CVE-2026-24589

Cargus <= 1.5.8 - Unauthenticated Information Exposure

Severity: Medium
Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Patched in: 1.5.9
Time to patch: 60d

Description

The Cargus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Technical Details

Affected versions: <= 1.5.8
Published: January 17, 2026
Last updated: March 17, 2026
Affected plugin: cargus

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-24589 (Cargus Information Exposure)

1. Vulnerability Summary

The Cargus plugin (versions <= 1.5.8) contains an unauthenticated information exposure vulnerability. The plugin registers several AJAX handlers using the wp_ajax_nopriv_ hook (accessible to unauthenticated users) which return sensitive configuration data or system logs. These handlers lack proper capability checks (e.g., current_user_can('manage_options')) and may either lack nonce verification or use nonces that are easily obtainable by visitors.

The exposure likely resides in diagnostic or helper functions designed to assist in shipping configuration, which unintentionally leak API credentials, shipping logs, or user-related data.

2. Attack Vector Analysis

  • Endpoint: https://<target>/wp-admin/admin-ajax.php
  • Action: cargus_get_log or cargus_get_config (inferred names based on common diagnostic exposure patterns in shipping plugins).
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active. For log exposure, a log file must have been generated (usually via prior API interactions).

3. Code Flow

  1. Entry Point: The plugin registers AJAX hooks in the main plugin file or an AJAX controller (e.g., includes/class-cargus-ajax.php or includes/class-cargus.php).
    • Action: add_action('wp_ajax_nopriv_cargus_get_log', array($this, 'get_log'));
    • Action: add_action('wp_ajax_nopriv_cargus_get_config', array($this, 'get_config'));
  2. Handler Execution: When a request is made to admin-ajax.php?action=cargus_get_log, the get_log method is executed.
  3. Vulnerable Sink:
    • The handler likely calls file_get_contents() on a path defined by a constant like CARGUS_LOG_FILE or plugin_dir_path() . 'cargus.log'.
    • Or, it calls get_option('cargus_settings') and returns the JSON-encoded array, which contains API usernames, passwords, and API keys.
  4. Missing Protection: The code does not verify that the requester has administrative privileges before outputting the sensitive data.
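To make the "missing protection" concrete, here is an added illustrative example (not the Cargus plugin's source) showing the handler pattern this section describes beside a hardened version. The action name cargus_get_config and the option name cargus_settings are the plan's inferred names, and the script handle and settings-page hook suffix are assumptions.

```php
<?php
// Added illustrative example, not the Cargus plugin's code. cargus_get_config and
// cargus_settings are the research plan's inferred names and are assumptions here.

// VULNERABLE PATTERN: registered on the nopriv hook, no capability check, and the
// whole settings array (including any API credentials) is echoed to any visitor.
add_action( 'wp_ajax_nopriv_cargus_get_config', 'vuln_cargus_get_config' );
function vuln_cargus_get_config() {
    wp_send_json( get_option( 'cargus_settings' ) );
}

// HARDENED PATTERN:
//  - registered only on wp_ajax_, so unauthenticated requests never reach it;
//  - verifies a nonce that is localized only on the admin settings screen;
//  - requires manage_options (a nonce proves intent, not privilege);
//  - returns an allow-listed subset of keys, never credential fields.
add_action( 'wp_ajax_cargus_get_config', 'safe_cargus_get_config' );
function safe_cargus_get_config() {
    // Third argument (die) is false so we can return a JSON error instead of "-1".
    if ( ! check_ajax_referer( 'cargus_admin_config', 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    $settings    = (array) get_option( 'cargus_settings', array() );
    // Only these keys may leave the server; api_key/username/password never do.
    $public_keys = array( 'default_service', 'default_parcel_weight', 'sandbox_mode' );
    wp_send_json_success( array_intersect_key( $settings, array_flip( $public_keys ) ) );
}

// The nonce is created only where an administrator can see it (the plugin's
// settings page), never on public pages such as checkout, so visitors cannot
// harvest it from a localized JavaScript object.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'settings_page_cargus' !== $hook_suffix ) { // assumed settings-page hook suffix
        return;
    }
    // 'cargus-admin' is an assumed script handle that must already be registered.
    wp_localize_script( 'cargus-admin', 'cargusAdmin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'cargus_admin_config' ),
    ) );
} );
```

For a quick audit of any plugin, every wp_ajax_nopriv_ registration should be matched against its handler to confirm the handler returns nothing beyond what an anonymous visitor legitimately needs.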

4. Nonce Acquisition Strategy

If the handlers verify a nonce using check_ajax_referer, the nonce is likely localized for use on the checkout page or shipping calculator.

  1. Identify Shortcode/Page: The Cargus plugin typically enqueues its scripts on the WooCommerce Checkout page or using a shortcode like [cargus_shipping_calc].
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Cargus Test" --post_content='[cargus_shipping_calc]'
    
    (Note: If it's WooCommerce-dependent, navigate to /checkout/).
  3. Extract Nonce: Use browser_eval to find the localization object. Look for common names like cargus_params, cargus_vars, or cargus_ajax.
    • Execution: browser_eval("window.cargus_params?.ajax_nonce")
  4. Check Verification Logic: If wp_verify_nonce($nonce, -1) or check_ajax_referer('cargus_action', 'security', false) (with die=false) is used, the check might be bypassable or easily satisfied.

5. Exploitation Strategy

Goal: Extract API Credentials or Communication Logs

  1. Identify the target action: Scan the plugin source for wp_ajax_nopriv_ actions that look diagnostic.
    • Target candidates: cargus_get_log, cargus_get_debug, cargus_view_config.
  2. Formulate HTTP Request:
    • Method: POST
    • URL: https://<target>/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=cargus_get_log&security=<NONCE_IF_NEEDED>
  3. Process Response: The response is expected to be a raw log file or a JSON object containing plugin settings.

6. Test Data Setup

  1. Install and activate the Cargus plugin (v1.5.8).
  2. Navigate to the plugin settings and enter dummy API credentials (e.g., User: vuln_user, Pass: vuln_pass, API Key: SECRET_12345).
  3. Trigger a shipping calculation or sync to ensure a log entry is created.
  4. Create a public page with the relevant shortcode to facilitate nonce extraction if necessary.

7. Expected Results

  • Success: The HTTP response contains the content of cargus.log or a JSON dump of the cargus_settings option.
  • Sensitive Data Found: Look for strings like "api_key", "password", "username", or Authorization: Basic ... in the response body.

8. Verification Steps

  1. WP-CLI Check: Verify the values returned in the exploit match the actual database values:
    wp option get cargus_settings
    
  2. File System Check: If a log was exposed, verify its location on disk:
    ls -l wp-content/plugins/cargus/logs/
    

9. Alternative Approaches

  • Direct Log Access: If the plugin doesn't use an AJAX handler but instead creates a log file in a predictable, web-accessible directory (e.g., wp-content/plugins/cargus/cargus_log.txt), attempt to fetch the file directly.
  • Parameter Manipulation: If an AJAX handler exists for fetching "cities" but has a secondary parameter for "type" or "source", try changing the source to "log" or "config" to see if it triggers different logic.
  • Search for permission_callback in REST: If the plugin registers REST routes, check wp-json/cargus/v1/... for endpoints where permission_callback is __return_true or missing.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Cargus plugin for WordPress (<= 1.5.8) exposes sensitive information, such as API credentials and system communication logs, through unauthenticated AJAX actions. Attackers can exploit this by targeting AJAX handlers registered with the nopriv hook that lack proper capability checks.

Exploit Outline

  1. Locate the AJAX endpoint at /wp-admin/admin-ajax.php.
  2. Identify the specific AJAX actions registered for unauthenticated users (nopriv), such as those intended for diagnostic logs (e.g., cargus_get_log) or configuration retrieval.
  3. If a nonce is required, visit the site's checkout page or any page containing the Cargus shipping calculator to extract the localized security nonce (e.g., from the cargus_params JavaScript object).
  4. Send a POST request to admin-ajax.php with the action parameter set to the diagnostic function and the required nonce.
  5. The server response will reveal sensitive data such as API keys, configuration settings, or raw communication logs containing user or shipping information.
