CVE-2025-69354

Better Business Reviews <= 0.1.1 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 0.1.2
Time to patch: 6d

Description

The Better Business Reviews – Trustpilot WordPress Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 0.1.1
Published: January 9, 2026
Last updated: January 14, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the steps to identify and exploit CVE-2025-69354, a missing authorization vulnerability in the Better Business Reviews plugin.

1. Vulnerability Summary

The "Better Business Reviews – Trustpilot WordPress Plugin" (<= 0.1.1) fails to implement capability checks (e.g., current_user_can()) in one or more of its AJAX handlers registered via wp_ajax_*. While these handlers may use nonces for CSRF protection, the lack of authorization allows any authenticated user—including those with the Subscriber role—to perform administrative actions, such as modifying plugin settings or triggering data synchronization.
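To make the distinction drawn above concrete, here is an added illustration (not code from the plugin, and not part of this page's source): a settings-saving `wp_ajax_*` handler written once with only a nonce check, and once with the capability check the advisory says is missing. The action name `bbr_save_settings`, the nonce name `security`, the option key `bbr_settings` and the `business_id` field are the inferred names used elsewhere in this plan, assumed here for illustration rather than confirmed identifiers.

```php
<?php
// Added example, not the plugin's code. Action, nonce and option names are
// hypothetical and mirror the inferred names used in this research plan.

// --- Vulnerable pattern: nonce check only.
// check_ajax_referer() proves the request originated from a page that rendered
// the nonce (a CSRF defence). It says nothing about WHO may save settings, so
// any logged-in user who can reach a page that localizes the nonce (for example
// wp-admin/profile.php, which Subscribers can open) passes this check.
function bbr_example_save_settings_vulnerable() {
    check_ajax_referer( 'bbr_settings_nonce', 'security' );

    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'bbr_settings', $settings ); // written for a Subscriber too
    wp_send_json_success();
}

// --- Hardened pattern: authorization, then CSRF check, then input validation.
function bbr_example_save_settings_hardened() {
    // Authorization: only users allowed to manage the site's options.
    // wp_send_json_error() with a status code terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF: the nonce is still required; it complements the capability check
    // rather than replacing it.
    check_ajax_referer( 'bbr_settings_nonce', 'security' );

    // Allow-list the keys the handler expects and sanitize each value, so an
    // attacker cannot smuggle arbitrary keys into the stored option array.
    $raw      = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $allowed  = array( 'business_id' ); // hypothetical setting name
    $settings = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $settings[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }

    update_option( 'bbr_settings', $settings );
    wp_send_json_success( array( 'saved' => array_keys( $settings ) ) );
}

// Register only the hardened handler, and only for logged-in users. Hooking the
// same callback to wp_ajax_nopriv_* would expose it to unauthenticated requests.
add_action( 'wp_ajax_bbr_save_settings', 'bbr_example_save_settings_hardened' );
```

When auditing a plugin for this class of bug, the test is exactly the difference between the two functions: a handler that writes options, performs API calls or triggers synchronization must call `current_user_can()` (or an equivalent capability check) before acting, regardless of whether a nonce is also verified.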

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Authentication: Authenticated, Subscriber-level (Low privilege).
  • Vulnerable Action: (Inferred) Likely related to saving settings, such as bbr_save_settings or better_business_reviews_update.
  • Payload Parameter: Typically action, security (or nonce), and a data array (e.g., settings).

3. Code Flow (Discovery Phase)

Since the exact function name is not provided in the summary, the agent must first locate it:

  1. Entry Point Identification: Search the plugin directory for AJAX registrations:
    grep -r "wp_ajax_" wp-content/plugins/better-business-reviews/
  2. Authorization Audit: For each found action, trace the callback function and check for the absence of current_user_can('manage_options') or similar.
  3. Common Sinks: Look for functions that call update_option() or update_site_option() without proper permission checks.

4. Nonce Acquisition Strategy

The plugin likely uses wp_localize_script to pass a nonce to the admin dashboard. Since Subscribers can access wp-admin/profile.php, any script enqueued on all admin pages will leak the nonce to them.

  1. Locate Nonce Registration:
    grep -r "wp_create_nonce" wp-content/plugins/better-business-reviews/
    grep -r "wp_localize_script" wp-content/plugins/better-business-reviews/
  2. Identify JavaScript Key: Look for the object name (e.g., bbr_ajax_obj) and the nonce key (e.g., nonce or security).
  3. Retrieval via Browser:
    • Create a Subscriber user.
    • Use browser_navigate to go to http://localhost:8080/wp-admin/profile.php as the Subscriber.
    • Use browser_eval to extract the nonce:
      browser_eval("window.bbr_ajax_obj?.nonce") (Replace bbr_ajax_obj and nonce with discovered names).

5. Test Data Setup

  1. Install Plugin: Ensure better-business-reviews version 0.1.1 is active.
  2. Create Attacker User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  3. Identify Target Setting: Determine a setting the plugin controls (e.g., bbr_trustpilot_business_id).

6. Exploitation Strategy

Once the AJAX action (e.g., bbr_save_settings) and the nonce key are identified, perform the following:

HTTP Request (via http_request tool):

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded, Cookie: [Subscriber Cookies]
  • Body:
    action=bbr_save_settings&
    security=[EXTRACTED_NONCE]&
    settings[business_id]=malicious_id_1337&
    settings[another_option]=injected_value

(Note: Parameter names like settings or business_id must be confirmed during the discovery phase.)

7. Expected Results

  • Response: A 200 OK status with a JSON body indicating success (e.g., {"success":true} or 1).
  • Impact: The plugin settings in the WordPress database are modified despite the request coming from a Subscriber.

8. Verification Steps

  1. Database Check: Verify the option was changed via WP-CLI:
    wp option get bbr_settings
  2. UI Verification: Check if the new values appear in the plugin's admin settings page (as an admin user).

9. Alternative Approaches

If the plugin does not enqueue the script on all admin pages:

  1. Shortcode Method: Check if the plugin provides a shortcode:
    grep -r "add_shortcode" wp-content/plugins/better-business-reviews/
  2. Public Nonce: If a wp_ajax_nopriv_ handler exists, the nonce might be available on the frontend. Create a page with the shortcode and extract the nonce from the site's homepage:
    wp post create --post_type=page --post_status=publish --post_content='[trustpilot_reviews]'
    Navigate to the new page and extract the nonce via browser_eval.

10. Potential Action Strings to Search For

During the discovery phase, prioritize looking for these common patterns:

  • bbr_save_api_key
  • bbr_update_settings
  • bbr_fetch_reviews
  • trustpilot_settings_save
  • better_business_reviews_action

Research Findings
Static analysis — not yet PoC-verified

Summary

The Better Business Reviews – Trustpilot WordPress Plugin (up to and including version 0.1.1) fails to perform a capability check (e.g., current_user_can()) within its AJAX handlers. This oversight allows authenticated attackers with low-privileged Subscriber access to execute administrative actions, such as modifying plugin settings, provided they can obtain a valid security nonce.

Exploit Outline

  1. Access the WordPress admin dashboard as a Subscriber-level user (e.g., via /wp-admin/profile.php).
  2. Locate the AJAX security nonce (likely named 'security' or 'nonce') localized within the page's JavaScript objects (e.g., bbr_ajax_obj).
  3. Prepare an AJAX POST request to '/wp-admin/admin-ajax.php'.
  4. Set the 'action' parameter to the vulnerable handler (e.g., 'bbr_save_settings') and include the extracted nonce in the appropriate parameter.
  5. Include a payload containing modified settings (e.g., 'settings[business_id]=malicious_id') to overwrite the plugin configuration.
  6. Execute the request and verify the settings change via the database or the administrative settings UI.
