Anonymous Intelligence Signal

WordPress Plugin Flaw Exposes Admin Security Notices to Any Subscriber-Level User

Author: The Lab (unverified) | Published: 2026-05-07 05:31:38 | Source: GitHub Issues

A critical access control failure in a WordPress plugin allows any authenticated user with Subscriber privileges to retrieve all admin-level notices, including those containing sensitive security information. The vulnerability, cataloged as [VULN-1-001], exposes plugin vulnerability alerts, failed login summaries, database error logs, and server file path disclosures to users who should never have access to such data. The flaw carries a CVSS score of 5.3, classified as medium severity, but the nature of the exposed content elevates its practical risk profile significantly.

The root cause lies in how the plugin handles notice storage and AJAX requests. All notices are consolidated into a single global WordPress option (`wpnm_notices`) without per-user isolation. The plugin's AJAX endpoint (`ajax_get_notices`) can be called by any logged-in user with `read` capability. Worse, the required security nonce (`wpnm_ajax_nonce`) is embedded in the page source of all admin pages, including user-facing pages like `/wp-admin/profile.php`. This means a Subscriber visiting their own profile page receives the nonce needed to craft the request that retrieves every stored notice—including those captured from Administrator sessions. The vulnerable code path is documented in `class-notice-popup.php` lines 106–114, where the AJAX handler processes requests without verifying the caller holds administrative privileges.
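The following is an added illustrative example, not code from the affected plugin or its repository. It contrasts the authorization gap described above (a nonce check alone, which any user holding the `read` capability can satisfy) with a hardened handler that also verifies the caller's capability and only hands the nonce to users who are entitled to the data. The option name `wpnm_notices` and nonce action `wpnm_ajax_nonce` come from the report; the hook name `wp_ajax_wpnm_get_notices`, the script handle `wpnm-popup`, the `wpnm_` function names and the assumption that notices are stored as a plain array are assumptions made for the example.

```php
<?php
/**
 * Illustrative only: a minimal before/after of the access-control pattern
 * described in the report. Hook names, handles and function names are assumed.
 */

/*
 * VULNERABLE PATTERN (as described in the report).
 * check_ajax_referer() only proves the request came from a page that
 * contained the nonce. Because the nonce is printed on every admin page,
 * including /wp-admin/profile.php, a Subscriber can obtain it and pass
 * this check. Nothing here asks whether the caller may read admin notices.
 */
function wpnm_ajax_get_notices_vulnerable() {
    check_ajax_referer( 'wpnm_ajax_nonce', 'nonce' );

    // One global option, no per-user isolation: every stored notice is returned.
    $notices = get_option( 'wpnm_notices', array() );
    wp_send_json_success( $notices );
}

/*
 * HARDENED PATTERN.
 * A nonce is a CSRF token, not an authorization decision. Authorization
 * must be enforced with a capability check inside the handler, because
 * admin-ajax.php is reachable by every authenticated user.
 */
function wpnm_ajax_get_notices_hardened() {
    check_ajax_referer( 'wpnm_ajax_nonce', 'nonce' );

    // Enforce the privilege the data actually requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $notices = get_option( 'wpnm_notices', array() );
    if ( ! is_array( $notices ) ) {
        $notices = array();
    }

    // Defence in depth: even for administrators, never echo raw stored strings
    // back into the page without escaping.
    $safe = array();
    foreach ( $notices as $notice ) {
        $safe[] = array(
            'title'   => isset( $notice['title'] ) ? sanitize_text_field( $notice['title'] ) : '',
            'message' => isset( $notice['message'] ) ? wp_kses_post( $notice['message'] ) : '',
        );
    }
    wp_send_json_success( $safe );
}
add_action( 'wp_ajax_wpnm_get_notices', 'wpnm_ajax_get_notices_hardened' );

/*
 * Do not print the nonce into every admin page. Localize it only for users
 * who are allowed to call the endpoint, so low-privilege accounts never see
 * it in the page source in the first place. (The capability check in the
 * handler remains the real control; this just shrinks the exposed surface.)
 */
function wpnm_enqueue_popup_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'wpnm-popup', plugins_url( 'js/popup.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script(
        'wpnm-popup',
        'wpnmAjax',
        array(
            'url'   => admin_url( 'admin-ajax.php' ),
            'nonce' => wp_create_nonce( 'wpnm_ajax_nonce' ),
        )
    );
}
add_action( 'admin_enqueue_scripts', 'wpnm_enqueue_popup_script' );
```

When reviewing a plugin for this class of bug, the quick check is to list every `wp_ajax_*` handler and confirm each one calls `current_user_can()` with the capability that matches the sensitivity of what it returns; a `check_ajax_referer()` call on its own is not sufficient, since any logged-in user who can load a page that embeds the nonce can replay it.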

The information at risk includes plugin-specific vulnerability announcements that could reveal unpatched attack surfaces, database error messages exposing schema details, file path disclosures aiding in targeted exploitation, and version information for installed plugins and themes. Site administrators running this plugin face elevated risk of reconnaissance attacks where low-privilege accounts—including compromised subscriber accounts—can harvest operational intelligence previously visible only to admin-level users. The underlying weakness, CWE-284 (Improper Access Control), indicates a fundamental authorization gap rather than an implementation quirk. Patching priority should be elevated for sites with untrusted user registrations or multi-author environments.