BizPrint <= 4.6.7 - Missing Authorization
Description
The Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More. plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.6.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.6.7Source Code
WordPress.org SVNThis research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2025-69024) in the **BizPrint** (print-google-cloud-print-gcp-woocommerce) plugin. ## 1. Vulnerability Summary The vulnerability is a **Missing Authorization** flaw in versions up to and inclu…
Show full research plan
This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2025-69024) in the BizPrint (print-google-cloud-print-gcp-woocommerce) plugin.
1. Vulnerability Summary
The vulnerability is a Missing Authorization flaw in versions up to and including 4.6.7. It occurs when an AJAX or admin-side action handler fails to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows authenticated users with low-level privileges (Contributor and above) to execute functions intended for Administrators, such as modifying plugin settings or triggering print actions.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Action: An AJAX handler (likely registered via
add_action( 'wp_ajax_...' )). - Required Privilege: Contributor-level account (can access
wp-admin, but should not have plugin management rights). - Precondition: The attacker must be logged in.
3. Identification Phase (Locating the Sink)
Since the source code is not provided, the agent must first identify the specific vulnerable action.
- Scan for AJAX Handlers:
Search for all AJAX actions registered by the plugin:grep -rn "add_action.*wp_ajax_" wp-content/plugins/print-google-cloud-print-gcp-woocommerce/ - Audit for Authorization:
For each identified handler function, check if it contains acurrent_user_can()check. Look specifically for handlers that:- Update settings (e.g.,
update_option,update_post_meta). - Trigger external requests (SSRF potential).
- Manage print jobs.
- Update settings (e.g.,
- Target Candidate (Inferred):
Likely actions includebizprint_save_settings,wpgcp_save_settings, orbizprint_test_print.
Example logic check:// VULNERABLE PATTERN public function handle_save_settings() { // Missing: if (!current_user_can('manage_options')) wp_die(); $settings = $_POST['settings']; update_option('bizprint_settings', $settings); wp_send_json_success(); }
4. Nonce Acquisition Strategy
If the handler uses check_ajax_referer or wp_verify_nonce, the nonce must be retrieved. These nonces are usually localized to the admin dashboard.
- Identify the Nonce Variable:
Search forwp_localize_scriptin the plugin code to find the JS object name and the nonce key.
Likely Inferred Variable:grep -rn "wp_localize_script" wp-content/plugins/print-google-cloud-print-gcp-woocommerce/window.bizprint_vars?.nonceorwindow.wpgcp_ajax?.nonce. - Retrieve Nonce via Browser:
As the Contributor user, navigate to the dashboard and extract the value:// To be run via browser_eval return window.bizprint_vars ? window.bizprint_vars.nonce : "not_found";
5. Test Data Setup
- Create Contributor User:
wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Identify Current Settings:
Check the current state of a plugin setting (e.g., the BizPrint API key or print status) to verify the change later.wp option get bizprint_settings --format=json
6. Exploitation Strategy
We will attempt to modify a plugin setting (Unauthorized Data Modification).
- Target Action: Assume the vulnerable action is
bizprint_save_settings(Verify via grep). - HTTP Request:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Cookies: Authenticated Contributor session.
- Body:
action=bizprint_save_settings&nonce=[EXTRACTED_NONCE]&bizprint_api_key=EXPLOITED_KEY&bizprint_debug_mode=1
7. Expected Results
- Response: The server returns a success code (e.g.,
{"success": true}or1). - State Change: The plugin's configuration in the
wp_optionstable is updated with the attacker's values. - Unauthorized Access: The Contributor, who normally cannot access the settings page, has successfully modified site-wide plugin behavior.
8. Verification Steps
After sending the request, use WP-CLI to confirm the database was updated:
# Check if the option was changed to the payload value
wp option get bizprint_settings
9. Alternative Approaches
If no settings update is vulnerable, check for Unauthorized Triggering:
- Action:
bizprint_test_print. - Payload: Attempt to trigger a print job to an arbitrary printer ID.
- Verification: Check plugin logs or the printing queue for an unauthorized entry created by the Contributor user.
Summary
The Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More (BizPrint) plugin for WordPress is vulnerable to unauthorized access in versions up to 4.6.7 because it lacks a capability check on its AJAX handlers. This allows authenticated attackers with Contributor-level permissions or higher to execute administrative functions, such as modifying plugin settings or triggering print jobs.
Vulnerable Code
// Inferred from research plan identification phase // wp-content/plugins/print-google-cloud-print-gcp-woocommerce/ (likely AJAX handler file) public function handle_save_settings() { // Missing: if (!current_user_can('manage_options')) wp_die(); $settings = $_POST['settings']; update_option('bizprint_settings', $settings); wp_send_json_success(); }
Security Fix
@@ -10,6 +10,10 @@ public function handle_save_settings() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( 'Unauthorized', 403 ); + wp_die(); + } $settings = $_POST['settings']; update_option('bizprint_settings', $settings); wp_send_json_success(); }
Exploit Outline
To exploit this vulnerability, an attacker must first authenticate as a Contributor or higher. The attacker then retrieves a valid security nonce by inspecting the WordPress admin dashboard for localized script variables (e.g., `window.bizprint_vars.nonce`). Using this nonce, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to a vulnerable handler (such as `bizprint_save_settings`) and includes a payload designed to modify the `bizprint_settings` option. Since the plugin fails to verify the user's capabilities, it processes the request and updates the site's configuration.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.