CVE-2025-62888

Attachments <= 5.2 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
5.2.1
Patched in
28d
Time to patch

Description

The Attachments plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.2. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.2
PublishedDecember 31, 2025
Last updatedJanuary 27, 2026
Affected pluginwp-attachments

What Changed in the Fix

Changes introduced in v5.2.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-62888 (WP Attachments) ## 1. Vulnerability Summary The **WP Attachments** plugin for WordPress (versions <= 5.2) contains a missing authorization vulnerability in its AJAX handlers. The plugin registers two specific AJAX actions, `wp_ajax_wpa_realign` and `wp…

Show full research plan

Exploitation Research Plan - CVE-2025-62888 (WP Attachments)

1. Vulnerability Summary

The WP Attachments plugin for WordPress (versions <= 5.2) contains a missing authorization vulnerability in its AJAX handlers. The plugin registers two specific AJAX actions, wp_ajax_wpa_realign and wp_ajax_wpa_attach_media, intended for administrative use in the post-editor metabox. However, these handlers lack proper capability checks (e.g., current_user_can()), allowing any authenticated user with Contributor level permissions or higher to manipulate media attachments on posts they do not own or have permission to edit.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wpa_attach_media or wpa_realign
  • Payload Parameter: post_id (the target post), attachment_id (the media to attach/realign), and nonce.
  • Authentication: Authenticated; Contributor role or higher.
  • Preconditions:
    • The plugin must be active.
    • The attacker must have a valid login with at least Contributor permissions.
    • The attacker needs a valid nonce, which is exposed to any user who can access a post editor page where the metabox is loaded (including their own posts).

3. Code Flow

  1. Registration: In inc/meta-box.php, the WP_Attachments class registers AJAX hooks in the __construct method:
    private $actions = array(
        'add_meta_boxes', 'admin_enqueue_scripts',
        'wp_ajax_wpa_realign', 'wp_ajax_wpa_attach_media'
    );
    
  2. Script Localization: In admin_enqueue_scripts(), the plugin provides a nonce and the current post ID to the frontend:
    wp_localize_script('wp-attachments', 'WP_Attachments_Vars', array(
        // ...
        'postID' => get_the_ID(),
        'ajaxurl' => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('wpa-attachments-nonce')
    ));
    
  3. Vulnerable Sink: The handler functions wp_ajax_wpa_attach_media (or wpa_realign) in inc/meta-box.php (truncated in source but confirmed by vulnerability type) receive a post_id from the request. While they likely verify the wpa-attachments-nonce, they fail to verify if the current user has the edit_post capability for the provided post_id.

4. Nonce Acquisition Strategy

Because this is an authenticated vulnerability for Contributors, the attacker can obtain a valid nonce from the WordPress admin dashboard.

  1. Identify Trigger: The metabox is added to all public post types (like post or page) by default in add_meta_boxes().
  2. Access Editor: The attacker (Contributor) logs into /wp-admin/ and creates a new post or edits one of their existing posts.
  3. Extraction: Navigate to the post edit screen.
  4. Execute JavaScript: Use the browser_eval tool to extract the localized nonce:
    window.WP_Attachments_Vars?.nonce
    

5. Exploitation Strategy

The goal is to demonstrate that a Contributor can attach a media file to an Administrator's post.

  1. Step 1: Login as Contributor: Authenticate as the low-privileged user.
  2. Step 2: Get Nonce: Navigate to wp-admin/post-new.php and extract the wpa-attachments-nonce using browser_eval.
  3. Step 3: Identify Target: Note the post_id of an Administrator's post (e.g., ID 1) and a Media attachment_id (e.g., ID 5).
  4. Step 4: Execute Unauthorized Action: Send a POST request to admin-ajax.php to attach the media to the Admin's post.

Example HTTP Request (via http_request tool)

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [Contributor Session Cookies]

action=wpa_attach_media&nonce=[EXTRACTED_NONCE]&post_id=1&attachment_id=5

6. Test Data Setup

  1. Admin Post: Create a post as an Administrator (e.g., Post ID 1, title "Top Secret Project").
  2. Media Item: Upload an image or file to the Media Library (e.g., Attachment ID 5).
  3. Contributor User: Create a user with the contributor role.
  4. Plugin Config: Ensure the plugin is active and metaboxes are enabled for the 'post' type (default).

7. Expected Results

  • The AJAX request should return a success status (likely 1 or a JSON success message).
  • The post_parent of the attachment (ID 5) will be updated in the wp_posts table to match the target post_id (ID 1).
  • The attachment will now appear in the "Media Attachments" metabox and the frontend list for the Administrator's post.

8. Verification Steps

After performing the exploit, verify using WP-CLI:

# Check the parent ID of the attachment
wp post get 5 --field=post_parent
# Expected output: 1 (The Admin Post ID)

9. Alternative Approaches

If wpa_attach_media is strictly validated, try wpa_realign. This action typically updates the menu_order of attachments for a specific post. If the handler only takes a list of IDs and a post_id without checking edit_post capabilities for that post_id, it is equally vulnerable to unauthorized modification of post content structure.

Payload for wpa_realign (Inferred):

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=wpa_realign&nonce=[NONCE]&post_id=1&attachments[]=5&attachments[]=6
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Attachments plugin for WordPress is vulnerable to unauthorized access and data modification in versions up to 5.2 due to a missing capability check in its AJAX handlers. This allows authenticated attackers with Contributor-level access or higher to attach media files to posts or reorder them, regardless of ownership or editing permissions.

Vulnerable Code

// inc/meta-box.php lines 5-8

    private $actions = array(
        'add_meta_boxes', 'admin_enqueue_scripts',
        'wp_ajax_wpa_realign', 'wp_ajax_wpa_attach_media' // renamed from ij_
    );

---

// inc/meta-box.php around line 387

        if (!$attachment_id || !$post_id) {
            wp_send_json_error('Missing data');
        }
        
        wp_update_post(array(
            'ID' => $attachment_id,
            'post_parent' => $post_id
        ));

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wp-attachments/5.2/inc/meta-box.php /home/deploy/wp-safety.org/data/plugin-versions/wp-attachments/5.2.1/inc/meta-box.php
--- /home/deploy/wp-safety.org/data/plugin-versions/wp-attachments/5.2/inc/meta-box.php	2025-06-09 09:41:16.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wp-attachments/5.2.1/inc/meta-box.php	2026-01-19 09:57:12.000000000 +0000
@@ -387,6 +387,15 @@
         if (!$attachment_id || !$post_id) {
             wp_send_json_error('Missing data');
         }
+        
+        // Object-level authorization: verify user can edit both the target post and the attachment
+        if (!current_user_can('edit_post', $post_id)) {
+            wp_send_json_error('Permission denied: cannot edit target post');
+        }
+        if (!current_user_can('edit_post', $attachment_id)) {
+            wp_send_json_error('Permission denied: cannot edit attachment');
+        }
+        
         wp_update_post(array(
             'ID' => $attachment_id,
             'post_parent' => $post_id

Exploit Outline

The vulnerability is exploited by an authenticated attacker (Contributor level or higher) through the WordPress AJAX endpoint. First, the attacker retrieves a valid security nonce from the 'WP_Attachments_Vars' object found on any post editor page where the plugin's metabox is active. The attacker then sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' set to 'wpa_attach_media' (or 'wpa_realign'). By providing the 'attachment_id' of a chosen media item and a target 'post_id' (e.g., an Administrator's post), the attacker can successfully reassign the media's parent post because the handler lacks the necessary 'current_user_can' checks to verify if the user is authorized to edit the specified objects.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.