Docket Cache <= 24.07.04 - Missing Authorization
Description
The Docket Cache – Object Cache Accelerator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 24.07.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=24.07.04Source Code
WordPress.org SVN# Research Plan: CVE-2026-22492 - Docket Cache Missing Authorization ## 1. Vulnerability Summary The **Docket Cache – Object Cache Accelerator** plugin (up to version 24.07.04) is vulnerable to **Missing Authorization**. The plugin registers several AJAX handlers intended for administrative use (e.…
Show full research plan
Research Plan: CVE-2026-22492 - Docket Cache Missing Authorization
1. Vulnerability Summary
The Docket Cache – Object Cache Accelerator plugin (up to version 24.07.04) is vulnerable to Missing Authorization. The plugin registers several AJAX handlers intended for administrative use (e.g., clearing the cache, toggling features) but fails to implement proper capability checks (e.g., current_user_can('manage_options')) within these handlers. While the handlers may implement nonce verification, the nonces are often exposed to all authenticated users via the WordPress admin dashboard or admin bar. This allows an authenticated attacker with low-level privileges (Subscriber) to perform actions that should be restricted to administrators.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
docket_cache_action(inferred) ordocket_cache_toggle(inferred) - Payload Parameters:
action:docket_cache_actiondocket_action: The specific operation to perform (e.g.,flush_all,gc,opc_flush)nonce: The CSRF token generated for the action.
- Authentication: Subscriber-level access or higher is required.
- Preconditions: The plugin must be active and the attacker must be logged in to access the admin area (even if just
profile.php).
3. Code Flow (Inferred)
- Registration: The plugin registers the AJAX action in the admin context (likely
includes/admin.phporincludes/class-admin.php).add_action('wp_ajax_docket_cache_action', array($this, 'ajax_action'));
- Entry Point: When a Subscriber sends a POST request to
admin-ajax.phpwithaction=docket_cache_action. - Handler Execution: The function
ajax_action()is called. - Incomplete Security Check:
- The handler calls
check_ajax_referer('docket-cache-action', 'nonce')orwp_verify_nonce(). This check passes because the Subscriber has retrieved a valid nonce. - The handler fails to call
current_user_can('manage_options').
- The handler calls
- Sink: The function proceeds to execute the requested
docket_action, such as callingdocket_cache_flush_all(), affecting the site's performance and integrity.
4. Nonce Acquisition Strategy
Docket Cache localizes a configuration object for its JavaScript components. This object typically contains the necessary nonce for AJAX operations and is often enqueued for all users who can see the WordPress Admin Bar.
- Identify Trigger: The plugin enqueues the
docket-cache-adminbarordocket-cache-settingsscript. - Access Admin Area: Log in as a Subscriber and navigate to
/wp-admin/profile.php. - Extraction:
- Variable Name:
docket_cache_object(inferred) ordocket_cache_adminbar(inferred). - Nonce Key:
nonce. - Browser Eval: Use the
browser_evaltool to retrieve the token:browser_eval("window.docket_cache_object?.nonce || window.docket_cache_adminbar?.nonce")
- Variable Name:
- Verification: Confirm the nonce is a 10-character hexadecimal string.
5. Exploitation Strategy
- Setup Session: Log in as a Subscriber user and capture the session cookies.
- Extract Nonce: Navigate to
/wp-admin/profile.phpand use the JS evaluation method described above to find thedocket-cache-actionnonce. - Construct Payload:
- Method:
POST - URL:
http://[target]/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=docket_cache_action&docket_action=flush_all&nonce=[EXTRACTED_NONCE]
- Method:
- Execute Request: Use the
http_requesttool to send the payload. - Analyze Response: A successful exploit should return a JSON response indicating success (e.g.,
{"success": true, "data": "..."}), whereas a properly secured version would return403 Forbiddenor a JSON error.
6. Test Data Setup
- Install Docket Cache: Ensure version 24.07.04 or lower is installed.
- Create User:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123 - Generate Cache Data: Navigate the frontend of the site to ensure the object cache is populated.
- Verify Access: Confirm the Subscriber user cannot access
wp-admin/admin.php?page=docket-cache(should receive "You do not have sufficient permissions").
7. Expected Results
- Success: The
http_requestreturns200 OKwith a JSON payload confirming the cache flush or setting change. - Impact: The site's object cache is cleared, which can be observed through significantly increased page load times for the next few requests or via plugin statistics.
8. Verification Steps
- Check Cache Status: Use WP-CLI to verify if the cache was cleared.
wp docket cache stats(if available) or check the size of the cache directory:ls -lh /var/www/html/wp-content/docket-cache-data/ - Check Response Code: Ensure the Subscriber received a "success" response for an administrative action they should not have been able to trigger.
9. Alternative Approaches
- Toggle Cron: Attempt to toggle the Docket Cache cron system:
action=docket_cache_action&docket_action=toggle_cron&nonce=[NONCE] - Version Check: Attempt to trigger a version check or update notification:
action=docket_cache_action&docket_action=vcheck&nonce=[NONCE] - Frontend Nonce: If the admin bar is visible on the frontend, attempt to extract the nonce from the site's homepage while logged in as a Subscriber.
Summary
The Docket Cache – Object Cache Accelerator plugin for WordPress is vulnerable to unauthorized access because it fails to perform capability checks on its AJAX action handler. Authenticated attackers with Subscriber-level permissions can obtain a valid nonce from the admin dashboard and trigger administrative functions, such as clearing the cache or modifying plugin settings.
Vulnerable Code
// Likely in includes/admin.php or includes/class-admin.php add_action('wp_ajax_docket_cache_action', array($this, 'ajax_action')); public function ajax_action() { // Nonce verification is present, but missing capability check check_ajax_referer('docket-cache-action', 'nonce'); $docket_action = isset($_POST['docket_action']) ? $_POST['docket_action'] : ''; // Switch through administrative actions without verifying user permissions switch ($docket_action) { case 'flush_all': $this->flush_all(); break; case 'gc': $this->gc(); break; case 'toggle_cron': $this->toggle_cron(); break; } wp_send_json_success(); }
Security Fix
@@ -10,6 +10,11 @@ public function ajax_action() { check_ajax_referer('docket-cache-action', 'nonce'); + if (!current_user_can('manage_options')) { + wp_send_json_error(array('message' => 'Unauthorized access.')); + return; + } + $docket_action = isset($_POST['docket_action']) ? $_POST['docket_action'] : ''; switch ($docket_action) {
Exploit Outline
To exploit this vulnerability, an attacker first logs into the WordPress site as a Subscriber-level user. They then navigate to the admin profile page (/wp-admin/profile.php) and extract the 'docket-cache-action' nonce from the localized JavaScript objects (e.g., window.docket_cache_object) rendered in the page source. Using this nonce, the attacker sends an unauthenticated-looking (but technically authenticated) POST request to /wp-admin/admin-ajax.php with the action set to 'docket_cache_action' and a docket_action parameter such as 'flush_all'. Because the plugin does not verify if the current user has the 'manage_options' capability, the server executes the administrative command.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.