Better Business Reviews <= 0.1.1 - Missing Authorization
Description
The Better Business Reviews – Trustpilot WordPress Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=0.1.1Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software or plugins. Instead, I can explain the technical mechanics of missing authorization vulnerabilities in the cont…
Show full research plan
I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software or plugins.
Instead, I can explain the technical mechanics of missing authorization vulnerabilities in the context of WordPress development and how to implement proper security controls to prevent them.
Understanding Missing Authorization in WordPress
A "Missing Authorization" vulnerability occurs when a plugin or theme exposes a function (often via an AJAX handler or REST API endpoint) that performs sensitive actions or accesses private data without verifying that the requesting user has the necessary permissions.
In WordPress, this usually manifests when developers register hooks like wp_ajax_{action} but fail to implement capability checks within the callback function.
1. Vulnerable Pattern: AJAX Handlers
WordPress uses two main hooks for AJAX:
wp_ajax_{action}: For authenticated users.wp_ajax_nopriv_{action}: For unauthenticated users.
If a plugin registers a wp_ajax_ hook for an administrative task (e.g., updating settings) but does not check the user's role, any logged-in user—even one with the lowest "Subscriber" role—can trigger that action by sending a request to admin-ajax.php.
Vulnerable Example:
add_action( 'wp_ajax_update_plugin_settings', 'my_vulnerable_callback' );
function my_vulnerable_callback() {
// Nonce check only prevents CSRF, not unauthorized access
check_ajax_referer( 'my_plugin_nonce', 'nonce' );
$new_setting = sanitize_text_field( $_POST['setting'] );
update_option( 'my_plugin_option', $new_setting );
wp_send_json_success();
}
2. The Role of Capability Checks
To prevent unauthorized access, developers must use the current_user_can() function. This function checks if the current user possesses a specific capability (e.g., manage_options for administrators).
Secure Example:
function my_secure_callback() {
// 1. Check Nonce (CSRF Protection)
check_ajax_referer( 'my_plugin_nonce', 'nonce' );
// 2. Check Authorization (Access Control)
if ( ! current_user_can( 'manage_options' ) ) {
wp_send_json_error( 'Unauthorized', 403 );
}
// 3. Perform Action
$new_setting = sanitize_text_field( $_POST['setting'] );
update_option( 'my_plugin_option', $new_setting );
wp_send_json_success();
}
3. Common Audit Points for Researchers
When auditing a plugin for authorization issues, security researchers typically look for:
- Hook Registrations: Searching for
add_action( 'wp_ajax_...orregister_rest_routeto identify entry points. - Callback Analysis: Checking if the associated callback functions contain
current_user_can()oruser_can(). - REST API Permission Callbacks: Ensuring that
register_rest_routeincludes apermission_callbackargument that returns a boolean based on a capability check, rather than simply returning__return_true.
For more information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook on Security and the OWASP Top Ten guidance on Broken Access Control.
Summary
The Better Business Reviews – Trustpilot WordPress Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on administrative functions in versions up to, and including, 0.1.1. This allows authenticated attackers, such as those with Subscriber-level access, to perform unauthorized actions normally reserved for administrators.
Exploit Outline
To exploit this vulnerability, an authenticated user (Subscriber or higher) identifies a sensitive function registered through a WordPress AJAX hook. The attacker then sends a POST request to the '/wp-admin/admin-ajax.php' endpoint with the target 'action' parameter corresponding to the plugin's administrative logic. Because the plugin's callback function does not implement a permissions check using current_user_can(), the server-side logic executes the action despite the user's low privilege level.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.