CVE-2025-67993

Atarim <= 4.2.1 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 4.2.2
Time to patch: 9 days

Description

The Visual Feedback, Review & AI Collaboration Tool For WordPress – Atarim plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=4.2.1
Published: February 9, 2026
Last updated: February 17, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit CVE-2025-67993, a missing authorization vulnerability in the Atarim plugin (version <= 4.2.1).


1. Vulnerability Summary

The Atarim plugin for WordPress (formerly WP Feedback) is vulnerable to Missing Authorization because it exposes an AJAX handler on a wp_ajax_nopriv_* hook (reachable without logging in) and does not call current_user_can() inside it. An unauthenticated attacker can therefore perform an action that should be restricted to administrators. The advisory itself says only "an unauthorized action"; this plan assumes (inferred) that the action is modifying plugin settings or triggering AI-related tasks.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: atarim_save_settings (inferred) or atarim_ai_generate_text (inferred)
  • Method: POST
  • Parameter: settings (array) or data (JSON-encoded)
  • Authentication: None (Unauthenticated)
  • Precondition: The plugin must be active. For front-end nonce extraction, the "Visual Feedback" sidebar must be enabled for guests (assumed; this is the configuration in which the nonce is rendered to unauthenticated visitors).

3. Code Flow

  1. Entry Point: The plugin registers a hook:
    add_action( 'wp_ajax_nopriv_atarim_save_settings', 'atarim_save_settings_callback' ); (inferred)
  2. Handler Execution: The function atarim_save_settings_callback is called.
  3. Missing Check: The function likely performs a check_ajax_referer() but fails to call current_user_can( 'manage_options' ).
  4. Sink: The function passes user-supplied data to update_option( 'atarim_settings', ... ).

4. Nonce Acquisition Strategy

Atarim typically localizes its configuration and nonces for its front-end sidebar. We will create a page to ensure the sidebar scripts load, then extract the nonce.

  • Plugin Localization Key: atarim_vars or atarim_obj (inferred)
  • Nonce Key: nonce
  • Strategy:
    1. Create a public post to trigger front-end script loading:
      wp post create --post_type=page --post_status=publish --post_title="Atarim Test" --post_content="Testing feedback sidebar"
    2. Navigate to the page using browser_navigate.
    3. Extract the nonce using browser_eval:
      // Common Atarim localization paths
      window.atarim_vars?.nonce || window.atarim_obj?.nonce || window.vFeedback_Ajax_Object?.nonce
      

5. Exploitation Strategy

We will attempt to modify a plugin setting that demonstrates unauthorized write access (Integrity: Low).

  • Target Setting (names inferred): atarim_ai_enabled (set to 0 to disable) or atarim_guest_feedback (set to 1 to enable).
  • Request Details:
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=atarim_save_settings&nonce=[EXTRACTED_NONCE]&settings[atarim_ai_enabled]=0
      
  • Alternative Payload (JSON):
    If the plugin expects JSON:
    action=atarim_save_settings&nonce=[EXTRACTED_NONCE]&data={"atarim_ai_enabled":0}
    

6. Test Data Setup

  1. Install Plugin: Ensure Atarim v4.2.1 is installed and active.
  2. Enable Guest Feedback (option name and key inferred):
    wp option update atarim_settings '{"guest_feedback":1}' --format=json
    (This ensures the nonce is rendered for unauthenticated users. --format=json makes WP-CLI store an array rather than the literal JSON string; note that this overwrites any existing settings array.)
  3. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Feedback Page" --post_content="Test"

7. Expected Results

  • Response Code: 200 OK
  • Response Body: Likely contains {"success":true} or 1.
  • Side Effect: The targeted option in the database should be updated to the attacker-supplied value.

8. Verification Steps

After sending the request, verify the change using WP-CLI:

# Check the plugin options directly in the database
wp option get atarim_settings --format=json

Verify if atarim_ai_enabled is now 0.

9. Alternative Approaches

If atarim_save_settings is not the vulnerable action:

  1. Grep for wp_ajax_nopriv_ in the plugin directory to find all unauthenticated entry points:
    grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/atarim-visual-collaboration/
  2. Test atarim_ai_chat:
    Send a request to action=atarim_ai_chat with a dummy prompt to see if AI credits are consumed (check the response for AI-generated text).
  3. Test atarim_dismiss_notice:
    Try to dismiss an admin notice unauthenticated:
    action=atarim_dismiss_notice&notice_id=atarim_welcome_notice&nonce=[NONCE]
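
As an added example (not Atarim's code and not taken from this advisory), the following Python script automates step 1 above: it finds every wp_ajax_nopriv_ registration in PHP source and reports the callbacks that change state without a current_user_can() check, which is exactly the pattern this CVE describes. The plugin source embedded in it is constructed for the example; the demo_* action, function and option names are hypothetical.

```python
"""
Static audit for WordPress AJAX handlers reachable without login.

Added example, not Atarim's code. Finds add_action('wp_ajax_nopriv_<action>',
'<callback>') registrations and reports callbacks that write state without a
current_user_can() check. A nonce check alone is NOT treated as safe: a nonce
that guests receive on the front end does not prove the caller is an admin.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Constructed sample plugin source; every demo_* name is hypothetical.
SAMPLE_PLUGIN = r'''<?php
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_callback' );
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_callback' );
add_action( "wp_ajax_nopriv_demo_public_count", "demo_public_count" );
add_action( 'wp_ajax_nopriv_demo_dismiss_notice', 'demo_dismiss_notice' );

function demo_save_settings_callback() {
    check_ajax_referer( 'demo_nonce', 'nonce' );
    update_option( 'demo_settings', $_POST['settings'] );  // nonce only: any guest with the nonce can write
    wp_send_json_success();
}

function demo_public_count() {
    wp_send_json_success( array( 'count' => (int) get_option( 'demo_count', 0 ) ) );  // read-only, fine for guests
}

function demo_dismiss_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_nonce', 'nonce' );
    update_option( 'demo_notice_dismissed', 1 );
    wp_send_json_success();
}
'''

# Matches string callbacks only; array( $this, 'method' ) and closures need manual review.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_nopriv_(?P<action>[A-Za-z0-9_]+)['"]\s*,\s*['"](?P<callback>[A-Za-z0-9_]+)['"]"""
)
WRITE_RE = re.compile(
    r"\b(update_option|add_option|delete_option|wp_insert_post|wp_update_post|update_user_meta)\s*\("
)


@dataclass
class Finding:
    action: str
    callback: str
    has_nonce: bool   # check_ajax_referer() or wp_verify_nonce() present
    has_cap: bool     # current_user_can() present
    writes: bool      # calls a state-changing WordPress API


def function_body(source, name):
    """Return the body of `function name(...) { ... }` by brace matching, or '' if not found."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]


def audit_nopriv_handlers(source):
    """List every nopriv handler in `source` with what its callback checks and does."""
    findings = []
    for m in HOOK_RE.finditer(source):
        body = function_body(source, m.group("callback"))
        findings.append(Finding(
            action=m.group("action"),
            callback=m.group("callback"),
            has_nonce="check_ajax_referer(" in body or "wp_verify_nonce(" in body,
            has_cap="current_user_can(" in body,
            writes=bool(WRITE_RE.search(body)),
        ))
    return findings


def suspicious(findings):
    """Handlers any visitor can reach that change state without a capability check."""
    return [f for f in findings if f.writes and not f.has_cap]


def audit_plugin_dir(path):
    """Concatenate every .php file under a plugin directory (hook and callback may live in different files)."""
    source = "\n".join(p.read_text(errors="ignore") for p in Path(path).rglob("*.php"))
    return audit_nopriv_handlers(source)


if __name__ == "__main__":
    for f in suspicious(audit_nopriv_handlers(SAMPLE_PLUGIN)):
        print(f"{f.action} -> {f.callback}(): nonce={f.has_nonce} capability={f.has_cap}")
```

Against the sample only demo_save_settings is reported: it has a nonce check but no capability check and writes an option, the same shape as the handler this advisory describes. demo_public_count is reachable by guests but only reads, and demo_dismiss_notice gates its write on manage_options. Point audit_plugin_dir() at a real plugin directory to scan it; anything registered through a class method or closure still has to be checked by hand.

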
Research Findings
Static analysis — not yet PoC-verified

Summary

The Atarim plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on its AJAX handlers, which static analysis suggests are the ones related to plugin settings and AI functionality. This allows unauthenticated attackers to modify plugin configuration or trigger actions that should be restricted to administrators, provided they can obtain a valid nonce, which the front-end feedback sidebar renders to guests when it is enabled for them. The CVSS vector rates the impact as a low integrity loss (I:L) with no confidentiality or availability impact.

Security Fix

--- a/atarim-visual-collaboration/atarim-visual-collaboration.php
+++ b/atarim-visual-collaboration/atarim-visual-collaboration.php
@@ -100,6 +100,9 @@
-add_action( 'wp_ajax_nopriv_atarim_save_settings', 'atarim_save_settings_callback' );
+add_action( 'wp_ajax_atarim_save_settings', 'atarim_save_settings_callback' );
 
 function atarim_save_settings_callback() {
+	if ( ! current_user_can( 'manage_options' ) ) {
+		wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
+	}
 	check_ajax_referer( 'atarim_nonce', 'nonce' );
 	// ... existing logic to update settings ...
 }
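
Review bot: the capability check at `if ( ! current_user_can( 'manage_options' ) )` is the part of this hunk that actually closes the hole, and it should stay even though the `wp_ajax_nopriv_` registration is removed: dropping the nopriv hook stops anonymous requests, but any logged-in subscriber can still reach `wp_ajax_atarim_save_settings`, and the research plan above notes that the `atarim_nonce` value is localized to guests on the front end, so `check_ajax_referer( 'atarim_nonce', 'nonce' )` was never an authorization control. Two things to confirm before treating this as the fix: the page labels its findings static analysis, so the file path and the `@@ -100,6 +100,9 @@` offsets are a reconstruction rather than the upstream 4.2.2 commit, and every other handler that validates against the same shared `atarim_nonce` action needs the same capability check, since a nonce obtainable by guests cannot distinguish one caller from another. `wp_send_json_error()` calls `wp_die()`, so no explicit `return` is needed after it.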

Exploit Outline

The outline relies on the lack of current_user_can() checks in AJAX handlers registered via wp_ajax_nopriv_*:

  1. The attacker visits a public page on the target site where the Atarim feedback sidebar is enabled for guests.
  2. The attacker extracts a valid security nonce from the front-end JavaScript localization objects (e.g., atarim_vars.nonce or vFeedback_Ajax_Object.nonce; object names inferred).
  3. The attacker constructs an unauthenticated POST request to /wp-admin/admin-ajax.php.
  4. The request payload includes the action parameter (e.g., atarim_save_settings, inferred), the extracted nonce, and a settings array containing modified plugin options (such as disabling security features or changing AI settings).
  5. The server updates the plugin options in the database without verifying that the requester has administrative privileges.
