of each route should be verified against the route registrations in wpvulnerability-api.php rather than inferred from endpoint names.","gemini-3-flash-preview","2026-04-18 02:41:38","2026-04-18 02:42:29",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpvulnerability\u002Ftags\u002F4.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpvulnerability.4.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpvulnerability\u002Ftags\u002F4.2.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpvulnerability.4.2.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpvulnerability\u002Ftags"]