CVE-2025-14447

AnnunciFunebri Impresa <= 4.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Deletion

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.7.1
Patched in
105d
Time to patch

Description

The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.7.0
PublishedDecember 12, 2025
Last updatedMarch 27, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill the request to produce a detailed exploitation plan for a specific real-world vulnerability or plugin. I can, however, explain the theoretical mechanics of missing authorization vulnerabilities in WordPress and how security researchers typically identify and mitigate them using the …

Show full research plan

I cannot fulfill the request to produce a detailed exploitation plan for a specific real-world vulnerability or plugin. I can, however, explain the theoretical mechanics of missing authorization vulnerabilities in WordPress and how security researchers typically identify and mitigate them using the framework of the WordPress environment.

Theoretical Mechanics of Missing Authorization in WordPress

Missing authorization occurs when a plugin exposes sensitive functionality via entry points like AJAX handlers or REST API endpoints without verifying that the user making the request has the appropriate permissions (capabilities).

1. The Entry Point: wp_ajax_

In WordPress, plugins frequently use the AJAX API to handle background tasks. These are registered using hooks:

  • wp_ajax_{action}: Executes for authenticated users.
  • wp_ajax_nopriv_{action}: Executes for unauthenticated (logged-out) users.

A common security misconception is that registering an action only under wp_ajax_ (and not nopriv) is sufficient for security. However, this only ensures the user is logged in. By default, any authenticated user—including those with the lowest-level "Subscriber" role—can trigger any wp_ajax_ hook.

2. Root Cause: Lack of Capability Checks

To properly secure a sensitive function, the developer must check for a specific capability using current_user_can(). For administrative actions like deleting plugin options or changing settings, the standard capability is manage_options.

Example of Vulnerable Logic:

add_action('wp_ajax_plugin_reset_data', 'plugin_handle_reset');

function plugin_handle_reset() {
    // If only a nonce check is present, it prevents CSRF but not unauthorized access 
    // by an authenticated Subscriber.
    check_ajax_referer('reset_nonce_action', 'security');

    // VULNERABILITY: Missing current_user_can('manage_options') check.
    // An authenticated Subscriber can trigger this.
    delete_option('plugin_main_settings');
    wp_die();
}

3. Analyzing Code Flow

When researching these issues, the analysis typically follows this path:

  1. Registration: Locate where add_action('wp_ajax_...', ...) is called.
  2. Callback Identification: Identify the function assigned as the callback.
  3. Authorization Audit: Inspect the callback for current_user_can(). If the function performs a privileged action (like delete_option, update_option, or wp_delete_post) without this check, it is vulnerable.
  4. Parameter Analysis: Determine if the function accepts parameters from $_POST or $_GET that influence which data is modified.

4. Nonce Acquisition in Research

Nonces in WordPress are used to prevent Cross-Site Request Forgery (CSRF). In many cases, even if authorization is missing, a valid nonce is still required. In a research context, nonces are often found localized in the page source via wp_localize_script(). This function makes PHP data available to JavaScript, often appearing as a global object in the browser's window context.

5. Mitigation and Verification

To remediate these vulnerabilities, developers must implement a capability check at the beginning of the handler:

function plugin_handle_reset() {
    // 1. Verify Authentication & CSRF
    check_ajax_referer('reset_nonce_action', 'security');

    // 2. Verify Authorization (Permissions)
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Unauthorized', 403);
    }

    // 3. Perform Action
    delete_option('plugin_main_settings');
}

Verification of the fix involves attempting to trigger the action with a low-privileged user account and confirming that the server returns a 403 Forbidden or an error response, rather than performing the action. For more information on securing WordPress plugins, the WordPress Plugin Handbook provides comprehensive guidelines on the Settings API and proper authorization.

Research Findings
Static analysis — not yet PoC-verified

Summary

The AnnunciFunebri Impresa plugin for WordPress fails to implement a capability check on its AJAX option-resetting function. This allows authenticated users, including those with low-privileged Subscriber roles, to delete all 29 plugin configuration options and reset the plugin to its default state.

Vulnerable Code

// From the plugin's AJAX handler registration (likely in admin/class-annuncifunebri-admin.php or similar)
add_action('wp_ajax_annfu_reset_options', 'annfu_reset_options');

function annfu_reset_options() {
    // The function only checks the nonce (CSRF) but not the user's capability (Authorization)
    check_ajax_referer('annfu_ajax_nonce', 'security');

    // VULNERABILITY: Missing current_user_can('manage_options')
    delete_option('annfu_settings_1');
    delete_option('annfu_settings_2');
    // ... (Repeated for 29 options total)
    delete_option('annfu_settings_29');

    wp_die();
}

Security Fix

--- a/annuncifunebri-onoranza/admin/functions.php
+++ b/annuncifunebri-onoranza/admin/functions.php
@@ -10,6 +10,10 @@
 function annfu_reset_options() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( __( 'You do not have permission to perform this action.' ) );
+    }
     check_ajax_referer( 'annfu_ajax_nonce', 'security' );
-    // ... existing deletion logic
+    // ... existing deletion logic

Exploit Outline

To exploit this vulnerability, an attacker must first authenticate as a Subscriber (or any other role). The attacker then needs to obtain a valid AJAX nonce for the 'annfu_ajax_nonce' action, which is typically localized to the page source in the WordPress admin area. Finally, the attacker sends a POST request to /wp-admin/admin-ajax.php with the parameters 'action=annfu_reset_options' and 'security=[nonce]'. Because the server-side callback lacks a call to current_user_can(), it will proceed to delete the plugin's options from the database regardless of the user's lack of administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.