BoomDevs WordPress Coming Soon <= 1.0.4 - Unauthenticated Information Exposure
Description
The BoomDevs WordPress Coming Soon Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.0.4This research plan outlines the investigation and exploitation of **CVE-2025-62083**, an unauthenticated information exposure vulnerability in the **BoomDevs WordPress Coming Soon** plugin. ### 1. Vulnerability Summary The BoomDevs WordPress Coming Soon plugin (versions <= 1.0.4) registers one or m…
Show full research plan
This research plan outlines the investigation and exploitation of CVE-2025-62083, an unauthenticated information exposure vulnerability in the BoomDevs WordPress Coming Soon plugin.
1. Vulnerability Summary
The BoomDevs WordPress Coming Soon plugin (versions <= 1.0.4) registers one or more AJAX handlers using the wp_ajax_nopriv_ hook without implementing proper capability checks (current_user_can) or adequate nonce validation. This allows an unauthenticated user to trigger functions that return sensitive data, likely the subscriber email list collected by the coming soon page or plugin configuration settings.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action (Inferred):
bwcs_export_subscribers,bwcs_get_subscribers, orbwcs_get_settings. (The prefixbwcs_is derived from the plugin's "Boom WordPress Coming Soon" naming convention). - Method:
POSTorGET(usuallyPOSTfor AJAX). - Authentication: None required (unauthenticated).
- Preconditions: The plugin must be active. For subscriber exposure, at least one email must have been submitted via the coming soon page.
3. Code Flow (Inferred)
- Initialization: During the
initorplugins_loadedhook, the plugin registers AJAX actions. - Hook Registration:
add_action('wp_ajax_nopriv_bwcs_export_subscribers', '...')is called, mapping a handler function to an unauthenticated AJAX request. - Missing Check: The handler function executes a database query (e.g.,
SELECT * FROM {$wpdb->prefix}bwcs_subscribers) or retrieves options viaget_option(). - Exposure: The function outputs the data directly (e.g., via
echoorfputcsv) and terminates withwp_die().
4. Nonce Acquisition Strategy
If the plugin attempts to use nonces for these unauthenticated actions, they are typically exposed via wp_localize_script to enable the AJAX functionality on the "Coming Soon" frontend.
Strategy:
- Identify Script Object: Grep for
wp_localize_scriptin the plugin directory to find the JavaScript object name (e.g.,bwcs_obj,bwcs_vars). - Activate Coming Soon: Ensure the plugin is in "Coming Soon" mode via WP-CLI:
wp option update bwcs_status 'active'(inferred option name). - Navigate to Homepage: Use
browser_navigateto visit the site root. - Extract Nonce: Use
browser_evalto extract the nonce:browser_eval("window.bwcs_obj?.nonce")orbrowser_eval("window.bwcs_vars?.ajax_nonce").
Note: If the handler uses wp_ajax_nopriv_ but fails to call check_ajax_referer or wp_verify_nonce, no nonce is required.
5. Exploitation Strategy
- Discovery: Use the execution agent to find the exact AJAX action:
grep -rn "wp_ajax_nopriv_" wp-content/plugins/coming-soon-by-boomdevs/ - Identify the Sink: Examine the function associated with the
noprivhook. Check if it returns subscriber data or settings. - Prepare the Request: Construct a
POSTrequest toadmin-ajax.php.- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Body:
action=[ACTION_NAME]&nonce=[NONCE_IF_FOUND]
- URL:
- Execute: Use
http_requestto send the payload.
6. Test Data Setup
To confirm information exposure, there must be information to expose:
- Enable Plugin:
wp plugin activate coming-soon-by-boomdevs - Create Custom Table (if needed): If the plugin doesn't auto-create the table, identify the table name from the source and insert a dummy subscriber.
- Example Table Name:
wp_bwcs_subscribers - Example Command:
wp db query "INSERT INTO wp_bwcs_subscribers (email) VALUES ('victim@example.com')"
- Example Table Name:
- Configuration: Ensure the "Coming Soon" mode is toggled ON in the settings so the frontend is accessible.
7. Expected Results
- Success: The response body contains sensitive data such as a list of email addresses in CSV format, a JSON object containing WordPress settings, or user-related metadata.
- Response Code:
200 OK. - Response Content-Type: Likely
text/csv,application/json, ortext/html.
8. Verification Steps
- Manual Database Comparison: Verify the data returned in the HTTP response matches the data in the database:
wp db query "SELECT * FROM wp_bwcs_subscribers" - Check for Nonce Enforcement: Retry the request with an invalid nonce or no nonce. If it still returns data, the vulnerability is even more severe (missing nonce check).
9. Alternative Approaches
If the bwcs_export_subscribers action does not exist, look for:
- Backup/Export Files: Grep for
exportordownloadto see if the plugin creates files inwp-content/uploads/with predictable names. - Settings Exposure: Some plugins use a generic "get settings" AJAX action for the admin dashboard but mistakenly hook it to
nopriv. Check for actions likebwcs_get_all_options. - User Enumeration: Check if the plugin exposes user IDs or names via localized scripts to populate "Author" sections on the coming soon page.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.