CVE-2026-22492

Docket Cache <= 24.07.04 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
24.07.05
Patched in
8d
Time to patch

Description

The Docket Cache – Object Cache Accelerator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 24.07.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=24.07.04
PublishedJanuary 7, 2026
Last updatedJanuary 14, 2026
Affected plugindocket-cache

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2026-22492 - Docket Cache Missing Authorization ## 1. Vulnerability Summary The **Docket Cache – Object Cache Accelerator** plugin (up to version 24.07.04) is vulnerable to **Missing Authorization**. The plugin registers several AJAX handlers intended for administrative use (e.…

Show full research plan

Research Plan: CVE-2026-22492 - Docket Cache Missing Authorization

1. Vulnerability Summary

The Docket Cache – Object Cache Accelerator plugin (up to version 24.07.04) is vulnerable to Missing Authorization. The plugin registers several AJAX handlers intended for administrative use (e.g., clearing the cache, toggling features) but fails to implement proper capability checks (e.g., current_user_can('manage_options')) within these handlers. While the handlers may implement nonce verification, the nonces are often exposed to all authenticated users via the WordPress admin dashboard or admin bar. This allows an authenticated attacker with low-level privileges (Subscriber) to perform actions that should be restricted to administrators.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: docket_cache_action (inferred) or docket_cache_toggle (inferred)
  • Payload Parameters:
    • action: docket_cache_action
    • docket_action: The specific operation to perform (e.g., flush_all, gc, opc_flush)
    • nonce: The CSRF token generated for the action.
  • Authentication: Subscriber-level access or higher is required.
  • Preconditions: The plugin must be active and the attacker must be logged in to access the admin area (even if just profile.php).

3. Code Flow (Inferred)

  1. Registration: The plugin registers the AJAX action in the admin context (likely includes/admin.php or includes/class-admin.php).
    • add_action('wp_ajax_docket_cache_action', array($this, 'ajax_action'));
  2. Entry Point: When a Subscriber sends a POST request to admin-ajax.php with action=docket_cache_action.
  3. Handler Execution: The function ajax_action() is called.
  4. Incomplete Security Check:
    • The handler calls check_ajax_referer('docket-cache-action', 'nonce') or wp_verify_nonce(). This check passes because the Subscriber has retrieved a valid nonce.
    • The handler fails to call current_user_can('manage_options').
  5. Sink: The function proceeds to execute the requested docket_action, such as calling docket_cache_flush_all(), affecting the site's performance and integrity.

4. Nonce Acquisition Strategy

Docket Cache localizes a configuration object for its JavaScript components. This object typically contains the necessary nonce for AJAX operations and is often enqueued for all users who can see the WordPress Admin Bar.

  1. Identify Trigger: The plugin enqueues the docket-cache-adminbar or docket-cache-settings script.
  2. Access Admin Area: Log in as a Subscriber and navigate to /wp-admin/profile.php.
  3. Extraction:
    • Variable Name: docket_cache_object (inferred) or docket_cache_adminbar (inferred).
    • Nonce Key: nonce.
    • Browser Eval: Use the browser_eval tool to retrieve the token:
      browser_eval("window.docket_cache_object?.nonce || window.docket_cache_adminbar?.nonce")
  4. Verification: Confirm the nonce is a 10-character hexadecimal string.

5. Exploitation Strategy

  1. Setup Session: Log in as a Subscriber user and capture the session cookies.
  2. Extract Nonce: Navigate to /wp-admin/profile.php and use the JS evaluation method described above to find the docket-cache-action nonce.
  3. Construct Payload:
    • Method: POST
    • URL: http://[target]/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=docket_cache_action&docket_action=flush_all&nonce=[EXTRACTED_NONCE]
  4. Execute Request: Use the http_request tool to send the payload.
  5. Analyze Response: A successful exploit should return a JSON response indicating success (e.g., {"success": true, "data": "..."}), whereas a properly secured version would return 403 Forbidden or a JSON error.

6. Test Data Setup

  1. Install Docket Cache: Ensure version 24.07.04 or lower is installed.
  2. Create User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Generate Cache Data: Navigate the frontend of the site to ensure the object cache is populated.
  4. Verify Access: Confirm the Subscriber user cannot access wp-admin/admin.php?page=docket-cache (should receive "You do not have sufficient permissions").

7. Expected Results

  • Success: The http_request returns 200 OK with a JSON payload confirming the cache flush or setting change.
  • Impact: The site's object cache is cleared, which can be observed through significantly increased page load times for the next few requests or via plugin statistics.

8. Verification Steps

  1. Check Cache Status: Use WP-CLI to verify if the cache was cleared.
    wp docket cache stats (if available) or check the size of the cache directory:
    ls -lh /var/www/html/wp-content/docket-cache-data/
  2. Check Response Code: Ensure the Subscriber received a "success" response for an administrative action they should not have been able to trigger.

9. Alternative Approaches

  • Toggle Cron: Attempt to toggle the Docket Cache cron system:
    action=docket_cache_action&docket_action=toggle_cron&nonce=[NONCE]
  • Version Check: Attempt to trigger a version check or update notification:
    action=docket_cache_action&docket_action=vcheck&nonce=[NONCE]
  • Frontend Nonce: If the admin bar is visible on the frontend, attempt to extract the nonce from the site's homepage while logged in as a Subscriber.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Docket Cache – Object Cache Accelerator plugin for WordPress is vulnerable to unauthorized access because it fails to perform capability checks on its AJAX action handler. Authenticated attackers with Subscriber-level permissions can obtain a valid nonce from the admin dashboard and trigger administrative functions, such as clearing the cache or modifying plugin settings.

Vulnerable Code

// Likely in includes/admin.php or includes/class-admin.php
add_action('wp_ajax_docket_cache_action', array($this, 'ajax_action'));

public function ajax_action() {
    // Nonce verification is present, but missing capability check
    check_ajax_referer('docket-cache-action', 'nonce');

    $docket_action = isset($_POST['docket_action']) ? $_POST['docket_action'] : '';

    // Switch through administrative actions without verifying user permissions
    switch ($docket_action) {
        case 'flush_all':
            $this->flush_all();
            break;
        case 'gc':
            $this->gc();
            break;
        case 'toggle_cron':
            $this->toggle_cron();
            break;
    }
    wp_send_json_success();
}

Security Fix

--- includes/admin.php
+++ includes/admin.php
@@ -10,6 +10,11 @@
 public function ajax_action() {
     check_ajax_referer('docket-cache-action', 'nonce');
 
+    if (!current_user_can('manage_options')) {
+        wp_send_json_error(array('message' => 'Unauthorized access.'));
+        return;
+    }
+
     $docket_action = isset($_POST['docket_action']) ? $_POST['docket_action'] : '';
 
     switch ($docket_action) {

Exploit Outline

To exploit this vulnerability, an attacker first logs into the WordPress site as a Subscriber-level user. They then navigate to the admin profile page (/wp-admin/profile.php) and extract the 'docket-cache-action' nonce from the localized JavaScript objects (e.g., window.docket_cache_object) rendered in the page source. Using this nonce, the attacker sends an unauthenticated-looking (but technically authenticated) POST request to /wp-admin/admin-ajax.php with the action set to 'docket_cache_action' and a docket_action parameter such as 'flush_all'. Because the plugin does not verify if the current user has the 'manage_options' capability, the server executes the administrative command.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.