Cryptocurrency Donation Box – Bitcoin & Crypto Donations <= 2.2.13 - Missing Authorization
Description
The Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.13. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 2.2.13
This research plan outlines the steps required to analyze and exploit CVE-2026-39691, a missing authorization vulnerability in the "Cryptocurrency Donation Box" plugin.
1. Vulnerability Summary
The Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin (up to 2.2.13) registers AJAX handlers that perform sensitive actions (likely updating wallet addresses or plugin settings) without properly checking the user's capabilities. Specifically, if a function is hooked to wp_ajax_nopriv_, it is accessible to unauthenticated users. If it is only hooked to wp_ajax_ but lacks a current_user_can() check, it is accessible to any logged-in user (subscriber-level). The description "unauthenticated attackers" strongly suggests the existence of a wp_ajax_nopriv_ hook or a failure in the initial check that allows the request to proceed.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: cb_save_settings or cryptobox_ajax_update (inferred based on plugin naming conventions)
- Vulnerable Parameter: $_POST data containing wallet addresses (e.g., btc_address, eth_address) or general plugin settings.
- Authentication: Unauthenticated (via wp_ajax_nopriv_) or low-privileged users.
- Preconditions: A valid WordPress nonce for the specific AJAX action may be required, although the core issue is the lack of authorization (capability check) after the nonce is verified.
3. Code Flow (Inferred)
- Entry Point: The plugin registers an AJAX handler during init or admin_init: add_action( 'wp_ajax_nopriv_cb_save_settings', 'cb_save_settings_callback' ); (inferred)
- Handler: The function cb_save_settings_callback() is called.
- Missing Check: The function likely calls check_ajax_referer() (nonce check) but fails to call current_user_can( 'manage_options' ).
- Sink: The function processes $_POST data and updates WordPress options using update_option() or update_post_meta().
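The code flow above is the pattern a site owner or plugin reviewer needs to find: a wp_ajax_ or wp_ajax_nopriv_ registration whose callback checks a nonce but never calls current_user_can(). The following Python script is an added example, not code from the plugin or from this advisory. It scans PHP source for add_action() registrations of that shape, locates each callback's body, and reports handlers with no capability check; a nopriv hook without one is rated high because, as the advisory notes, the nonce is exposed on the public frontend and does not substitute for authorization. SAMPLE_PLUGIN_SOURCE and the two handler functions in it are constructed for the demonstration and mirror the inferred handler, and the script assumes callbacks are registered as plain function-name strings (not closures or array callbacks) and that function bodies contain no unbalanced braces inside string literals.

```python
"""Static audit for WordPress AJAX handlers that lack a capability check.
Added example; assumes string-named callbacks and brace-balanced bodies."""
import re
import sys
from pathlib import Path

# Constructed sample source (not the real plugin): one handler that only
# checks the nonce, one that also checks the capability, for contrast.
SAMPLE_PLUGIN_SOURCE = r"""
<?php
add_action( 'wp_ajax_nopriv_cb_save_settings', 'cb_save_settings_callback' );
add_action( 'wp_ajax_cb_save_settings', 'cb_save_settings_callback' );
add_action( 'wp_ajax_cb_export_settings', 'cb_export_settings_callback' );

function cb_save_settings_callback() {
    check_ajax_referer( 'cb_ajax_nonce', 'security' );
    if ( isset( $_POST['btc_address'] ) ) {
        update_option( 'cb_btc_address', sanitize_text_field( $_POST['btc_address'] ) );
    }
    wp_send_json_success();
}

function cb_export_settings_callback() {
    check_ajax_referer( 'cb_ajax_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    wp_send_json_success( get_option( 'cb_btc_address' ) );
}
"""

# Matches add_action( 'wp_ajax_[nopriv_]<action>', '<callback>' )
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]"""
)


def function_body(source, name):
    """Return the brace-delimited body of `function name(...)`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not m:
        return None
    start = source.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start:i + 1]
    return None


def audit_ajax_handlers(source):
    """Classify every wp_ajax hook registration found in `source`."""
    findings = []
    for m in HOOK_RE.finditer(source):
        nopriv, action, callback = m.group(1) is not None, m.group(2), m.group(3)
        body = function_body(source, callback)
        has_nonce = body is not None and ("check_ajax_referer" in body or "wp_verify_nonce" in body)
        has_cap = body is not None and "current_user_can" in body
        if body is None:
            severity = "unknown"   # callback not found in the scanned source
        elif has_cap:
            severity = "ok"
        elif nopriv:
            severity = "high"      # reachable without login; a public nonce is no authorization
        else:
            severity = "medium"    # any logged-in user (e.g. Subscriber) can reach it
        findings.append({
            "action": action, "callback": callback, "unauthenticated": nopriv,
            "has_nonce_check": has_nonce, "has_capability_check": has_cap,
            "severity": severity,
        })
    return findings


def audit_plugin_directory(path):
    """Audit all .php files under `path` as one unit, since registrations and
    callbacks often live in different files."""
    files = sorted(Path(path).rglob("*.php"))
    source = "\n".join(p.read_text(encoding="utf-8", errors="replace") for p in files)
    return audit_ajax_handlers(source)


if __name__ == "__main__":
    # Usage: python audit_ajax.py /path/to/wp-content/plugins/<plugin>  (or no argument for the sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_plugin_directory(target) if target else audit_ajax_handlers(SAMPLE_PLUGIN_SOURCE)
    for f in results:
        hook = "wp_ajax_nopriv_" if f["unauthenticated"] else "wp_ajax_"
        print(f'{f["severity"]:7} {hook}{f["action"]} -> {f["callback"]}() '
              f'nonce={f["has_nonce_check"]} capability={f["has_capability_check"]}')
```

Run against the sample it reports the nopriv registration of cb_save_settings as high, the authenticated registration of the same callback as medium, and cb_export_settings as ok. A "high" or "medium" hit is a lead for manual review, not a confirmed finding: some handlers legitimately serve anonymous users (e.g. read-only data for the donation box) and need no capability check, so the question for each hit is whether the body writes anything an unprivileged caller must not control.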
4. Nonce Acquisition Strategy
If the plugin enforces a nonce, it is typically exposed on the frontend where the donation box is displayed.
- Identify Shortcode: The plugin uses the shortcode [cryptocurrency_donation_box] (inferred) to display the box.
- Create Test Page: wp post create --post_type=page --post_status=publish --post_title="Donation" --post_content='[cryptocurrency_donation_box]'
- Identify Localization Key: Search the codebase for wp_localize_script. The variable name is likely cb_ajax_obj or cryptobox_vars.
- Extract via Browser: Navigate to the newly created page and execute browser_eval("window.cb_ajax_obj?.nonce") (inferred), or check the HTML source for a hidden input field with id="cb_nonce".
5. Exploitation Strategy
This plan assumes the attacker aims to hijack donations by replacing the legitimate BTC address with an attacker-controlled one.
Step 1: Discover Action and Nonce Key
Search the plugin directory for the AJAX registration: grep -rn "wp_ajax_nopriv" .
Find the associated function and identify the nonce action string used in check_ajax_referer('action_string', 'param_name').
Step 2: Prepare Payload
- URL: http://<target>/wp-admin/admin-ajax.php
- Method: POST
- Headers: Content-Type: application/x-www-form-urlencoded
- Body: action=cb_save_settings&cb_nonce=NONCE_VALUE&btc_address=1AttackerAddressHere&eth_address=0xAttackerAddressHere (parameters inferred)
Step 3: Execute Request
Use the http_request tool to send the POST payload.
6. Test Data Setup
- Install Plugin: Ensure cryptocurrency-donation-box version 2.2.13 is installed.
- Initial Configuration: Configure a legitimate BTC address in the plugin settings via the admin UI.
- Public Page: Create a page with the shortcode [cryptocurrency_donation_box] to ensure scripts and nonces are generated.
7. Expected Results
- Response: The server returns a 200 OK or a JSON success message (e.g., {"success":true}).
- Outcome: The plugin's settings are updated in the database without any administrator interaction.
- Frontend Change: When viewing the donation page, the "Bitcoin Address" displayed in the donation box now shows the attacker's address.
8. Verification Steps
- Check Options Table: Use WP-CLI to verify the option value: wp option get cb_btc_address (inferred). Verify it matches 1AttackerAddressHere.
- Frontend Inspection: browser_navigate("http://<target>/donation-page/") and inspect the donation box element to confirm the displayed address has changed.
9. Alternative Approaches
- Missing Nonce: If check_ajax_referer is entirely missing, the exploit is a trivial POST request with no nonce required.
- Different Actions: Search for other wp_ajax_nopriv actions such as cb_delete_log, cb_update_wallet, or cb_export_settings which might leak information or allow site disruption.
- Subscriber Access: If wp_ajax_nopriv is not present, test the wp_ajax_ (authenticated) version using a Subscriber account to see if the capability check is still missing.
Summary
The Cryptocurrency Donation Box plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check in its AJAX handlers. This allows unauthenticated attackers to hijack donations by replacing legitimate cryptocurrency wallet addresses with their own via the admin-ajax.php endpoint.
Vulnerable Code
```php
// Inferred registration and handler structure based on research plan
// File: cryptocurrency-donation-box.php (inferred location)
add_action( 'wp_ajax_nopriv_cb_save_settings', 'cb_save_settings_callback' );
add_action( 'wp_ajax_cb_save_settings', 'cb_save_settings_callback' );

function cb_save_settings_callback() {
    // Nonce check may be present but authorization is not
    check_ajax_referer( 'cb_ajax_nonce', 'security' );

    // Missing current_user_can( 'manage_options' ) check
    if ( isset( $_POST['btc_address'] ) ) {
        update_option( 'cb_btc_address', sanitize_text_field( $_POST['btc_address'] ) );
    }
    // ... other settings updates ...
    wp_send_json_success();
}
```
Security Fix
@@ -10,6 +10,10 @@ function cb_save_settings_callback() { check_ajax_referer( 'cb_ajax_nonce', 'security' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( 'Forbidden', 403 ); + } + if ( isset( $_POST['btc_address'] ) ) { update_option( 'cb_btc_address', sanitize_text_field( $_POST['btc_address'] ) ); }
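Review bot: The added guard is placed correctly, after check_ajax_referer() and before the first update_option() call, and wp_send_json_error( 'Forbidden', 403 ) terminates the request, so no explicit return is needed after it. What the hunk leaves in place is the add_action( 'wp_ajax_nopriv_cb_save_settings', ... ) registration shown in the Vulnerable Code section: an anonymous caller can never hold manage_options, so that hook now only serves to route unauthenticated traffic into a handler that rejects it, and it should be removed in the same change so the settings handler is reachable solely through wp_ajax_cb_save_settings. Also worth a comment in the code: the nonce check alone is not authorization, since the nonce is handed out on the public donation page.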
Exploit Outline
1. Nonce Extraction: Navigate to any page on the target site where the donation box shortcode [cryptocurrency_donation_box] is active. Extract the security nonce from the frontend, typically found in the localized JavaScript object (e.g., cb_ajax_obj.nonce) or as a hidden input field.
2. Target Endpoint: Use the WordPress AJAX endpoint at /wp-admin/admin-ajax.php.
3. Craft Payload: Construct a POST request containing the vulnerable action (e.g., action=cb_save_settings), the extracted nonce, and the parameters for the wallet addresses the attacker wishes to overwrite (e.g., btc_address=1AttackerAddress).
4. Unauthorized Execution: Send the request. Since the handler is registered with wp_ajax_nopriv_ and lacks a capability check like current_user_can('manage_options'), the server will update the plugin options in the database, effectively redirecting future donations to the attacker.