Document Library Lite <= 1.1.7 - Unauthenticated Insecure Direct Object Reference
Description
The Document Library Lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.1.7Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-67985 (Document Library Lite) ## 1. Vulnerability Summary The **Document Library Lite** plugin (<= 1.1.7) contains an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. The plugin exposes an AJAX or REST API endpoint that retrieves documen…
Show full research plan
Exploitation Research Plan - CVE-2025-67985 (Document Library Lite)
1. Vulnerability Summary
The Document Library Lite plugin (<= 1.1.7) contains an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. The plugin exposes an AJAX or REST API endpoint that retrieves document or configuration data based on user-supplied identifiers (IDs) without verifying the user's authorization or the sensitivity of the object being requested. This allows unauthenticated attackers to extract potentially sensitive information, such as document metadata, author details, or plugin configuration settings.
2. Attack Vector Analysis
- Endpoint: WordPress AJAX (
/wp-admin/admin-ajax.php) or REST API (/wp-json/). - Vulnerable Action (Inferred):
dll_get_table_data,dll_fetch_documents, ordll_get_document_details. - Action Hook:
wp_ajax_nopriv_dll_get_table_data(or similarnoprivhook). - Payload Parameter:
id,document_id, orpost_id. - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. Exploitation of specific document IDs requires those IDs to exist (can be enumerated).
3. Code Flow (Inferred)
- Entry Point: An unauthenticated user sends a POST request to
admin-ajax.phpwith anoprivaction associated with the Document Library Lite plugin. - Handler Execution: The handler function (e.g.,
dll_get_document_info) is invoked. - Parameter Extraction: The function retrieves an ID from
$_POST['id']or$_REQUEST['id']. - Insecure Retrieval: The function calls
get_post( $id )or a similar database query to fetch document data without checking if the post is of the correct type (dl_document), if it is "Published", or if the current user has permission to view it. - Information Leakage: The function returns the full object or sensitive metadata via
wp_send_json_success().
4. Nonce Acquisition Strategy
Document Library Lite typically enqueues a JavaScript configuration object to handle AJAX requests for its document tables.
- Identify Shortcode: The plugin uses the
[doc_library]or[document_library]shortcode. - Create Trigger Page:
wp post create --post_type=page --post_title="Document Library" --post_status=publish --post_content='[doc_library]' - Extract Nonce via Browser:
Navigate to the newly created page and usebrowser_evalto find the localized script data.- Possible Global Variable:
dll_config,dll_data, ordll_params. - Execution Command:
browser_eval("window.dll_config?.ajax_nonce || window.dll_params?.nonce")
- Possible Global Variable:
- Bypass Check: If the
wp_ajax_noprivhandler does not callcheck_ajax_refereror calls it withdie=falseand ignores the result, the nonce is unnecessary.
5. Exploitation Strategy
- Enumerate IDs: Use a loop to test common post IDs (e.g., 1-100).
- Craft Request:
- URL:
http://<target>/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=dll_get_table_data&id=<TARGET_ID>&nonce=<EXTRACTED_NONCE>
- URL:
- Target Specific Data: Attempt to access IDs of posts that are in "Draft" or "Private" status, or IDs of users to see if user meta is leaked.
6. Test Data Setup
- Create Private Document:
# Create a document that should NOT be public wp post create --post_type=dl_document --post_title="Secret Project" --post_status=private --post_content="Sensitive internal data." - Add Metadata:
# Add custom meta to the document wp post meta add <PRIVATE_DOC_ID> internal_note "Confidential admin key: 12345" - Identify Document ID: Note the ID of the private document for the exploit attempt.
7. Expected Results
- Successful Exploit: The server returns a
200 OKresponse with a JSON body containing the content or metadata of the private document (e.g.,"post_content": "Sensitive internal data."or metadata values). - Vulnerability Confirmation: Accessing a private ID via the
noprivAJAX action that should only be accessible to logged-in admins.
8. Verification Steps
- Verify via CLI: Check if the ID accessed is indeed private.
wp post get <ID> --field=post_status - Check Sensitivity: Confirm the response from the
http_requestcontains data not available in the public frontend table.
9. Alternative Approaches
- REST API Discovery: Check for registered routes under
wp-json/dll/v1/or similar.# Enumerate REST routes http_request http://<target>/wp-json/ - Parameter Variations: If
iddoesn't work, trydoc_id,p, orpost_id. - Metadata Leakage: Some plugins have specific actions like
dll_get_meta. Test if these actions allow arbitrary meta key retrieval.
Summary
The Document Library Lite plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via its AJAX handlers. This allow unauthenticated attackers to retrieve sensitive document content and metadata from posts that are not publicly available, such as those in 'private' or 'draft' status.
Vulnerable Code
// Inferred from plugin architecture and research plan // includes/class-dll-ajax.php or similar AJAX handler file add_action( 'wp_ajax_nopriv_dll_get_table_data', array( $this, 'get_table_data' ) ); public function get_table_data() { // The plugin takes a user-supplied ID without sufficient validation $post_id = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : 0; // Retrieves the post object directly $post = get_post( $post_id ); // Vulnerability: No check to ensure the post status is 'publish' // or that the current user has permission to view this specific post ID. wp_send_json_success( $post ); }
Security Fix
@@ -10,5 +10,12 @@ public function get_table_data() { + check_ajax_referer( 'dll_ajax_nonce', 'nonce' ); $post_id = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : 0; $post = get_post( $post_id ); - wp_send_json_success( $post ); + if ( $post && 'dl_document' === $post->post_type && 'publish' === $post->post_status ) { + wp_send_json_success( $post ); + } else { + wp_send_json_error( array( 'message' => 'Unauthorized access.' ) ); + } }
Exploit Outline
The exploit involves interacting with the WordPress AJAX endpoint to request data for sensitive post IDs. 1. Target Identification: Locate a page on the target site where the Document Library Lite shortcode ([doc_library]) is active to confirm the plugin is in use. 2. Nonce Retrieval (Optional): If the AJAX action requires a nonce, the attacker can extract it from the localized JavaScript objects (e.g., dll_config or dll_params) rendered on any page containing the document table. 3. Request Crafting: Send an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'dll_get_table_data' (or the specific handler identified) and the 'id' parameter set to the target post ID. 4. Enumeration: Iteratively test common post IDs to identify internal documents, drafts, or private files. 5. Information Extraction: The server's JSON response will include the post_content and metadata of the requested ID, regardless of its visibility status.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.