Absolute Addons For Elementor <= 1.0.14 - Missing Authorization
Description
The Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.14This research plan targets **CVE-2026-22468**, a missing authorization vulnerability in the **Absolute Addons For Elementor** plugin. This vulnerability allows authenticated users (with Subscriber-level permissions or higher) to execute actions typically reserved for administrators. --- ### 1. Vul…
Show full research plan
This research plan targets CVE-2026-22468, a missing authorization vulnerability in the Absolute Addons For Elementor plugin. This vulnerability allows authenticated users (with Subscriber-level permissions or higher) to execute actions typically reserved for administrators.
1. Vulnerability Summary
The vulnerability exists due to the lack of capability checks (e.g., current_user_can( 'manage_options' )) within one or more AJAX handlers registered via wp_ajax_ hooks. While the plugin may implement nonce verification to prevent CSRF, it fails to verify if the authenticated user has the necessary privileges to perform the requested action. This allows any logged-in user, such as a Subscriber, to perform unauthorized modifications, potentially altering plugin settings or site configurations.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Authentication: Subscriber-level account (
PR:L). - Preconditions: The attacker must be logged into the WordPress site.
- Vulnerable Action (Inferred): Likely an action related to saving settings, such as
absolute_addons_save_admin_settings,absolute_addons_update_options, orabsolute_addons_settings_save. - Payload Parameter: Usually a JSON object or array in a
POSTrequest containing settings keys and values.
3. Code Flow (Trace Path)
- Registration: The plugin registers AJAX handlers during the
initoradmin_inithook.- Search target:
add_action( 'wp_ajax_...inincludes/oradmin/directories.
- Search target:
- Entry Point: An authenticated user sends a
POSTrequest toadmin-ajax.phpwith a vulnerableactionparameter. - Missing Check: The handler function (e.g.,
save_settings_callback) is called. - Inadequate Verification:
- The function likely calls
check_ajax_referer( 'nonce_name', 'security' ). - Crucially, it skips
if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }.
- The function likely calls
- Sink: The function proceeds to call
update_option()orupdate_user_meta()based on user-supplied parameters.
4. Nonce Acquisition Strategy
Because this is a wp_ajax_ (authenticated) vulnerability, the nonce is likely localized for the WordPress dashboard.
- Identify Shortcode/Page: Check if the plugin enqueues scripts globally in the admin dashboard or only on specific pages.
- Create a Page (If needed): If the nonce is only available on pages with an Absolute Addons widget, create one:
wp post create --post_type=page --post_status=publish --post_content='[absolute_addons_widget]' - Navigate and Extract:
- Log in as a Subscriber.
- Navigate to
/wp-admin/or the created page. - Use
browser_evalto search for the localization object. - Likely JS Objects:
absolute_addons_admin,absolute_addons_data, orAA_Settings. - Command:
browser_eval("window.absolute_addons_admin?.nonce")orbrowser_eval("window.absolute_addons_data?.ajax_nonce").
5. Exploitation Strategy
The goal is to use a Subscriber account to change a plugin setting or a core WordPress option.
Step 1: Discovery
Search the plugin code to identify the exact vulnerable action and nonce name.
grep -rn "wp_ajax_" .
# Check the resulting function for missing current_user_can
Step 2: Payload Identification
Identify the parameter name used for settings (often settings, data, or individual option names).
Step 3: Execution
Using the http_request tool, send the malicious request.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Replaceaction=absolute_addons_save_settings_data&security=[NONCE]&settings[some_critical_option]=malicious_valueabsolute_addons_save_settings_dataandsecuritywith the actual action and nonce parameter name found in Step 1.)
6. Test Data Setup
- Install Plugin: Ensure
absolute-addonsversion <= 1.0.14 is active. - Create Subscriber:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password - Identify Target Option: Find a specific setting the plugin manages (e.g.,
absolute_addons_settings).
7. Expected Results
- The server should respond with a
200 OKand likely a JSON success message (e.g.,{"success": true}). - The database state should reflect the unauthorized change despite the request coming from a Subscriber.
8. Verification Steps
After the exploit attempt, verify the change using WP-CLI:
# Check if the targeted option was changed
wp option get absolute_addons_settings
# Or, if the exploit targeted a core WordPress setting via the vulnerability:
wp option get users_can_register
9. Alternative Approaches
- Settings Injection: If the handler allows updating any option (blind
update_option($_POST['key'], $_POST['value'])), attempt to changeusers_can_registerto1anddefault_roletoadministrator. - Information Disclosure: Check if there are AJAX handlers for retrieving settings (
get_settings) that also lack authorization, which could leak sensitive configuration data to a Subscriber. - Nonce Bypass Check: Check if
check_ajax_refereris called with the third parameter asfalseand the return value is not checked:if ( check_ajax_referer( 'action', 'nonce', false ) ) { // logic }vscheck_ajax_referer( 'action', 'nonce', false ); // logic follows anyway.
Summary
The Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in an AJAX handler in versions up to, and including, 1.0.14. This allows authenticated attackers with subscriber-level permissions to perform administrative actions, such as updating plugin settings, by crafting a request to the admin-ajax.php endpoint with a valid nonce.
Security Fix
@@ -50,6 +50,10 @@ public function absolute_addons_save_settings_data() { check_ajax_referer( 'absolute_addons_nonce', 'security' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => __( 'Permission denied', 'absolute-addons' ) ) ); + } + $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array(); update_option( 'absolute_addons_settings', $settings ); wp_send_json_success();
Exploit Outline
1. Log in to the WordPress site as a user with Subscriber-level access. 2. Locate and extract the AJAX nonce from the page source or JavaScript console, typically found in localized script objects such as 'absolute_addons_admin' or 'absolute_addons_data'. 3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'absolute_addons_save_settings_data' (or the equivalent vulnerable action identified in the plugin code). 4. Include the 'security' (or equivalent) parameter with the extracted nonce and a 'settings' parameter containing the desired configuration changes. 5. The server will process the request and update the plugin settings without verifying the user's administrative privileges.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.