CVE-2025-69024

BizPrint <= 4.6.7 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.7.1
Patched in
9d
Time to patch

Description

The Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More. plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.6.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.6.7
PublishedDecember 29, 2025
Last updatedJanuary 6, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2025-69024) in the **BizPrint** (print-google-cloud-print-gcp-woocommerce) plugin. ## 1. Vulnerability Summary The vulnerability is a **Missing Authorization** flaw in versions up to and inclu…

Show full research plan

This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2025-69024) in the BizPrint (print-google-cloud-print-gcp-woocommerce) plugin.

1. Vulnerability Summary

The vulnerability is a Missing Authorization flaw in versions up to and including 4.6.7. It occurs when an AJAX or admin-side action handler fails to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows authenticated users with low-level privileges (Contributor and above) to execute functions intended for Administrators, such as modifying plugin settings or triggering print actions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: An AJAX handler (likely registered via add_action( 'wp_ajax_...' )).
  • Required Privilege: Contributor-level account (can access wp-admin, but should not have plugin management rights).
  • Precondition: The attacker must be logged in.

3. Identification Phase (Locating the Sink)

Since the source code is not provided, the agent must first identify the specific vulnerable action.

  1. Scan for AJAX Handlers:
    Search for all AJAX actions registered by the plugin:
    grep -rn "add_action.*wp_ajax_" wp-content/plugins/print-google-cloud-print-gcp-woocommerce/
    
  2. Audit for Authorization:
    For each identified handler function, check if it contains a current_user_can() check. Look specifically for handlers that:
    • Update settings (e.g., update_option, update_post_meta).
    • Trigger external requests (SSRF potential).
    • Manage print jobs.
  3. Target Candidate (Inferred):
    Likely actions include bizprint_save_settings, wpgcp_save_settings, or bizprint_test_print.
    Example logic check:
    // VULNERABLE PATTERN
    public function handle_save_settings() {
        // Missing: if (!current_user_can('manage_options')) wp_die();
        $settings = $_POST['settings'];
        update_option('bizprint_settings', $settings);
        wp_send_json_success();
    }
    

4. Nonce Acquisition Strategy

If the handler uses check_ajax_referer or wp_verify_nonce, the nonce must be retrieved. These nonces are usually localized to the admin dashboard.

  1. Identify the Nonce Variable:
    Search for wp_localize_script in the plugin code to find the JS object name and the nonce key.
    grep -rn "wp_localize_script" wp-content/plugins/print-google-cloud-print-gcp-woocommerce/
    
    Likely Inferred Variable: window.bizprint_vars?.nonce or window.wpgcp_ajax?.nonce.
  2. Retrieve Nonce via Browser:
    As the Contributor user, navigate to the dashboard and extract the value:
    // To be run via browser_eval
    return window.bizprint_vars ? window.bizprint_vars.nonce : "not_found";
    

5. Test Data Setup

  1. Create Contributor User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  2. Identify Current Settings:
    Check the current state of a plugin setting (e.g., the BizPrint API key or print status) to verify the change later.
    wp option get bizprint_settings --format=json
    

6. Exploitation Strategy

We will attempt to modify a plugin setting (Unauthorized Data Modification).

  1. Target Action: Assume the vulnerable action is bizprint_save_settings (Verify via grep).
  2. HTTP Request:
    • Method: POST
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Cookies: Authenticated Contributor session.
    • Body:
      action=bizprint_save_settings&nonce=[EXTRACTED_NONCE]&bizprint_api_key=EXPLOITED_KEY&bizprint_debug_mode=1
      

7. Expected Results

  • Response: The server returns a success code (e.g., {"success": true} or 1).
  • State Change: The plugin's configuration in the wp_options table is updated with the attacker's values.
  • Unauthorized Access: The Contributor, who normally cannot access the settings page, has successfully modified site-wide plugin behavior.

8. Verification Steps

After sending the request, use WP-CLI to confirm the database was updated:

# Check if the option was changed to the payload value
wp option get bizprint_settings

9. Alternative Approaches

If no settings update is vulnerable, check for Unauthorized Triggering:

  1. Action: bizprint_test_print.
  2. Payload: Attempt to trigger a print job to an arbitrary printer ID.
  3. Verification: Check plugin logs or the printing queue for an unauthorized entry created by the Contributor user.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More (BizPrint) plugin for WordPress is vulnerable to unauthorized access in versions up to 4.6.7 because it lacks a capability check on its AJAX handlers. This allows authenticated attackers with Contributor-level permissions or higher to execute administrative functions, such as modifying plugin settings or triggering print jobs.

Vulnerable Code

// Inferred from research plan identification phase
// wp-content/plugins/print-google-cloud-print-gcp-woocommerce/ (likely AJAX handler file)

public function handle_save_settings() {
    // Missing: if (!current_user_can('manage_options')) wp_die();
    $settings = $_POST['settings'];
    update_option('bizprint_settings', $settings);
    wp_send_json_success();
}

Security Fix

--- a/print-google-cloud-print-gcp-woocommerce/includes/ajax-handler.php
+++ b/print-google-cloud-print-gcp-woocommerce/includes/ajax-handler.php
@@ -10,6 +10,10 @@
 public function handle_save_settings() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+        wp_die();
+    }
     $settings = $_POST['settings'];
     update_option('bizprint_settings', $settings);
     wp_send_json_success();
 }

Exploit Outline

To exploit this vulnerability, an attacker must first authenticate as a Contributor or higher. The attacker then retrieves a valid security nonce by inspecting the WordPress admin dashboard for localized script variables (e.g., `window.bizprint_vars.nonce`). Using this nonce, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to a vulnerable handler (such as `bizprint_save_settings`) and includes a payload designed to modify the `bizprint_settings` option. Since the plugin fails to verify the user's capabilities, it processes the request and updates the site's configuration.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.