Atomic Edge analysis of CVE-2026-24561:
The vulnerability is a Missing Authorization flaw in the FluentBoards WordPress plugin, affecting versions up to and including 1.91.1. The flaw allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions by accessing a user information endpoint without proper capability checks. This constitutes a CWE-862 (Missing Authorization) vulnerability with a CVSS score of 4.3.
Atomic Edge research identifies the root cause in the `getMemberInfo` function within the `UserController` class. The vulnerable code, located at `fluent-boards/app/Http/Controllers/UserController.php`, line 113, lacked any authorization check before processing the request. The function accepted a user ID parameter and directly fetched user information via `User::findOrFail($user_id)` without verifying whether the requesting user had permission to access that specific member’s data.
Exploitation requires an authenticated WordPress user with at least Subscriber privileges. Attackers send a GET request to the REST API endpoint `/wp-json/fluent-boards/v2/member-associated-users/{user_id}` or `/wp-json/fluent-boards/v2/get-member-info/{user_id}`. The `{user_id}` parameter can be manipulated to target any WordPress user ID, including administrators. No special parameters or payloads are needed beyond a valid user session cookie and the target user ID in the URL path.
The patch adds a capability check at the beginning of the `getMemberInfo` function. The fix inserts a call to `PermissionManager::isFluentBoardsUser($user_id)` on line 113, which verifies the requesting user has appropriate FluentBoards permissions for the target user ID. If this check fails, the function returns a 403 error response with an unauthorized message. Before the patch, any authenticated user could access any other user’s information through this endpoint. After the patch, only users with proper FluentBoards permissions can access the data.
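The missing-check pattern and the shape of the fix, as an added illustration that is not FluentBoards' own code: the namespace, the `User`/`Response` helpers and the exact semantics of `isFluentBoardsUser()` are assumptions; only `getMemberInfo`, `User::findOrFail()` and `PermissionManager::isFluentBoardsUser()` come from the analysis above.

```php
<?php
// Added illustration, not the plugin's source. Namespaces, the Response
// helper and the model are assumed stand-ins for the real classes.

namespace Example\Http\Controllers;

use Example\Models\User;                 // assumed: provides findOrFail($id)
use Example\Services\PermissionManager;  // assumed: isFluentBoardsUser($id): bool
use Example\Http\Response;               // assumed: json($payload, $status)

class UserController
{
    /**
     * Vulnerable shape (CWE-862): the handler trusts the {user_id} path
     * parameter and looks the record up with no capability check at all.
     * Any logged-in account, Subscriber and up, can read any member's data.
     */
    public function getMemberInfoVulnerable(int $userId): Response
    {
        $user = User::findOrFail($userId);
        return Response::json(['member' => $user->toArray()], 200);
    }

    /**
     * Fixed shape: authorize first, fetch second. Doing the permission
     * check before findOrFail() also avoids leaking whether an ID exists
     * (a 404 for unknown IDs vs. 403 for known ones would enable
     * enumeration), so unauthorized callers always see the same 403.
     */
    public function getMemberInfo(int $userId): Response
    {
        if (!PermissionManager::isFluentBoardsUser($userId)) {
            return Response::json(
                ['message' => 'You are not allowed to view this member'],
                403
            );
        }

        $user = User::findOrFail($userId);
        return Response::json(['member' => $user->toArray()], 200);
    }
}
```

When reviewing similar endpoints, the check to make is that every route handler that accepts a caller-supplied object ID performs its authorization before any lookup, not merely that the route requires a logged-in session.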
Successful exploitation allows attackers to retrieve sensitive information about other WordPress users within the FluentBoards system. This includes user details, potentially exposing email addresses, display names, and other profile information. While the vulnerability doesn’t grant direct privilege escalation or code execution, it enables unauthorized data access that could facilitate social engineering, targeted attacks, or reconnaissance for further exploitation within the project management context.
