CP Image Store with Slideshow <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import

This research plan outlines the technical steps required to exploit CVE-2026-0684, a missing authorization vulnerability in the CP Image Store with Slideshow plugin.

---

1. Vulnerability Summary

The vulnerability exists in the cpis_admin_init function, which is hooked into WordPress's admin_init action. Due to a logic error in the authorization check, users with Contributor-level permissions (who possess the edit_posts capability) can trigger administrative functions intended for Administrators. Specifically, the product import logic fails to verify if the user has sufficient privileges (e.g., manage_options) before processing an XML-based product import.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin.php (or any admin page, as admin_init fires on all administrative requests).
• Hook: admin_init calling cpis_admin_init.
• Vulnerable Action: Product import via XML file processing.
• Authentication: Authenticated (Contributor-level or higher).
• Precondition: An XML file containing product data must already exist on the server (e.g., uploaded to the Media Library or residing in the uploads directory).

3. Code Flow (Inferred)

1. Entry: A request is made to an admin URL (e.g., wp-admin/admin.php?page=cp-image-store-import-products&...).
2. Hook: WordPress executes do_action('admin_init').
3. Plugin Callback: cpis_admin_init() is executed.
4. Authorization Check: The code likely contains a check such as if ( ! current_user_can( 'edit_posts' ) ) return;. Since Contributors have the edit_posts capability, they pass this check.
5. Import Logic: The function checks for specific parameters (e.g., cpis_import_xml and a file path/URL).
6. Sink: The plugin parses the XML file using simplexml_load_file() or similar and calls wp_insert_post() to create new "product" posts.

4. Nonce Acquisition Strategy

The plugin likely uses a nonce for the import action, typically localized for the admin menu page.

1. Identify Shortcode/Page: The import functionality is located in the admin dashboard.
2. Access Admin Page: As a Contributor, navigate to the plugin's settings or import page (if visible) or the main dashboard.
3. Extraction:
   • Target Page: /wp-admin/admin.php?page=cp-image-store (or the specific import page slug).
   • JS Variable: Look for cpis_obj or similar in the page source.
   • Execution:

     // Example guess based on common plugin patterns
     browser_eval("window.cpis_import_nonce || jQuery('#cpis_import_nonce').val()");
     

   • Note: If the check is in admin_init and forgets to verify the nonce entirely, this step may be unnecessary.

5. Exploitation Strategy

Step 1: Upload Malicious XML

A Contributor can upload files to the Media Library.

1. Create a file named exploit.xml:

   <?xml version="1.0" encoding="UTF-8"?>
   <products>
     <product>
       <title>Exploit Product</title>
       <description>Created via CVE-2026-0684</description>
       <price>0</price>
     </product>
   </products>
   

2. Upload via the Media Library and note the relative path (e.g., wp-content/uploads/202X/XX/exploit.xml).

Step 2: Trigger the Import

Send a request to trigger the cpis_admin_init logic.

• Request Method: POST or GET (depending on the implementation in cpis_admin_init).
• URL: http://vulnerable-wp.local/wp-admin/admin.php?page=cp-image-store-import (slug inferred).
• Parameters (Guesstimated):
  • action: cpis_import_xml_action
  • xml_path: ../uploads/202X/XX/exploit.xml (Path traversal might be needed if it expects an absolute path relative to the plugin dir).
  • _wpnonce: [Extracted Nonce]

Example HTTP Request:

POST /wp-admin/admin.php?page=cpis-import-slug HTTP/1.1
Host: vulnerable-wp.local
Content-Type: application/x-www-form-urlencoded
Cookie: [Contributor Cookies]

action=import&xml_file=wp-content/uploads/202X/XX/exploit.xml&_wpnonce=[NONCE]

6. Test Data Setup

1. Plugin Installation: Install cp-image-store version 1.1.9.
2. User Creation:

   wp user create attacker attacker@example.com --role=contributor --user_pass=password
   

3. Identify Post Type: Determine the custom post type used for products (likely cpis_product).

   wp post-type list
   

7. Expected Results

• The server responds with a 200 OK or 302 Redirect.
• The wp_posts table contains a new entry with the title "Exploit Product" and the custom post type associated with the plugin.
• The Contributor user successfully bypassed the "Administrator Only" restriction for product imports.

8. Verification Steps

1. Check for New Posts:

   wp post list --post_type=cpis_product --format=ids
   

2. Verify Content:

   wp post get [NEW_ID] --field=post_title
   # Expected: "Exploit Product"
   

9. Alternative Approaches

• Path Traversal: If the plugin expects the XML file to be within its own directory, attempt to use ../ in the xml_file parameter to point to the uploads directory.
• Remote XML: Check if the plugin accepts a URL instead of a local path (SSRF potential). If simplexml_load_file() is used without disabling external entities, check for XXE (XML External Entity) vulnerabilities as well.
• Parameter Bruteforce: If the admin_init parameter names are unknown, search the plugin source code for $_GET or $_POST inside the file containing cpis_admin_init.