[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAytB194xJ6KzKQPadf2p9CwTO9WUslSheIi-_NIRohg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2025-69354","better-business-reviews-missing-authorization","Better Business Reviews \u003C= 0.1.1 - Missing Authorization","The Better Business Reviews – Trustpilot WordPress Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","better-business-reviews",null,"\u003C=0.1.1","0.1.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-09 00:00:00","2026-01-14 14:55:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4d7b8c5f-3e3d-4ccc-8598-fcb4503c25ea?source=api-prod",6,[],"researched",false,3,"This plan outlines the steps to identify and exploit CVE-2025-69354, a missing authorization vulnerability in the **Better Business Reviews** plugin.\n\n### 1. Vulnerability Summary\nThe \"Better Business Reviews – Trustpilot WordPress Plugin\" (\u003C= 0.1.1) fails to implement capability checks (e.g., `current_user_can()`) in one or more of its AJAX handlers registered via `wp_ajax_*`. While these handlers may use nonces for CSRF protection, the lack of authorization allows any authenticated user—including those with the **Subscriber** role—to perform administrative actions, such as modifying plugin settings or triggering data synchronization.\n\n### 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Authentication:** Authenticated, Subscriber-level (Low privilege).\n- **Vulnerable Action:** (Inferred) Likely related to saving settings, such as `bbr_save_settings` or `better_business_reviews_update`.\n- **Payload Parameter:** Typically `action`, `security` (or `nonce`), and a data array (e.g., `settings`).\n\n### 3. Code Flow (Discovery Phase)\nSince the exact function name is not provided in the summary, the agent must first locate it:\n1. **Entry Point Identification:** Search the plugin directory for AJAX registrations:\n   `grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fbetter-business-reviews\u002F`\n2. **Authorization Audit:** For each found action, trace the callback function and check for the absence of `current_user_can('manage_options')` or similar.\n3. **Common Sinks:** Look for functions that call `update_option()` or `update_site_option()` without proper permission checks.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely uses `wp_localize_script` to pass a nonce to the admin dashboard. Since Subscribers can access `wp-admin\u002Fprofile.php`, any script enqueued on all admin pages will leak the nonce to them.\n\n1. **Locate Nonce Registration:**\n   `grep -r \"wp_create_nonce\" wp-content\u002Fplugins\u002Fbetter-business-reviews\u002F`\n   `grep -r \"wp_localize_script\" wp-content\u002Fplugins\u002Fbetter-business-reviews\u002F`\n2. **Identify JavaScript Key:** Look for the object name (e.g., `bbr_ajax_obj`) and the nonce key (e.g., `nonce` or `security`).\n3. **Retrieval via Browser:**\n   - Create a Subscriber user.\n   - Use `browser_navigate` to go to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fprofile.php` as the Subscriber.\n   - Use `browser_eval` to extract the nonce:\n     `browser_eval(\"window.bbr_ajax_obj?.nonce\")` (Replace `bbr_ajax_obj` and `nonce` with discovered names).\n\n### 5. Test Data Setup\n1. **Install Plugin:** Ensure `better-business-reviews` version 0.1.1 is active.\n2. **Create Attacker User:**\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3. **Identify Target Setting:** Determine a setting the plugin controls (e.g., `bbr_trustpilot_business_id`).\n\n### 6. Exploitation Strategy\nOnce the AJAX action (e.g., `bbr_save_settings`) and the nonce key are identified, perform the following:\n\n**HTTP Request (via `http_request` tool):**\n- **Method:** POST\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Subscriber Cookies]`\n- **Body:**\n  ```\n  action=bbr_save_settings&\n  security=[EXTRACTED_NONCE]&\n  settings[business_id]=malicious_id_1337&\n  settings[another_option]=injected_value\n  ```\n*(Note: Parameter names like `settings` or `business_id` must be confirmed during the discovery phase.)*\n\n### 7. Expected Results\n- **Response:** A `200 OK` status with a JSON body indicating success (e.g., `{\"success\":true}` or `1`).\n- **Impact:** The plugin settings in the WordPress database are modified despite the request coming from a Subscriber.\n\n### 8. Verification Steps\n1. **Database Check:** Verify the option was changed via WP-CLI:\n   `wp option get bbr_settings`\n2. **UI Verification:** Check if the new values appear in the plugin's admin settings page (as an admin user).\n\n### 9. Alternative Approaches\nIf the plugin does not enqueue the script on all admin pages:\n1. **Shortcode Method:** Check if the plugin provides a shortcode:\n   `grep -r \"add_shortcode\" wp-content\u002Fplugins\u002Fbetter-business-reviews\u002F`\n2. **Public Nonce:** If a `wp_ajax_nopriv_` handler exists, the nonce might be available on the frontend. Create a page with the shortcode and extract the nonce from the site's homepage:\n   `wp post create --post_type=page --post_status=publish --post_content='[trustpilot_reviews]'`\n   Navigate to the new page and extract the nonce via `browser_eval`.\n\n### 10. Potential Action Strings to Search For\nDuring the discovery phase, prioritize looking for these common patterns:\n- `bbr_save_api_key`\n- `bbr_update_settings`\n- `bbr_fetch_reviews`\n- `trustpilot_settings_save`\n- `better_business_reviews_action`","The Better Business Reviews – Trustpilot WordPress Plugin (up to and including version 0.1.1) fails to perform a capability check (e.g., current_user_can()) within its AJAX handlers. This oversight allows authenticated attackers with low-privileged Subscriber access to execute administrative actions, such as modifying plugin settings, provided they can obtain a valid security nonce.","1. Access the WordPress admin dashboard as a Subscriber-level user (e.g., via \u002Fwp-admin\u002Fprofile.php).\n2. Locate the AJAX security nonce (likely named 'security' or 'nonce') localized within the page's JavaScript objects (e.g., bbr_ajax_obj).\n3. Prepare an AJAX POST request to '\u002Fwp-admin\u002Fadmin-ajax.php'.\n4. Set the 'action' parameter to the vulnerable handler (e.g., 'bbr_save_settings') and include the extracted nonce in the appropriate parameter.\n5. Include a payload containing modified settings (e.g., 'settings[business_id]=malicious_id') to overwrite the plugin configuration.\n6. Execute the request and verify the settings change via the database or the administrative settings UI.","gemini-3-flash-preview","2026-05-05 12:49:31","2026-05-05 12:50:20",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","0.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbetter-business-reviews\u002Ftags\u002F0.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-business-reviews.0.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbetter-business-reviews\u002Ftags\u002F0.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-business-reviews.0.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbetter-business-reviews\u002Ftags"]