Attachments <= 5.2 - Missing Authorization
Description
The Attachments plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.2. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=5.2What Changed in the Fix
Changes introduced in v5.2.1
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-62888 (WP Attachments) ## 1. Vulnerability Summary The **WP Attachments** plugin for WordPress (versions <= 5.2) contains a missing authorization vulnerability in its AJAX handlers. The plugin registers two specific AJAX actions, `wp_ajax_wpa_realign` and `wp…
Show full research plan
Exploitation Research Plan - CVE-2025-62888 (WP Attachments)
1. Vulnerability Summary
The WP Attachments plugin for WordPress (versions <= 5.2) contains a missing authorization vulnerability in its AJAX handlers. The plugin registers two specific AJAX actions, wp_ajax_wpa_realign and wp_ajax_wpa_attach_media, intended for administrative use in the post-editor metabox. However, these handlers lack proper capability checks (e.g., current_user_can()), allowing any authenticated user with Contributor level permissions or higher to manipulate media attachments on posts they do not own or have permission to edit.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
wpa_attach_mediaorwpa_realign - Payload Parameter:
post_id(the target post),attachment_id(the media to attach/realign), andnonce. - Authentication: Authenticated; Contributor role or higher.
- Preconditions:
- The plugin must be active.
- The attacker must have a valid login with at least Contributor permissions.
- The attacker needs a valid nonce, which is exposed to any user who can access a post editor page where the metabox is loaded (including their own posts).
3. Code Flow
- Registration: In
inc/meta-box.php, theWP_Attachmentsclass registers AJAX hooks in the__constructmethod:private $actions = array( 'add_meta_boxes', 'admin_enqueue_scripts', 'wp_ajax_wpa_realign', 'wp_ajax_wpa_attach_media' ); - Script Localization: In
admin_enqueue_scripts(), the plugin provides a nonce and the current post ID to the frontend:wp_localize_script('wp-attachments', 'WP_Attachments_Vars', array( // ... 'postID' => get_the_ID(), 'ajaxurl' => admin_url('admin-ajax.php'), 'nonce' => wp_create_nonce('wpa-attachments-nonce') )); - Vulnerable Sink: The handler functions
wp_ajax_wpa_attach_media(orwpa_realign) ininc/meta-box.php(truncated in source but confirmed by vulnerability type) receive apost_idfrom the request. While they likely verify thewpa-attachments-nonce, they fail to verify if the current user has theedit_postcapability for the providedpost_id.
4. Nonce Acquisition Strategy
Because this is an authenticated vulnerability for Contributors, the attacker can obtain a valid nonce from the WordPress admin dashboard.
- Identify Trigger: The metabox is added to all public post types (like
postorpage) by default inadd_meta_boxes(). - Access Editor: The attacker (Contributor) logs into
/wp-admin/and creates a new post or edits one of their existing posts. - Extraction: Navigate to the post edit screen.
- Execute JavaScript: Use the
browser_evaltool to extract the localized nonce:window.WP_Attachments_Vars?.nonce
5. Exploitation Strategy
The goal is to demonstrate that a Contributor can attach a media file to an Administrator's post.
- Step 1: Login as Contributor: Authenticate as the low-privileged user.
- Step 2: Get Nonce: Navigate to
wp-admin/post-new.phpand extract thewpa-attachments-nonceusingbrowser_eval. - Step 3: Identify Target: Note the
post_idof an Administrator's post (e.g., ID1) and a Mediaattachment_id(e.g., ID5). - Step 4: Execute Unauthorized Action: Send a POST request to
admin-ajax.phpto attach the media to the Admin's post.
Example HTTP Request (via http_request tool)
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [Contributor Session Cookies]
action=wpa_attach_media&nonce=[EXTRACTED_NONCE]&post_id=1&attachment_id=5
6. Test Data Setup
- Admin Post: Create a post as an Administrator (e.g.,
Post ID 1, title "Top Secret Project"). - Media Item: Upload an image or file to the Media Library (e.g.,
Attachment ID 5). - Contributor User: Create a user with the
contributorrole. - Plugin Config: Ensure the plugin is active and metaboxes are enabled for the 'post' type (default).
7. Expected Results
- The AJAX request should return a success status (likely
1or a JSON success message). - The
post_parentof the attachment (ID 5) will be updated in thewp_poststable to match the targetpost_id(ID 1). - The attachment will now appear in the "Media Attachments" metabox and the frontend list for the Administrator's post.
8. Verification Steps
After performing the exploit, verify using WP-CLI:
# Check the parent ID of the attachment
wp post get 5 --field=post_parent
# Expected output: 1 (The Admin Post ID)
9. Alternative Approaches
If wpa_attach_media is strictly validated, try wpa_realign. This action typically updates the menu_order of attachments for a specific post. If the handler only takes a list of IDs and a post_id without checking edit_post capabilities for that post_id, it is equally vulnerable to unauthorized modification of post content structure.
Payload for wpa_realign (Inferred):
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
action=wpa_realign&nonce=[NONCE]&post_id=1&attachments[]=5&attachments[]=6
Summary
The WP Attachments plugin for WordPress is vulnerable to unauthorized access and data modification in versions up to 5.2 due to a missing capability check in its AJAX handlers. This allows authenticated attackers with Contributor-level access or higher to attach media files to posts or reorder them, regardless of ownership or editing permissions.
Vulnerable Code
// inc/meta-box.php lines 5-8 private $actions = array( 'add_meta_boxes', 'admin_enqueue_scripts', 'wp_ajax_wpa_realign', 'wp_ajax_wpa_attach_media' // renamed from ij_ ); --- // inc/meta-box.php around line 387 if (!$attachment_id || !$post_id) { wp_send_json_error('Missing data'); } wp_update_post(array( 'ID' => $attachment_id, 'post_parent' => $post_id ));
Security Fix
@@ -387,6 +387,15 @@ if (!$attachment_id || !$post_id) { wp_send_json_error('Missing data'); } + + // Object-level authorization: verify user can edit both the target post and the attachment + if (!current_user_can('edit_post', $post_id)) { + wp_send_json_error('Permission denied: cannot edit target post'); + } + if (!current_user_can('edit_post', $attachment_id)) { + wp_send_json_error('Permission denied: cannot edit attachment'); + } + wp_update_post(array( 'ID' => $attachment_id, 'post_parent' => $post_id
Exploit Outline
The vulnerability is exploited by an authenticated attacker (Contributor level or higher) through the WordPress AJAX endpoint. First, the attacker retrieves a valid security nonce from the 'WP_Attachments_Vars' object found on any post editor page where the plugin's metabox is active. The attacker then sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' set to 'wpa_attach_media' (or 'wpa_realign'). By providing the 'attachment_id' of a chosen media item and a target 'post_id' (e.g., an Administrator's post), the attacker can successfully reassign the media's parent post because the handler lacks the necessary 'current_user_can' checks to verify if the user is authorized to edit the specified objects.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.