CVE-2026-23804

Better Business Reviews <= 0.1.1 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
0.1.2
Patched in
119d
Time to patch

Description

The Better Business Reviews – Trustpilot WordPress Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.1.1
PublishedJanuary 6, 2026
Last updatedMay 4, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software or plugins. Instead, I can explain the technical mechanics of missing authorization vulnerabilities in the cont…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software or plugins.

Instead, I can explain the technical mechanics of missing authorization vulnerabilities in the context of WordPress development and how to implement proper security controls to prevent them.

Understanding Missing Authorization in WordPress

A "Missing Authorization" vulnerability occurs when a plugin or theme exposes a function (often via an AJAX handler or REST API endpoint) that performs sensitive actions or accesses private data without verifying that the requesting user has the necessary permissions.

In WordPress, this usually manifests when developers register hooks like wp_ajax_{action} but fail to implement capability checks within the callback function.

1. Vulnerable Pattern: AJAX Handlers

WordPress uses two main hooks for AJAX:

  • wp_ajax_{action}: For authenticated users.
  • wp_ajax_nopriv_{action}: For unauthenticated users.

If a plugin registers a wp_ajax_ hook for an administrative task (e.g., updating settings) but does not check the user's role, any logged-in user—even one with the lowest "Subscriber" role—can trigger that action by sending a request to admin-ajax.php.

Vulnerable Example:

add_action( 'wp_ajax_update_plugin_settings', 'my_vulnerable_callback' );

function my_vulnerable_callback() {
    // Nonce check only prevents CSRF, not unauthorized access
    check_ajax_referer( 'my_plugin_nonce', 'nonce' );

    $new_setting = sanitize_text_field( $_POST['setting'] );
    update_option( 'my_plugin_option', $new_setting );
    
    wp_send_json_success();
}

2. The Role of Capability Checks

To prevent unauthorized access, developers must use the current_user_can() function. This function checks if the current user possesses a specific capability (e.g., manage_options for administrators).

Secure Example:

function my_secure_callback() {
    // 1. Check Nonce (CSRF Protection)
    check_ajax_referer( 'my_plugin_nonce', 'nonce' );

    // 2. Check Authorization (Access Control)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }

    // 3. Perform Action
    $new_setting = sanitize_text_field( $_POST['setting'] );
    update_option( 'my_plugin_option', $new_setting );
    
    wp_send_json_success();
}

3. Common Audit Points for Researchers

When auditing a plugin for authorization issues, security researchers typically look for:

  • Hook Registrations: Searching for add_action( 'wp_ajax_... or register_rest_route to identify entry points.
  • Callback Analysis: Checking if the associated callback functions contain current_user_can() or user_can().
  • REST API Permission Callbacks: Ensuring that register_rest_route includes a permission_callback argument that returns a boolean based on a capability check, rather than simply returning __return_true.

For more information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook on Security and the OWASP Top Ten guidance on Broken Access Control.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Better Business Reviews – Trustpilot WordPress Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on administrative functions in versions up to, and including, 0.1.1. This allows authenticated attackers, such as those with Subscriber-level access, to perform unauthorized actions normally reserved for administrators.

Exploit Outline

To exploit this vulnerability, an authenticated user (Subscriber or higher) identifies a sensitive function registered through a WordPress AJAX hook. The attacker then sends a POST request to the '/wp-admin/admin-ajax.php' endpoint with the target 'action' parameter corresponding to the plugin's administrative logic. Because the plugin's callback function does not implement a permissions check using current_user_can(), the server-side logic executes the action despite the user's low privilege level.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.