CVE-2026-24535

Automatic Featured Images from Videos <= 1.2.7 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 1.2.8
Time to patch: 4d

Description

The Automatic Featured Images from Videos plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.2.7
Published: January 25, 2026
Last updated: January 28, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-24535

1. Vulnerability Summary

The Automatic Featured Images from Videos plugin (<= 1.2.7) is vulnerable to missing authorization in its AJAX handling logic. Specifically, the function responsible for manually triggering the generation of featured images from video content fails to verify if the requesting user has the appropriate administrative capabilities (e.g., manage_options or edit_others_posts). While the function implements a nonce check, the nonce is available to any user with access to the post editor, including Contributors. This allows authenticated users with low-level privileges to trigger image generation for any post ID, potentially leading to resource exhaustion or unauthorized modification of post metadata.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: afiv_generate_featured_image (inferred from plugin slug and standard naming conventions)
  • HTTP Method: POST
  • Parameters:
    • action: afiv_generate_featured_image
    • post_id: The ID of the target WordPress post.
    • afiv_nonce: A valid security nonce.
  • Authentication: Required (Contributor level or higher).
  • Preconditions: The attacker must have access to the WordPress dashboard (Contributor role satisfies this) to retrieve a valid nonce.

3. Code Flow

  1. Registration: The plugin registers the AJAX action during initialization.
    // Likely in the main plugin file or an admin-specific include
    add_action( 'wp_ajax_afiv_generate_featured_image', 'afiv_generate_featured_image_callback' );
    
  2. Entry Point: An authenticated user sends a POST request to admin-ajax.php with action=afiv_generate_featured_image.
  3. Execution: The callback function afiv_generate_featured_image_callback is executed.
  4. Vulnerable Logic:
    • The function calls check_ajax_referer( 'afiv_nonce', 'nonce' ) (or similar).
    • It retrieves the post_id from $_POST.
    • Missing Check: It fails to call current_user_can( 'edit_post', $post_id ) or current_user_can( 'manage_options' ).
    • It proceeds to call the core processing logic to scan the post content for video URLs (YouTube, Vimeo, etc.), fetch the thumbnail from the external provider, and set it as the _thumbnail_id for the post.
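The code flow above places the missing check between the nonce verification and the metadata write. The handler below is an added example (not the plugin's own code) of that corrected flow; the afiv_* function, action and variable names follow the names this plan infers, and afiv_generate_image() is assumed to be the plugin's processing routine.

```php
<?php
// Added example, not the plugin's code. Names (afiv_*) are the ones inferred
// above and may differ from the real plugin. The point: a nonce proves intent
// (CSRF protection), a capability check proves authorization. Both are needed.

add_action( 'admin_enqueue_scripts', 'afiv_example_enqueue' );
function afiv_example_enqueue( $hook ) {
    // The nonce is shipped only to editor screens, but every role that can
    // open the editor (Contributors included) receives it, so the nonce can
    // never be the only gate in the handler.
    if ( 'post.php' !== $hook && 'post-new.php' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'afiv-example', plugins_url( 'afiv-example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'afiv-example', 'afiv_vars', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'afiv_nonce' ),
    ) );
}

add_action( 'wp_ajax_afiv_generate_featured_image', 'afiv_example_callback' );
function afiv_example_callback() {
    // 1. Nonce: request comes from a logged-in session that loaded this action's nonce.
    check_ajax_referer( 'afiv_nonce', 'nonce' );

    // 2. Input: integer post ID that refers to an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'Invalid post', 400 ); // wp_send_json_error() ends the request
    }

    // 3. Authorization: the edit_post meta capability is evaluated against THIS
    //    post, so a Contributor passes only for their own drafts, never for a
    //    post owned by another user (e.g. the administrator's post 1 above).
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }

    // 4. Only now run the processing that writes _thumbnail_id.
    afiv_generate_image( $post_id ); // assumed plugin routine, as referenced on this page
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

Returning a 403 rather than a bare success/failure body also gives the web server log a distinct status to alert on for repeated unauthorized attempts against admin-ajax.php.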

4. Nonce Acquisition Strategy

The plugin localizes its script and provides a nonce to the post editor screen. Since Contributors can create and edit their own posts, they can access this nonce.

  1. Shortcode/Context: The nonce is likely enqueued on the post.php (Edit Post) and post-new.php screens.
  2. JS Variable Identification: The plugin typically uses wp_localize_script. Based on common patterns, the object name is likely afiv_vars or afiv_obj.
  3. Acquisition Steps:
    • Create a post as a Contributor: wp post create --post_type=post --post_status=draft --post_author=CONTRIBUTOR_ID --post_title="Nonce Grab"
    • Navigate to the edit page for that post: /wp-admin/post.php?post=POST_ID&action=edit.
    • Use browser_eval to extract the nonce:
      window.afiv_vars?.nonce || window.afiv_obj?.nonce
      
    • (Alternative) Search for afiv_nonce in the HTML source using http_request.

5. Exploitation Strategy

  1. Target Identification: Identify a Post ID (e.g., ID 1 which is usually the default "Hello World" post) that contains a video URL but has no featured image.
  2. Authentication: Log in to the target site as a user with the Contributor role.
  3. Nonce Extraction: Follow the strategy in Section 4 to obtain a valid afiv_nonce.
  4. The Exploit Request:
    • Use the http_request tool to send the unauthorized command.
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=afiv_generate_featured_image&post_id=1&nonce=[EXTRACTED_NONCE]
      
    • Note: If the parameter name is not nonce, it might be afiv_nonce or security. Verify the key name during the nonce extraction phase.

6. Test Data Setup

  1. Admin Setup:
    • Create a "Target Post" (ID 1) as Administrator.
    • Set the content of Post 1 to include a YouTube link: https://www.youtube.com/watch?v=dQw4w9WgXcQ.
    • Ensure Post 1 has no featured image set.
  2. Attacker Setup:
    • Create a user attacker with the contributor role.
    • Create a "Dummy Post" (ID 2) authored by attacker so they can access the edit screen and retrieve the nonce.

7. Expected Results

  • The AJAX response should return a success code (e.g., {"success": true} or a raw 1).
  • The Target Post (ID 1), which the Contributor is not authorized to edit, will now have a featured image automatically assigned from the YouTube video.
  • Server-side metadata (_thumbnail_id) will be updated for Post 1.

8. Verification Steps

  1. CLI Check:
    # Check if post 1 now has a thumbnail ID assigned
    wp post meta get 1 _thumbnail_id
    
  2. Visual Check:
    • Navigate to the home page or the specific post view to see if the featured image appears.
  3. Authorization Confirmation:
    • Confirm that the attacker user cannot normally edit post 1 using standard WP-CLI or UI methods:
      wp post update 1 --post_title="Hacked" --user=attacker
      # This should fail with "Sorry, you are not allowed to edit this post."
      

9. Alternative Approaches

  • Action Guessing: If afiv_generate_featured_image is not the correct action name, search the plugin source for wp_ajax_ strings:
    grep -r "wp_ajax_" /var/www/html/wp-content/plugins/automatic-featured-images-from-videos/
    
  • Parameter Variation: Some versions of this plugin might use id instead of post_id. Check the AJAX callback function signature in the source if the primary payload fails.
  • Bulk Action: Check if there is a bulk generation AJAX action (e.g., afiv_bulk_generate) which might also lack authorization and allow affecting multiple posts simultaneously.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Automatic Featured Images from Videos plugin for WordPress is vulnerable to unauthorized featured image generation due to a missing capability check in its AJAX handler. This allows authenticated attackers with Contributor-level access to trigger image generation for any post on the site by leveraging a nonce accessible in the post editor.

Vulnerable Code

// Action registration inferred from plugin logic
add_action( 'wp_ajax_afiv_generate_featured_image', 'afiv_generate_featured_image_callback' );

// Callback implementation lacking authorization
function afiv_generate_featured_image_callback() {
    check_ajax_referer( 'afiv_nonce', 'nonce' );

    $post_id = $_POST['post_id'];

    // Vulnerability: Missing check such as current_user_can( 'edit_post', $post_id )

    afiv_generate_image( $post_id );
    wp_send_json_success();
}

Security Fix

--- a/automatic-featured-images-from-videos.php
+++ b/automatic-featured-images-from-videos.php
@@ -10,6 +10,10 @@
     check_ajax_referer( 'afiv_nonce', 'nonce' );
 
     $post_id = intval( $_POST['post_id'] );
+
+    if ( ! current_user_can( 'edit_post', $post_id ) ) {
+        wp_send_json_error( 'Unauthorized' );
+    }
 
     afiv_generate_image( $post_id );
     wp_send_json_success();
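Review bot: the context line `$post_id = intval( $_POST['post_id'] );` does not match the `$post_id = $_POST['post_id'];` shown in the Vulnerable Code block above, so one of the two reconstructions of the pre-fix code is inaccurate; since both are labelled inferred, reconcile them or note which one reflects the 1.2.7 source. The added block `if ( ! current_user_can( 'edit_post', $post_id ) ) { wp_send_json_error( 'Unauthorized' ); }` is correct as an authorization gate because `wp_send_json_error()` terminates the request via `wp_die()`, so the later `afiv_generate_image( $post_id );` is not reached; a missing `post_id` yields 0 and `edit_post` on 0 fails closed. Consider passing a status code, `wp_send_json_error( 'Unauthorized', 403 )`, so the refusal is visible in server logs, and guarding `$_POST['post_id']` with `isset()` to avoid a PHP warning when the parameter is absent.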

Exploit Outline

An attacker with Contributor-level access logs into the WordPress dashboard and navigates to the post editor for a post they are authorized to edit. From the page source or localized JavaScript variables (e.g., afiv_vars.nonce), the attacker retrieves a valid 'afiv_nonce'. The attacker then sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'afiv_generate_featured_image', providing the valid nonce and the post_id of a target post they do not have permission to modify. The plugin processes the target post and sets its featured image based on video links found in the content without verifying the attacker's permissions.
