CVE-2025-63019

Cookies and Content Security Policy <= 2.34 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.35
Patched in
15d
Time to patch

Description

The Cookies and Content Security Policy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.34. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.34
PublishedJanuary 5, 2026
Last updatedJanuary 19, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets **CVE-2025-63019**, an unauthenticated information exposure vulnerability in the **Cookies and Content Security Policy** plugin. Since specific source code was not provided, the plan is built on standard WordPress plugin patterns and common implementation flaws for this cl…

Show full research plan

This research plan targets CVE-2025-63019, an unauthenticated information exposure vulnerability in the Cookies and Content Security Policy plugin. Since specific source code was not provided, the plan is built on standard WordPress plugin patterns and common implementation flaws for this class of vulnerability.


1. Vulnerability Summary

The Cookies and Content Security Policy plugin (up to version 2.34) fails to restrict access to certain functions that return configuration or user data. This typically occurs because a developer registers an AJAX handler using the wp_ajax_nopriv_ hook but omits a current_user_can() capability check inside the callback function. Consequently, any unauthenticated user can trigger the action and receive a response containing sensitive site configuration or internal data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: To be determined via discovery (likely prefixed with ccsp_ or cookies_csp_, e.g., ccsp_get_settings, ccsp_export_configs).
  • Method: POST or GET (usually POST for AJAX).
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. Some exposures may require specific settings to be populated (e.g., CSP rules or cookie scan results).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers a hook:
    add_action('wp_ajax_nopriv_VULNERABLE_ACTION', 'vulnerable_callback_function');
  2. Trigger: An unauthenticated request is sent to admin-ajax.php?action=VULNERABLE_ACTION.
  3. Vulnerable Sink: The vulnerable_callback_function is executed.
  4. Missing Check: The function lacks a current_user_can('manage_options') or similar authorization check.
  5. Data Exposure: The function calls get_option('plugin_setting_name') or queries the database and immediately returns the result via wp_send_json() or echo.

4. Nonce Acquisition Strategy

If the vulnerable endpoint verifies a nonce via check_ajax_referer() or wp_verify_nonce(), the nonce must be retrieved from the frontend.

  1. Identify Localization: Search for wp_localize_script in the plugin directory to find where the nonce is sent to the browser.
    • grep -rn "wp_localize_script" .
  2. Determine Page Trigger: Identify which shortcode or page loads the script. Look for add_shortcode or wp_enqueue_script calls.
  3. Extraction:
    • Create a page containing the identified shortcode:
      wp post create --post_type=page --post_status=publish --post_content='[ccsp_shortcode_name]'
    • Navigate to the page using browser_navigate.
    • Extract the nonce from the JavaScript object:
      browser_eval("window.ccsp_params?.nonce") (Replace ccsp_params and nonce with the actual keys found in step 1).

5. Exploitation Strategy

Step 1: Discovery of Vulnerable Actions

Locate all unauthenticated AJAX handlers:

grep -rn "wp_ajax_nopriv_" .

Examine the callback functions for these actions. Focus on functions that:

  • Do NOT contain current_user_can.
  • DO contain get_option, get_users, or $wpdb->get_results.

Step 2: Identify Sensitive Data

Check if the leaked data contains:

  • ccsp_settings: May contain sensitive CSP headers or internal paths.
  • ccsp_cookie_log: Might contain user-related cookie data.
  • API keys for external scanners (if integrated).

Step 3: Execution

Construct the HTTP request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=VULNERABLE_ACTION&nonce=EXTRACTED_NONCE

6. Test Data Setup

  1. Install Plugin: Ensure version <= 2.34 is installed.
  2. Configure Plugin: Enter dummy but recognizable data into the plugin settings (e.g., a custom CSP policy like default-src 'self' https://attacker-controlled.com).
  3. Shortcode Page: If a nonce is required, create a page:
    wp post create --post_type=page --post_status=publish --post_title="CSP Test" --post_content="[cookies_and_content_security_policy]" (Verify actual shortcode name via grep).

7. Expected Results

A successful exploit will return a 200 OK response with a JSON body or raw text containing the plugin's configuration, database rows, or site metadata that should only be visible to administrators.

Example response:

{
  "success": true,
  "data": {
    "csp_rules": "default-src 'self'...",
    "admin_email": "admin@example.com",
    "internal_paths": "/var/www/html/..."
  }
}

8. Verification Steps

  1. Compare with DB: Run a WP-CLI command to verify the leaked data matches the database:
    wp option get ccsp_settings --format=json
  2. Check Access Level: Confirm that performing the same http_request without a logged-in session cookie still returns the data.

9. Alternative Approaches

  • REST API Check: The plugin might expose data via the REST API instead of AJAX.
    • Search for: register_rest_route
    • Check for: 'permission_callback' => '__return_true' or missing callback.
  • Export File Access: Check if the plugin generates temporary export files in wp-content/uploads/ that are guessable (e.g., ccsp-export-timestamp.json).
    • Search for: file_put_contents or wp_upload_bits.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Cookies and Content Security Policy plugin for WordPress fails to implement authorization checks on certain AJAX handlers registered with the wp_ajax_nopriv_ hook. This allows unauthenticated attackers to trigger sensitive functions that return site configuration or internal logs.

Exploit Outline

The exploit targets the WordPress AJAX endpoint to trigger functions that lack proper authorization. 1. **Discovery**: The attacker identifies unauthenticated AJAX actions by searching the plugin source for 'wp_ajax_nopriv_' hooks without accompanying 'current_user_can()' capability checks in their callback functions. 2. **Nonce Retrieval**: If the action is protected by a nonce, the attacker visits the frontend of the site (or a specific page using the plugin's shortcode) to extract the nonce from the localized JavaScript objects (e.g., via 'wp_localize_script'). 3. **Extraction**: The attacker sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to the vulnerable hook (e.g., actions related to settings or logs) and the retrieved nonce. 4. **Authentication**: No authentication is required; the vulnerability is accessible to any visitor. 5. **Data Exposure**: The server responds with JSON or raw data containing sensitive configuration details, CSP rules, or internal site metadata.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.