CTX Feed <= 6.6.18 - Missing Authorization
Description
The CTX Feed plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.6.18. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=6.6.18What Changed in the Fix
Changes introduced in v6.6.19
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-22461 ## 1. Vulnerability Summary The **CTX Feed** plugin for WordPress (versions up to 6.6.18) is vulnerable to unauthorized access due to missing authorization checks in its REST API implementation. The plugin registers a series of REST routes in `V5/API/Re…
Show full research plan
Exploitation Research Plan - CVE-2026-22461
1. Vulnerability Summary
The CTX Feed plugin for WordPress (versions up to 6.6.18) is vulnerable to unauthorized access due to missing authorization checks in its REST API implementation. The plugin registers a series of REST routes in V5/API/RestController.php but fails to consistently apply the get_item_permissions_check method as a permission_callback for several sensitive endpoints. This allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings or managing product feeds.
2. Attack Vector Analysis
- Endpoint:
POST /wp-json/ctxfeed/v1/settingsorPOST /wp-json/ctxfeed/v1/wp-options - REST Namespace:
ctxfeed/v1(Inferred fromWOO_FEED_API_NAMESPACEand the class folder structureV5/API/V1). - Method:
POST - Authentication: None (Unauthenticated)
- Preconditions: The plugin must be active. WooCommerce is typically required for the plugin to function.
3. Code Flow
- Route Registration: During
rest_api_init,RestController::instance()callsregister_api(). - Sub-class Initialization:
register_api()loops through a list of classes:AttributesMapping,CategoryMapping,DropDown,ManageFeeds,Settings,WPOptions, etc. - Route Definition: Each class (e.g.,
Settings::instance()) calls its ownregister_routes()method. - The Vulnerability: These sub-classes register routes using
register_rest_route()but either omit thepermission_callbackparameter or set it to a function that does not properly invoke theRestController::get_item_permissions_checklogic. - Request Execution: An unauthenticated HTTP request hits the endpoint. Because there is no
permission_callbackreturningfalse(or aWP_Error), the callback (e.g.,update_settings) is executed immediately. - Unauthorized Action: The callback performs a privileged action (like
update_option) without verifying the requester hasmanage_optionsormanage_woocommercecapabilities.
4. Nonce Acquisition Strategy
The WordPress REST API generally does not require a nonce for unauthenticated access unless the specific handler logic checks for one. Since this vulnerability involves a missing authorization check at the route level, the X-WP-Nonce header is not required for the exploit to succeed.
5. Exploitation Strategy
The goal is to modify a plugin setting to demonstrate unauthorized write access (Integrity: Low).
Step 1: Discover the settings structure
Attempt to read the current settings to identify valid keys.
- Request:
- Method:
GET - URL:
/wp-json/ctxfeed/v1/settings - Tool:
http_request
- Method:
Step 2: Modify a setting
We will target the disable_pixel or remarketing_id settings which are used in the tracking logic (FacebookTracker and GoogleTracker).
- Request:
- Method:
POST - URL:
/wp-json/ctxfeed/v1/settings - Headers:
Content-Type: application/json - Payload:
{"disable_pixel": "enable", "pixel_id": "exploited_id"} - Tool:
http_request
- Method:
Step 3: Verify the change
Check the response from Step 2 or repeat Step 1 to confirm the value has changed.
6. Test Data Setup
- Environment: Standard WordPress installation.
- Plugin: Install and activate
webappick-product-feed-for-woocommerceversion 6.6.18. - Dependency: WooCommerce must be active for the CTX Feed REST controllers to initialize correctly.
- Configuration: No specific feeds need to be created; the vulnerability exists in the global settings management.
7. Expected Results
- Success Indicator: The server returns an HTTP
200 OK. - Response Content: The response body should contain a JSON object with
status: 200and the updateddataarray showing the new setting values. - Example Response:
{ "status": 200, "data": { "disable_pixel": "enable", "pixel_id": "exploited_id", "..." : "..." } }
8. Verification Steps
After the HTTP request, use the wp_cli to confirm the persistent database change:
# Check the plugin settings option
wp option get woo_feed_settings --format=json
Verify that the pixel_id or disable_pixel keys match the payload sent in the exploit.
9. Alternative Approaches
If the settings endpoint is partially protected, attempt to exploit the wp-options endpoint:
- Endpoint:
POST /wp-json/ctxfeed/v1/wp-options - Payload:
{"option_name": "woo_feed_settings", "option_value": {"disable_pixel": "enable", "pixel_id": "exploited_alt"}}
If the objective is to impact feed availability, attempt to use the manage-feeds endpoint to delete an existing feed:
- Action:
DELETE /wp-json/ctxfeed/v1/manage-feeds/[FEED_ID](where FEED_ID is identified via a priorGET /wp-json/ctxfeed/v1/manage-feeds).
Summary
The CTX Feed plugin for WordPress is vulnerable to unauthorized access and modification due to missing authorization (capability) checks and nonce verification on multiple REST API endpoints and AJAX handlers. Unauthenticated attackers can exploit this to modify plugin settings, clear cache data, and manage product feeds, potentially compromising the integrity of shopping channel integrations.
Vulnerable Code
/* V5/API/RestController.php:143 */ $classes = [ AttributesMapping::instance(), CategoryMapping::instance(), DropDown::instance(), DynamicAttributes::instance(), ManageFeeds::instance(), MerchantInfo::instance(), ProductCategories::instance(), Products::instance(), ProductTaxonomy::instance(), Settings::instance(), WPOptions::instance(), MakeFeed::instance(), WPStatus::instance(), WooFeedDocs::instance(), ]; foreach ( $classes as $class ) { $class->register_routes(); } --- /* includes/helper.php:1027 */ if ( ! function_exists( 'woo_feed_ajax_merchant_info' ) ) { add_action( 'wp_ajax_woo_feed_get_merchant_info', 'woo_feed_ajax_merchant_info' ); function woo_feed_ajax_merchant_info() { if ( isset( $_REQUEST['nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ), 'wpf_feed_nonce' ) ) { // ... missing current_user_can check ...
Security Fix
@@ -120,7 +120,7 @@ // Check user permission if ( ! current_user_can( 'manage_woocommerce' ) ) { Logs::write_debug_log( 'User doesnt have enough permission.' ); - wp_send_json_error( esc_html__( 'Unauthorized Action.', 'woo-feed' ) ); + wp_send_json_error( esc_html__( 'Unauthorized Action.', 'woo-feed' ),403 ); wp_die(); } @@ -226,7 +226,7 @@ // Check user permission if ( ! current_user_can( 'manage_woocommerce' ) ) { Logs::write_debug_log( 'User doesnt have enough permission.' ); - wp_send_json_error( esc_html__( 'Unauthorized Action.', 'woo-feed' ) ); + wp_send_json_error( esc_html__( 'Unauthorized Action.', 'woo-feed' ),403 ); wp_die(); } (truncated)
Exploit Outline
The exploit involves interacting with the plugin's REST API or AJAX endpoints directly. An attacker targets the `/wp-json/ctxfeed/v1/settings` or `/wp-json/ctxfeed/v1/wp-options` endpoints using a POST request. By providing a JSON payload containing administrative keys (such as 'disable_pixel' or 'remarketing_id'), the attacker can overwrite global plugin configurations because the corresponding REST controllers fail to define a 'permission_callback' that verifies administrative capabilities. Alternatively, an attacker can trigger administrative AJAX actions via 'wp-admin/admin-ajax.php' for actions that lack the 'current_user_can' check, even if a nonce is required, if that nonce is not properly validated against user roles or is leakable.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.