CVE-2026-22461

CTX Feed <= 6.6.18 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
6.6.19
Patched in
53d
Time to patch

Description

The CTX Feed plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.6.18. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.6.18
PublishedJanuary 4, 2026
Last updatedFebruary 25, 2026

What Changed in the Fix

Changes introduced in v6.6.19

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-22461 ## 1. Vulnerability Summary The **CTX Feed** plugin for WordPress (versions up to 6.6.18) is vulnerable to unauthorized access due to missing authorization checks in its REST API implementation. The plugin registers a series of REST routes in `V5/API/Re…

Show full research plan

Exploitation Research Plan - CVE-2026-22461

1. Vulnerability Summary

The CTX Feed plugin for WordPress (versions up to 6.6.18) is vulnerable to unauthorized access due to missing authorization checks in its REST API implementation. The plugin registers a series of REST routes in V5/API/RestController.php but fails to consistently apply the get_item_permissions_check method as a permission_callback for several sensitive endpoints. This allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings or managing product feeds.

2. Attack Vector Analysis

  • Endpoint: POST /wp-json/ctxfeed/v1/settings or POST /wp-json/ctxfeed/v1/wp-options
  • REST Namespace: ctxfeed/v1 (Inferred from WOO_FEED_API_NAMESPACE and the class folder structure V5/API/V1).
  • Method: POST
  • Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active. WooCommerce is typically required for the plugin to function.

3. Code Flow

  1. Route Registration: During rest_api_init, RestController::instance() calls register_api().
  2. Sub-class Initialization: register_api() loops through a list of classes: AttributesMapping, CategoryMapping, DropDown, ManageFeeds, Settings, WPOptions, etc.
  3. Route Definition: Each class (e.g., Settings::instance()) calls its own register_routes() method.
  4. The Vulnerability: These sub-classes register routes using register_rest_route() but either omit the permission_callback parameter or set it to a function that does not properly invoke the RestController::get_item_permissions_check logic.
  5. Request Execution: An unauthenticated HTTP request hits the endpoint. Because there is no permission_callback returning false (or a WP_Error), the callback (e.g., update_settings) is executed immediately.
  6. Unauthorized Action: The callback performs a privileged action (like update_option) without verifying the requester has manage_options or manage_woocommerce capabilities.

4. Nonce Acquisition Strategy

The WordPress REST API generally does not require a nonce for unauthenticated access unless the specific handler logic checks for one. Since this vulnerability involves a missing authorization check at the route level, the X-WP-Nonce header is not required for the exploit to succeed.

5. Exploitation Strategy

The goal is to modify a plugin setting to demonstrate unauthorized write access (Integrity: Low).

Step 1: Discover the settings structure

Attempt to read the current settings to identify valid keys.

  • Request:
    • Method: GET
    • URL: /wp-json/ctxfeed/v1/settings
    • Tool: http_request

Step 2: Modify a setting

We will target the disable_pixel or remarketing_id settings which are used in the tracking logic (FacebookTracker and GoogleTracker).

  • Request:
    • Method: POST
    • URL: /wp-json/ctxfeed/v1/settings
    • Headers: Content-Type: application/json
    • Payload: {"disable_pixel": "enable", "pixel_id": "exploited_id"}
    • Tool: http_request

Step 3: Verify the change

Check the response from Step 2 or repeat Step 1 to confirm the value has changed.

6. Test Data Setup

  1. Environment: Standard WordPress installation.
  2. Plugin: Install and activate webappick-product-feed-for-woocommerce version 6.6.18.
  3. Dependency: WooCommerce must be active for the CTX Feed REST controllers to initialize correctly.
  4. Configuration: No specific feeds need to be created; the vulnerability exists in the global settings management.

7. Expected Results

  • Success Indicator: The server returns an HTTP 200 OK.
  • Response Content: The response body should contain a JSON object with status: 200 and the updated data array showing the new setting values.
  • Example Response:
    {
      "status": 200,
      "data": {
        "disable_pixel": "enable",
        "pixel_id": "exploited_id",
        "..." : "..."
      }
    }
    

8. Verification Steps

After the HTTP request, use the wp_cli to confirm the persistent database change:

# Check the plugin settings option
wp option get woo_feed_settings --format=json

Verify that the pixel_id or disable_pixel keys match the payload sent in the exploit.

9. Alternative Approaches

If the settings endpoint is partially protected, attempt to exploit the wp-options endpoint:

  • Endpoint: POST /wp-json/ctxfeed/v1/wp-options
  • Payload: {"option_name": "woo_feed_settings", "option_value": {"disable_pixel": "enable", "pixel_id": "exploited_alt"}}

If the objective is to impact feed availability, attempt to use the manage-feeds endpoint to delete an existing feed:

  • Action: DELETE /wp-json/ctxfeed/v1/manage-feeds/[FEED_ID] (where FEED_ID is identified via a prior GET /wp-json/ctxfeed/v1/manage-feeds).
Research Findings
Static analysis — not yet PoC-verified

Summary

The CTX Feed plugin for WordPress is vulnerable to unauthorized access and modification due to missing authorization (capability) checks and nonce verification on multiple REST API endpoints and AJAX handlers. Unauthenticated attackers can exploit this to modify plugin settings, clear cache data, and manage product feeds, potentially compromising the integrity of shopping channel integrations.

Vulnerable Code

/* V5/API/RestController.php:143 */
$classes = [
    AttributesMapping::instance(),
    CategoryMapping::instance(),
    DropDown::instance(),
    DynamicAttributes::instance(),
    ManageFeeds::instance(),
    MerchantInfo::instance(),
    ProductCategories::instance(),
    Products::instance(),
    ProductTaxonomy::instance(),
    Settings::instance(),
    WPOptions::instance(),
    MakeFeed::instance(),
    WPStatus::instance(),
    WooFeedDocs::instance(),
];
foreach ( $classes as $class ) {
    $class->register_routes();
}

---

/* includes/helper.php:1027 */
if ( ! function_exists( 'woo_feed_ajax_merchant_info' ) ) {
	add_action( 'wp_ajax_woo_feed_get_merchant_info', 'woo_feed_ajax_merchant_info' );
	function woo_feed_ajax_merchant_info() {
		if ( isset( $_REQUEST['nonce'] ) && wp_verify_nonce(
			sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ),
			'wpf_feed_nonce'
		) ) {
            // ... missing current_user_can check ...

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/webappick-product-feed-for-woocommerce/6.6.18/includes/action-handler.php /home/deploy/wp-safety.org/data/plugin-versions/webappick-product-feed-for-woocommerce/6.6.19/includes/action-handler.php
--- /home/deploy/wp-safety.org/data/plugin-versions/webappick-product-feed-for-woocommerce/6.6.18/includes/action-handler.php	2024-06-25 05:13:52.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/webappick-product-feed-for-woocommerce/6.6.19/includes/action-handler.php	2026-01-19 12:27:58.000000000 +0000
@@ -120,7 +120,7 @@
 		// Check user permission
 		if ( ! current_user_can( 'manage_woocommerce' ) ) {
 			Logs::write_debug_log( 'User doesnt have enough permission.' );
-			wp_send_json_error( esc_html__( 'Unauthorized Action.', 'woo-feed' ) );
+			wp_send_json_error( esc_html__( 'Unauthorized Action.', 'woo-feed' ),403 );
 			wp_die();
 		}
 
@@ -226,7 +226,7 @@
 		// Check user permission
 		if ( ! current_user_can( 'manage_woocommerce' ) ) {
 			Logs::write_debug_log( 'User doesnt have enough permission.' );
-			wp_send_json_error( esc_html__( 'Unauthorized Action.', 'woo-feed' ) );
+			wp_send_json_error( esc_html__( 'Unauthorized Action.', 'woo-feed' ),403 );
 			wp_die();
 		}

(truncated)

Exploit Outline

The exploit involves interacting with the plugin's REST API or AJAX endpoints directly. An attacker targets the `/wp-json/ctxfeed/v1/settings` or `/wp-json/ctxfeed/v1/wp-options` endpoints using a POST request. By providing a JSON payload containing administrative keys (such as 'disable_pixel' or 'remarketing_id'), the attacker can overwrite global plugin configurations because the corresponding REST controllers fail to define a 'permission_callback' that verifies administrative capabilities. Alternatively, an attacker can trigger administrative AJAX actions via 'wp-admin/admin-ajax.php' for actions that lack the 'current_user_can' check, even if a nonce is required, if that nonce is not properly validated against user roles or is leakable.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.