Blockons <= 1.2.15 - Missing Authorization
Description
The Blockons plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.15. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.2.15# Exploitation Research Plan: CVE-2025-14360 (Blockons Missing Authorization) ## 1. Vulnerability Summary The **Blockons** plugin (versions <= 1.2.15) contains a missing authorization vulnerability. A specific function, likely registered as an AJAX handler or a REST API endpoint, performs a sensiti…
Show full research plan
Exploitation Research Plan: CVE-2025-14360 (Blockons Missing Authorization)
1. Vulnerability Summary
The Blockons plugin (versions <= 1.2.15) contains a missing authorization vulnerability. A specific function, likely registered as an AJAX handler or a REST API endpoint, performs a sensitive action without verifying the user's capabilities (e.g., via current_user_can()). This allows unauthenticated attackers to trigger the function by sending a crafted request to admin-ajax.php or the REST API.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(inferred) - Action: Likely related to block settings, data processing, or an administrative task (inferred).
- Authentication: Unauthenticated (as per CVSS vector
PR:N). - Preconditions: The plugin must be active. If the function requires a nonce, it must be exposed on the frontend.
3. Code Flow (Inferred)
- Entry Point: The attacker sends a POST request to
admin-ajax.phpwith a specificactionparameter. - Hook Registration: The plugin registers the action using
add_action('wp_ajax_nopriv_{action}', ...)oradd_action('wp_ajax_{action}', ...). - Vulnerable Function: The callback function is executed.
- Missing Check: The function fails to call
current_user_can('manage_options')(or a similar check) before proceeding with the logic (e.g., updating options, sending emails, or modifying database entries). - Sink: An unauthorized state change occurs (e.g.,
update_option(),wp_insert_post(), orwp_mail()).
4. Nonce Acquisition Strategy
If the function uses check_ajax_referer() or wp_verify_nonce(), the nonce must be retrieved from the frontend.
- Identify the Action: Search the plugin code for the vulnerable AJAX action.
grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/blockons/ - Locate Nonce Exposure: Find where the nonce is localized for the frontend.
grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/blockons/ - Identify the Shortcode: Determine which block/shortcode enqueues the script containing the nonce.
- Create a Trigger Page:
wp post create --post_type=page --post_status=publish --post_title="Exploit Page" --post_content='[blockons_shortcode_found_above]' - Extract Nonce via Browser:
- Navigate to the page.
- Use
browser_evalto extract the nonce from the JS object (e.g.,window.blockons_vars?.nonce).
5. Exploitation Strategy
Step 1: Reconnaissance
Find the unauthenticated AJAX action and its corresponding function.
grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/blockons/
Note: If multiple actions exist, look for ones involving settings, email, or data management.
Step 2: Extract Parameters
Analyze the function body to find required parameters (e.g., $_POST['config'], $_POST['data']).
Step 3: Craft and Send Payload
Use the http_request tool to trigger the action.
Example Request:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action={vulnerable_action}&nonce={extracted_nonce}¶m1=malicious_value
6. Test Data Setup
- Install Plugin:
wp plugin install blockons --version=1.2.15 --activate - Configuration: (If needed) Configure a block in the editor to ensure its AJAX functionality is active.
7. Expected Results
- The server responds with a
200 OKor a JSON success message (e.g.,{"success": true}). - The unauthorized action is performed (e.g., a setting is changed in the
wp_optionstable).
8. Verification Steps
After the HTTP request, verify the impact using WP-CLI:
# Check if a specific option was changed
wp option get {option_name}
# Check for new posts or data
wp post list --post_type={type}
9. Alternative Approaches
- REST API: If no AJAX actions are unauthenticated, check for REST routes registered with
permission_callbackset to__return_true.grep -rn "register_rest_route" /var/www/html/wp-content/plugins/blockons/ - Admin Init Bypass: Look for functions hooked to
admin_initthat process$_POSTdata without acurrent_user_can()check. These can often be triggered by any logged-in user or sometimes even unauthenticated users visitingadmin-ajax.php.
Summary
The Blockons plugin for WordPress is vulnerable to unauthorized access in versions up to and including 1.2.15 due to a missing capability check on a sensitive function. This allows unauthenticated attackers to trigger administrative or sensitive actions by sending crafted requests to the plugin's AJAX or REST API endpoints.
Exploit Outline
1. Identify the vulnerable unauthenticated AJAX action by searching the plugin's source for hooks registered via 'wp_ajax_nopriv_'. 2. Locate the JavaScript variable where the plugin exposes an AJAX nonce to the frontend (typically via 'wp_localize_script'). 3. Visit a public page where the Blockons block or shortcode is active to extract the valid nonce from the page source. 4. Construct a POST request to '/wp-admin/admin-ajax.php' containing the 'action' parameter associated with the vulnerable function, the extracted 'nonce', and any required data parameters identified in the function body. 5. Send the request to perform the unauthorized action, such as modifying plugin configurations or manipulating database entries.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.