CVE-2026-1103

AIKTP <= 5.0.04 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions

Severity: medium
Type: Missing Authorization
CVSS Score: 5.4
Patched in: 5.0.05
Time to patch: 1d

Description

The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' function as its permission callback, which only checks whether a user is logged in and fails to verify that the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 5.0.04
Published: January 23, 2026
Last updated: January 24, 2026
Affected plugin: aiktp

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified


Exploitation Research Plan: CVE-2026-1103 (AIKTP Token Exposure)

1. Vulnerability Summary

The AIKTP plugin for WordPress (versions <= 5.0.04) contains a missing authorization vulnerability in its REST API implementation. The endpoint responsible for retrieving the plugin's access token, /aiktp/getToken, uses a permission callback that only verifies if a user is logged in, but does not verify if the user has administrative privileges. This allows any authenticated user (starting from the Subscriber role) to retrieve the aiktpz_token, which provides administrative access to the AIKTP service, effectively allowing them to manage posts and media as the site administrator.

2. Attack Vector Analysis

  • Endpoint: /wp-json/aiktp/getToken (Namespace: aiktp, Route: getToken).
  • HTTP Method: GET (inferred, standard for "get" operations).
  • Authentication Required: Authenticated user with at least Subscriber role.
  • Vulnerable Parameter: None (the endpoint itself is unauthorized).
  • Permission Callback: verify_user_logged_in (fails to check for manage_options).

3. Code Flow

  1. Route Registration: The plugin calls register_rest_route during the rest_api_init hook.
  2. Permission Check: The permission_callback is set to a function named verify_user_logged_in.
  3. Vulnerable Callback: Inside verify_user_logged_in, the code likely performs a check like return is_user_logged_in(); rather than return current_user_can('manage_options');.
  4. Data Retrieval: Upon successful (but unauthorized) permission check, the endpoint handler retrieves the option aiktpz_token (or similar, based on the description) from the WordPress database using get_option().
  5. Response: The token is returned in a JSON response to the subscriber.

4. Nonce Acquisition Strategy

Accessing the WordPress REST API via cookie authentication requires a wp_rest nonce to be sent in the X-WP-Nonce header.

  1. Login: The agent will log in to the WordPress site as a user with the Subscriber role.
  2. Navigate: Navigate to the WordPress dashboard (/wp-admin/profile.php).
  3. Extraction: Use the browser_eval tool to extract the REST nonce from the global WordPress JavaScript objects.
    • JavaScript: window.wpApiSettings.nonce or window.restVars.nonce (inferred common patterns).
    • Command: browser_eval("window.wpApiSettings.nonce")

5. Exploitation Strategy

  1. Setup Account: Create a subscriber-level user for exploitation.
  2. Set Target Data: Ensure a dummy token exists in the database so the leak can be verified.
  3. Authentication: Log in as the subscriber using the browser_navigate and browser_type/click tools.
  4. Grab Nonce: Extract the wp_rest nonce as described in section 4.
  5. Execute Attack: Use the http_request tool to perform a GET request to the vulnerable endpoint.
    • URL: http://localhost:8080/wp-json/aiktp/getToken
    • Headers:
      • X-WP-Nonce: [EXTRACTED_NONCE]
      • Content-Type: application/json
    • Method: GET
  6. Analyze Response: Inspect the JSON body for the presence of the aiktpz_token.

6. Test Data Setup

  1. Plugin Installation: Ensure AIKTP version 5.0.04 or lower is active.
  2. Administrative Token: Create a dummy token for the plugin.
    • wp option update aiktpz_token "VULN_EXPOSED_TOKEN_12345" (Key name aiktpz_token from description).
  3. Attacker Account: Create a subscriber user.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123

7. Expected Results

  • The REST API call should return a 200 OK status code.
  • The response body should be a JSON object containing the token:
    {
        "aiktpz_token": "VULN_EXPOSED_TOKEN_12345"
    }
    
  • The Subscriber user should successfully receive this data despite lacking manage_options capabilities.

8. Verification Steps

  1. Confirm Identity: Verify the logged-in user is indeed a subscriber.
    • wp user get attacker --field=roles
  2. Compare Tokens: Verify the token retrieved via the REST API matches the one stored in the database.
    • wp option get aiktpz_token
  3. Check Capabilities: Confirm that a direct attempt to access admin pages (e.g., AIKTP settings page) returns a "You do not have sufficient permissions" error, while the REST API remains open.

9. Alternative Approaches

  • Endpoint Discovery: If /wp-json/aiktp/getToken returns a 404, search for the route registration in the plugin files:
    • grep -r "register_rest_route" wp-content/plugins/aiktp/
  • Nonce Bypassing: Check if the plugin erroneously allows unauthenticated access by testing the endpoint without the X-WP-Nonce header (though verify_user_logged_in suggests authentication is checked).
  • POST Method: If GET fails, attempt a POST request, as some REST handlers are registered for multiple methods.

Research Findings
Static analysis — not yet PoC-verified

Summary

The AIKTP plugin for WordPress is vulnerable to unauthorized information disclosure due to a missing capability check on its /aiktp/getToken REST API endpoint. Authenticated users with Subscriber-level access can retrieve the plugin's administrative access token, which can then be used to perform administrative actions such as creating posts and uploading media.

Vulnerable Code

// aiktp/includes/rest-api.php (approximate location)
// Route registration: the permission_callback alone decides who may reach the handler.
register_rest_route('aiktp', '/getToken', array(
    'methods'  => 'GET',
    'callback' => 'aiktp_get_token_callback',
    'permission_callback' => 'verify_user_logged_in',
));

---

// aiktp/includes/permissions.php
// Returns true for any logged-in user; no capability such as manage_options is checked.
function verify_user_logged_in() {
    return is_user_logged_in();
}

---

// aiktp/includes/callbacks.php
// Runs for every request that passed the permission callback and returns the stored token.
function aiktp_get_token_callback() {
    $token = get_option('aiktpz_token');
    return new WP_REST_Response(array('aiktpz_token' => $token), 200);
}
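The code flow in section 3 and the grep in section 9 both come down to one question: what does each register_rest_route() call use as its permission_callback? The following audit helper is an added example, not part of this advisory or of the AIKTP plugin: it parses route registrations out of plugin PHP source and classifies each callback, flagging login-only callbacks (this bug), `__return_true`, and a missing callback as well. The PHP it scans is constructed here, modelled on the reconstructed registration above; the extra route names are hypothetical.

```python
import re
# Constructed sample of plugin PHP source, modelled on the reconstructed AIKTP route
# registration in this advisory; it is NOT the plugin's real file contents.
SAMPLE_PHP = r'''
register_rest_route('aiktp', '/getToken', array(
    'methods'  => 'GET',
    'callback' => 'aiktp_get_token_callback',
    'permission_callback' => 'verify_user_logged_in',
));
register_rest_route('aiktp', '/public', array(
    'methods'  => 'GET',
    'callback' => 'aiktp_public_cb',
    'permission_callback' => '__return_true',
));
register_rest_route('aiktp', '/settings', array(
    'methods'  => 'POST',
    'callback' => 'aiktp_save_settings',
    'permission_callback' => function () { return current_user_can('manage_options'); },
));
register_rest_route('aiktp', '/legacy', array(
    'methods'  => 'GET',
    'callback' => 'aiktp_legacy_cb',
));
'''
LOGIN_ONLY_CALLBACKS = {"verify_user_logged_in", "is_user_logged_in"}  # test login state only
ROUTE_RE = re.compile(r"register_rest_route\(\s*'(?P<ns>[^']+)'\s*,\s*'(?P<route>[^']+)'"
                      r"\s*,\s*array\((?P<args>.*?)\)\s*\)\s*;", re.S)
PERM_RE = re.compile(r"'permission_callback'\s*=>\s*(?P<value>.+?)\s*,?\s*$", re.M)

def parse_routes(php_source):
    # Yield (namespace + route, raw permission_callback value, or None when absent).
    for m in ROUTE_RE.finditer(php_source):
        perm = PERM_RE.search(m.group("args"))
        value = perm.group("value").strip().strip("'\"") if perm else None
        yield m.group("ns") + m.group("route"), value

def classify(perm_value):
    if perm_value is None:  # WP 5.5+ warns, then dispatches the route with no check at all
        return "missing (endpoint public)"
    if perm_value == "__return_true":
        return "public"
    if perm_value in LOGIN_ONLY_CALLBACKS:
        return "login-only (no capability check)"
    if "current_user_can(" in perm_value:
        return "capability check"
    return "unknown (review manually)"

def audit(php_source):
    # Routes that do check a capability are dropped; everything else is a finding.
    return {r: classify(v) for r, v in parse_routes(php_source)
            if classify(v) != "capability check"}
```

Run it over a plugin directory by reading each .php file into `audit()`; any route reported as login-only or public that returns secrets or changes state is the pattern this CVE describes.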

Security Fix

--- a/aiktp/includes/permissions.php
+++ b/aiktp/includes/permissions.php
@@ -1,4 +1,4 @@
 function verify_user_logged_in() {
-    return is_user_logged_in();
+    return current_user_can('manage_options');
 }
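Review bot: after this change the function name no longer describes its behaviour: verify_user_logged_in now returns current_user_can('manage_options'), so a reader of any other register_rest_route call that names this callback will assume a login-only check while it has silently become admin-only. Suggest renaming it (e.g. to a hypothetical verify_user_is_admin) and keeping a separate login-only helper if other routes rely on it, and confirming every registration that references this callback is meant to require manage_options. Returning a WP_Error with a 403 status rather than bare false would also make the denial explicit in the REST response.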

Exploit Outline

The exploit target is the REST API endpoint `/wp-json/aiktp/getToken`. An attacker follows these steps:

  1. Authenticate with the WordPress site as a Subscriber-level user.
  2. Obtain the valid REST API nonce (wp_rest nonce) from the WordPress dashboard, typically found in the global JavaScript variable `wpApiSettings.nonce`.
  3. Send a GET request to `/wp-json/aiktp/getToken` including the `X-WP-Nonce` header.
  4. The server responds with a JSON object containing the `aiktpz_token` because the `verify_user_logged_in` callback only checks if the user is authenticated, not their permission level.
  5. Use the leaked token to authenticate against the AIKTP backend service to manage the site's content as an administrator.
