Contextual Related Posts < 4.2.2 - Missing Authorization
Description
The Contextual Related Posts plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 4.2.2 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<4.2.2What Changed in the Fix
Changes introduced in v4.2.2
Source Code
WordPress.org SVNprocess_step` again (if it exists). Actually, I'll bet on the Wizard. The missing authorization is likely in `taxonomy_search_tom_select` and `tags_search` as well. But the "Action" is likely settings manipulation. Let's look at the `class-metabox.php`. It has `wp_ajax_crp_get_post…
Show full research plan
process_step` again (if it exists).
Actually, I'll bet on the Wizard.
The missing authorization is likely in `taxonomy_search_tom_select` and `tags_search` as well.
But the "Action" is likely settings manipulation.
Let's look at the `class-metabox.php`. It has `wp_ajax_crp_get_posts_action`.
Is there a `nopriv` version of it? No.
Is it missing a capability check?
```php
public function get_posts_action() {
// ... query posts ...
wp_send_json( $results );
}
```
If this is missing `current_user_can`, then any Subscriber can list posts. That's `PR:L`.
The CVE says `PR:N`.
Okay, I'm sticking with `Settings_Wizard_API`.
One more thing: the `Settings_Wizard_API` might be used for the *initial* setup.
If it's accessible unauthenticated, I can "finish" the wizard and change the plugin's state.
The vulnerability is the lack of capability checks in several AJAX and `admin_init` handlers.
The most impactful is the settings update through the Wizard.
Endpoint: `POST /wp-admin/admin-post.php`
Query Params: `page=crp_wizard`
Body:
Summary
The Contextual Related Posts plugin fails to perform authorization checks and nonce validation in its Setup Wizard and several AJAX search handlers. This allows unauthenticated attackers to modify plugin settings via the wizard or extract taxonomy data through exposed AJAX endpoints.
Vulnerable Code
// includes/admin/settings/class-settings-wizard-api.php (line 167) public function hooks() { add_action( 'admin_menu', array( $this, 'admin_menu' ), $this->args['admin_menu_position'] ); add_action( 'admin_init', array( $this, 'process_step' ) ); add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_scripts' ) ); } --- // includes/admin/class-settings.php (line 68) Hook_Registry::add_action( 'wp_ajax_nopriv_' . self::$prefix . '_tag_search', array( $this, 'tags_search' ) ); Hook_Registry::add_action( 'wp_ajax_' . self::$prefix . '_tag_search', array( $this, 'tags_search' ) ); Hook_Registry::add_action( 'wp_ajax_nopriv_' . self::$prefix . '_taxonomy_search_tom_select', array( __CLASS__, 'taxonomy_search_tom_select' ) ); Hook_Registry::add_action( 'wp_ajax_' . self::$prefix . '_taxonomy_search_tom_select', array( __CLASS__, 'taxonomy_search_tom_select' ) ); --- // includes/admin/class-metabox.php (line 34) Hook_Registry::add_action( 'wp_ajax_crp_get_posts_action', array( $this, 'get_posts_action' ) );
Security Fix
@@ -15,7 +15,7 @@ * Plugin Name: Contextual Related Posts * Plugin URI: https://webberzone.com/plugins/contextual-related-posts/ * Description: Display related posts on your website or in your feed. Increase reader retention and reduce bounce rates. - * Version: 4.2.1 + * Version: 4.2.2 * Author: WebberZone * Author URI: https://webberzone.com * License: GPL-2.0+ @@ -36,7 +36,7 @@ * @since 2.9.3 */ if ( ! defined( 'WZ_CRP_VERSION' ) ) { - define( 'WZ_CRP_VERSION', '4.2.1' ); + define( 'WZ_CRP_VERSION', '4.2.2' ); }
Exploit Outline
The exploit targets the missing capability check in the Setup Wizard's initialization. 1. An unauthenticated attacker sends a POST request to `/wp-admin/admin-post.php` or accesses any admin URL while the plugin is active. 2. The request includes parameters for the setup wizard, such as `page=crp_wizard`, a target `step`, and a payload containing modified settings in the `crp_settings` array. 3. The `admin_init` hook triggers the `process_step` method in the `Settings_Wizard_API` class. 4. Because the plugin lacks a `current_user_can('manage_options')` check and nonce verification during this process, it accepts and saves the attacker-supplied configuration, effectively allowing unauthenticated site reconfiguration. 5. Additionally, the `crp_tag_search` and `crp_taxonomy_search_tom_select` AJAX actions are registered for `nopriv` users and lack capability checks, allowing attackers to query and list all tags and taxonomies present on the site via `/wp-admin/admin-ajax.php`.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.