Claspo – Popups, Spin the Wheel & Email Capture <= 1.0.7 - Missing Authorization
Description
The Claspo – Popups, Spin the Wheel & Email Capture plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.7Source Code
WordPress.org SVNThis research plan focuses on identifying and exploiting the **Missing Authorization** vulnerability in the **Claspo** plugin (CVE-2025-68568). Since source files are not provided, the plan relies on typical WordPress plugin patterns for SaaS integrations and flags inferred identifiers for verificat…
Show full research plan
This research plan focuses on identifying and exploiting the Missing Authorization vulnerability in the Claspo plugin (CVE-2025-68568). Since source files are not provided, the plan relies on typical WordPress plugin patterns for SaaS integrations and flags inferred identifiers for verification.
1. Vulnerability Summary
The Claspo plugin (<= 1.0.7) registers one or more AJAX or REST API handlers intended for administrative configuration (such as connecting a Claspo account or updating settings). However, these handlers are either hooked to wp_ajax_nopriv_* (accessible to unauthenticated users) or registered as REST routes without a permission_callback. Critically, the callback functions lack a current_user_can() check, allowing any visitor to modify plugin settings.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php(Most likely for this plugin type). - Action: Likely
claspo_save_settings,claspo_update_config, orclaspo_set_account_id(inferred). - Parameter: A setting key (e.g.,
account_id,api_key,script_id) and its value. - Authentication: None (Unauthenticated).
- Precondition: The plugin must be active. If the endpoint requires a nonce, the researcher must identify a page where the nonce is exposed.
3. Code Flow (Inferred)
- Entry Point: An unauthenticated user sends a POST request to
admin-ajax.phpwith anactionparameter registered viaadd_action('wp_ajax_nopriv_[ACTION_NAME]', ...). - Hook Registration: The plugin likely registers the hook in the main plugin file or an admin/ajax controller (e.g.,
includes/class-claspo-ajax.php). - Vulnerable Callback: The callback function (e.g.,
save_account_data) retrieves data from$_POST. - Missing Check: The function performs the action (e.g.,
update_option('claspo_account_id', $_POST['id'])) without verifyingcurrent_user_can('manage_options'). - Sink:
update_option()orwpdb::query()updates the site configuration.
4. Nonce Acquisition Strategy
If the handler uses check_ajax_referer or wp_verify_nonce, the nonce must be retrieved from the frontend.
- Identify JS Localization: Search the codebase for
wp_localize_script.grep -r "wp_localize_script" .
- Identify the Object and Key: Look for the variable name (e.g.,
claspo_obj) and the nonce key (e.g.,ajax_nonce). - Trigger Script Loading: Determine if the script only loads on pages with the Claspo popup.
- If a shortcode is required, create a page:
wp post create --post_type=page --post_status=publish --post_content='[claspo]'(inferred shortcode).
- If a shortcode is required, create a page:
- Extraction:
- Navigate to the page:
browser_navigate("http://localhost:8080/test-page") - Extract:
browser_eval("window.claspo_obj?.ajax_nonce")(Replaceclaspo_objandajax_noncewith actual names found in Step 1).
- Navigate to the page:
5. Exploitation Strategy
Step 1: Discovery
Find the vulnerable hook and the configuration parameter it modifies.
# Find nopriv AJAX hooks
grep -rn "wp_ajax_nopriv_" .
# Examine the callback function for the first match
# Example: If 'wp_ajax_nopriv_claspo_save' is found, check its callback
Step 2: Identify the Payload
Look for update_option or update_user_meta inside the callback to see what parameters are accepted.
- Expected parameters:
action,nonce(if applicable), and the setting (e.g.,claspo_id).
Step 3: Execute Unauthorized Modification
Using the http_request tool, attempt to change the Claspo Account ID to an arbitrary value (e.g., 13371337).
Request Template:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=[INFERRED_ACTION]&[SETTING_PARAM]=13371337&nonce=[EXTRACTED_NONCE]
6. Test Data Setup
- Install & Activate: Ensure Claspo <= 1.0.7 is active.
- Initial State: Check the current account ID (if any) via WP-CLI:
wp option get claspo_account_id(inferred option name).
- Public Page: Create a page that might expose a nonce if the plugin enqueues scripts on the frontend.
7. Expected Results
- Response: The server returns a
200 OK(often with1or a JSON success message). - Effect: The plugin setting is updated in the database without any administrator interaction.
- Security Impact: An attacker can replace the legitimate Claspo script with their own, enabling XSS (via the Claspo popup service) on the entire site.
8. Verification Steps
After the exploit attempt, verify the change using WP-CLI:
# Check the option value
wp option get claspo_account_id
# If the result is '13371337', the exploit was successful.
9. Alternative Approaches
- REST API: If no AJAX
noprivhooks are found, search forregister_rest_route.grep -rn "register_rest_route" .- Check for routes missing the
permission_callbackor using__return_true. - Target the POST/PUT method for those routes.
- Admin Init: Check if a function is hooked to
admin_init. Note thatadmin_initruns foradmin-ajax.phpeven for unauthenticated users. If the function processes$_POSTand doesn't check capabilities, it is vulnerable.grep -rn "add_action.*admin_init" .
Summary
The Claspo plugin for WordPress (<= 1.0.7) is vulnerable to unauthorized access due to missing capability checks on its configuration-handling functions. This allows unauthenticated attackers to perform unauthorized actions, such as modifying the plugin's settings and account identifiers, which can lead to the injection of arbitrary scripts on the site via the Claspo service.
Exploit Outline
The exploit involves identifying an unauthenticated AJAX action registered via 'wp_ajax_nopriv_' or a REST API route lacking a 'permission_callback'. An attacker identifies the action used for saving plugin configuration (e.g., 'claspo_save_settings') and any necessary nonces, which are often found localized in JavaScript on the frontend. The attacker then sends a POST request to '/wp-admin/admin-ajax.php' (or the REST endpoint) containing the target action and the desired parameter to be updated, such as an 'account_id'. This allows the attacker to replace the site owner's Claspo account with their own, enabling them to control popups and capture visitor data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.