CVE-2026-39680

Diet Calorie Calculator <= 1.1.1 - Missing Authorization

Vulnerability type: Missing Authorization
CVSS Score: 5.3
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The Diet Calorie Calculator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.1.1
Published: February 21, 2026
Last updated: April 15, 2026
Research Plan
Unverified

This research plan outlines the steps required to identify and exploit the Missing Authorization vulnerability in the Diet Calorie Calculator plugin (<= 1.1.1).
1. Vulnerability Summary

The Diet Calorie Calculator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in an action handler. In versions up to and including 1.1.1, certain functions—likely those associated with saving calculator data, updating user diet profiles, or modifying plugin settings—are registered via hooks (such as wp_ajax_nopriv_ or admin_init) without verifying if the requesting user has the necessary permissions (current_user_can()). This allows unauthenticated attackers to perform actions that should be restricted to administrators or specific users.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (most likely) or a general init/admin_init hook listener.
  • Action Name (Inferred): Likely patterns include dcc_save_data, save_diet_calculator_settings, or diet_calorie_calculator_save.
  • Payload Parameter: $_POST parameters corresponding to plugin settings or user data.
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active. If the vulnerability is in an AJAX handler, a nonce might be required, though many plugins with missing authorization also lack proper nonce verification.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers a handler for an AJAX action:
    add_action('wp_ajax_nopriv_VULNERABLE_ACTION', 'vulnerable_function_name');
    add_action('wp_ajax_VULNERABLE_ACTION', 'vulnerable_function_name');
  2. Trigger: An HTTP POST request is sent to admin-ajax.php with action=VULNERABLE_ACTION.
  3. Missing Check: Inside vulnerable_function_name(), the code fails to call current_user_can('manage_options') or a similar authorization check.
  4. Sink: The function proceeds to execute a privileged operation, such as:
    • update_option('dcc_settings', ...)
    • $wpdb->insert(...) into a custom plugin table.
    • wp_insert_post(...) to create diet plans.

4. Nonce Acquisition Strategy

If the handler performs a check_ajax_referer or wp_verify_nonce check, we must extract the nonce from the frontend.

  1. Identify Shortcode: Search the plugin code for add_shortcode.
    • Likely Shortcode: [diet-calorie-calculator] (inferred).
  2. Create Trigger Page: Create a public page containing this shortcode to force the plugin to load its scripts and nonces.
    • wp post create --post_type=page --post_status=publish --post_title="Calculator" --post_content='[diet-calorie-calculator]'
  3. Extract Nonce via Browser:
    • Navigate to the newly created page.
    • Search the source code for wp_localize_script data.
    • Common JS Variable (Inferred): window.dcc_ajax_obj or window.diet_calc_vars.
    • Command: browser_eval("window.diet_calc_vars?.nonce") (Replace with actual variable found during discovery).
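As an added illustration for the Code Flow and Nonce Acquisition sections above (this is not code from the Diet Calorie Calculator plugin, whose real hook, option and variable names are not published here; every dcc_example_* name is hypothetical), the handler pattern the plan describes beside its hardened form: an AJAX action that writes an option with no capability check, and the same action with the nonce localized on the shortcode page, check_ajax_referer(), and the current_user_can() check whose absence constitutes this vulnerability class.

```php
<?php
// Added example, not the plugin's own code; all dcc_example_* names are hypothetical.
// The two handlers are shown side by side; a real plugin would contain only one of them.
// Vulnerable pattern: reachable without login, writes an option, no authorization.
add_action( 'wp_ajax_nopriv_dcc_example_save', 'dcc_example_save_vulnerable' );
add_action( 'wp_ajax_dcc_example_save', 'dcc_example_save_vulnerable' );

function dcc_example_save_vulnerable() {
    // No nonce, no current_user_can(): any request to admin-ajax.php with
    // action=dcc_example_save overwrites the setting.
    update_option( 'dcc_example_settings', $_POST['settings'] );
    wp_send_json_success();
}

// Hardened pattern: no nopriv hook, because saving settings is never a visitor action.
add_action( 'wp_ajax_dcc_example_save', 'dcc_example_save_hardened' );

function dcc_example_save_hardened() {
    // CSRF check: dies with HTTP 403 unless $_POST['nonce'] was issued for this action.
    check_ajax_referer( 'dcc_example_save', 'nonce' );

    // Authorization check: a valid nonce proves the request came from a page we
    // rendered for this user, not that the user may change settings. This is the
    // check whose absence the advisory describes; wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Validate and sanitize before the sink; never store raw $_POST.
    $raw      = isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $allowed  = array( 'kcal', 'kJ' );
    $settings = array(
        'label' => sanitize_text_field( $raw['label'] ?? '' ),
        'unit'  => in_array( $raw['unit'] ?? '', $allowed, true ) ? $raw['unit'] : 'kcal',
    );

    update_option( 'dcc_example_settings', $settings );
    wp_send_json_success( $settings );
}

// Issue the nonce only where the calculator script is enqueued (the shortcode page).
function dcc_example_enqueue_scripts() {
    wp_enqueue_script( 'dcc-example', plugins_url( 'calc.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dcc-example', 'dcc_example_vars', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'dcc_example_save' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'dcc_example_enqueue_scripts' );
```

The wp_localize_script data in the enqueue function is exactly what the nonce acquisition steps above read from a public page; with the nopriv hook removed and the capability check in place, a nonce harvested from that page no longer lets a visitor or a low-privilege user reach update_option().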

5. Exploitation Strategy

Once the vulnerable action and necessary parameters are identified:

  1. Discovery Phase:
    • Grep the plugin directory for wp_ajax_nopriv to find potential unauthenticated actions.
    • Check for current_user_can calls within those functions.
    • Identify parameters used in update_option or database queries.
  2. Execution Phase:
    • Use the http_request tool to send a POST request to the AJAX endpoint.
    • Payload Example (Inferred):
      POST /wp-admin/admin-ajax.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      
      action=VULNERABLE_ACTION&nonce=EXTRACTED_NONCE&option_name=default_role&option_value=administrator
      
    • Note: If the vulnerability allows updating arbitrary options, targeting users_can_register and default_role is a common path to privilege escalation. If it only affects plugin-specific settings, target a setting that could lead to XSS (e.g., a "footer text" or "calculator label" setting).

6. Test Data Setup

  1. Plugin Installation: Ensure diet-calorie-calculator version 1.1.1 is installed.
  2. Page Creation:
    wp post create --post_type=page --post_status=publish --post_content='[diet-calorie-calculator]'
    
  3. Baseline Check: Verify current plugin settings or system settings:
    wp option get users_can_register
    

7. Expected Results

  • Success: The server returns a 200 OK or a JSON success message (e.g., {"success":true}).
  • Impact: The targeted setting or data is modified in the database without the attacker ever providing administrator credentials.

8. Verification Steps

  1. Database Check: Use WP-CLI to confirm the change.
    • If settings were targeted: wp option get <plugin_setting_name>
    • If user data was targeted: wp db query "SELECT * FROM wp_diet_data_table" (using the actual table name).
  2. UI Check: Navigate to the plugin settings page in the WordPress admin dashboard to see if the values have changed.

9. Alternative Approaches

  • Admin Init Bypass: If no AJAX actions are found, check for functions hooked to admin_init. If they process $_POST without a capability check, they can be triggered by any user (even unauthenticated) by visiting /wp-admin/admin-ajax.php (as admin_init fires on that endpoint).
  • Parameter Fuzzing: If the logic for saving settings is found but the parameters are unclear, fuzz the $_POST keys based on the names found in the plugin's settings form HTML. Look for name="settings[some_val]" in the source code.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Diet Calorie Calculator plugin for WordPress is vulnerable to unauthorized access in versions up to 1.1.1 due to missing capability checks on functions registered via AJAX or administrative hooks. This allows unauthenticated attackers to perform privileged actions, such as modifying plugin settings or diet-related data, by sending requests to the admin-ajax.php endpoint.

Exploit Outline

The exploit methodology involves identifying an unauthenticated AJAX action registered by the plugin (likely using the 'wp_ajax_nopriv_' hook) that performs sensitive operations without a call to current_user_can().

  1. Search the plugin code for hooks like 'wp_ajax_nopriv_' associated with data saving (e.g., dcc_save_data).
  2. Locate a public page where the [diet-calorie-calculator] shortcode is present and extract any necessary nonces from the localized JavaScript variables (e.g., in window.diet_calc_vars).
  3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter and the target payload containing modified settings or data.
  4. If the plugin uses an admin_init hook without authorization checks, the same result can be achieved by an unauthenticated user hitting the AJAX endpoint, as admin_init fires on that route.