Eight Day Week Print Workflow <= 1.2.5 - Authenticated (Custom+) Information Exposure
Description
The Eight Day Week Print Workflow plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Custom-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.2.5Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-67621 ## 1. Vulnerability Summary The **Eight Day Week Print Workflow** plugin (<= 1.2.5) contains a sensitive information exposure vulnerability. The plugin registers REST API or AJAX endpoints intended for print workflow management (integrating WordPress wit…
Show full research plan
Exploitation Research Plan: CVE-2025-67621
1. Vulnerability Summary
The Eight Day Week Print Workflow plugin (<= 1.2.5) contains a sensitive information exposure vulnerability. The plugin registers REST API or AJAX endpoints intended for print workflow management (integrating WordPress with Adobe InDesign/Eight Day Week). These endpoints fail to implement sufficient capability checks, allowing authenticated users with "Custom-level" access (typically roles like 'Subscriber' or those granted specific print-related capabilities) to extract sensitive data, including user lists, metadata, or plugin configurations.
2. Attack Vector Analysis
- Endpoint Type: REST API (most likely) or AJAX.
- Vulnerable REST Route (Inferred):
wp-json/edw/v1/usersorwp-json/edw/v1/settings. - Vulnerable AJAX Action (Inferred):
edw_get_usersoreight_day_week_get_staff. - Authentication Level: Authenticated (
PR:L). Any user with a valid login that can access the WordPress dashboard. - Payload Parameter: None required for simple exposure, or specific filters (e.g.,
role=administrator) to narrow data extraction. - Preconditions: The plugin must be active and at least one user must be logged in with a role that meets the "Custom+" requirement (which usually maps to any role higher than Subscriber, but often includes Subscriber if they have been granted specific plugin-defined capabilities).
3. Code Flow
- Registration: The plugin uses the
rest_api_inithook (found inincludes/orsrc/) to callregister_rest_route(). - Permission Bypass: The
permission_callbackfor the sensitive route likely returnstrue, usesis_user_logged_in(), or checks for a low-level capability likeread. - Data Retrieval: The endpoint handler (e.g.,
get_itemsmethod in a REST controller) callsget_users()orget_options()without filtering out sensitive fields. - Exposure: The handler returns a JSON response containing raw user objects, including emails, user IDs, and potentially user meta or hashed passwords if the object isn't properly sanitized via
prepare_item_for_response.
4. Nonce Acquisition Strategy
The WordPress REST API requires a _wpnonce in the X-WP-Nonce header for authenticated requests.
Step 1: Identify the Localized Variable
Search the plugin code for where it enqueues scripts and localizes data:
grep -r "wp_localize_script" .
Look for a variable name like edw_settings or eight_day_week_vars.
Step 2: Extract Nonce via Browser
Since the vulnerability requires authentication, the agent must:
- Log in to the WordPress dashboard as a low-privileged user (e.g., 'subscriber' or 'contributor').
- Navigate to the dashboard:
browser_navigate("http://localhost:8080/wp-admin/"). - Use
browser_evalto extract the REST nonce from the standard WordPress global object or the plugin's localized object:- Standard REST Nonce:
browser_eval("window.wpApiSettings?.nonce") - Plugin Specific (if applicable):
browser_eval("window.edw_settings?.nonce")(inferred)
- Standard REST Nonce:
5. Exploitation Strategy
The goal is to extract the full user list and sensitive metadata via the REST API.
Discovery:
Identify the exact route by searching forregister_rest_routein the plugin directory:grep -rn "register_rest_route" .Expect to find a namespace like
edw/v1.Execution:
Using thehttp_requesttool, perform a GET request to the identified endpoint using the nonce obtained in the previous step.Request Example:
GET /wp-json/edw/v1/users HTTP/1.1 Host: localhost:8080 X-WP-Nonce: [EXTRACTED_NONCE] Cookie: [LOGGED_IN_USER_COOKIES]Data Extraction:
Analyze the JSON response. Look for:user_emailuser_logindisplay_name- Custom meta fields containing internal workflow data.
6. Test Data Setup
To demonstrate information exposure, the environment must contain data worth exposing:
- Create Target Users:
wp user create victim_admin admin@example.com --role=administrator --user_pass=password123 wp user create victim_editor editor@example.com --role=editor --user_pass=password123 - Create Attacker User:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123 - Configure Plugin (if needed):
Ensure "Eight Day Week" settings are initialized.wp option update edw_settings '{"api_key":"SECRET_VAL_123"}'
7. Expected Results
- Success: The response status is
200 OK. The body contains a JSON array of user objects. This array includes thevictim_adminandvictim_editordata, even though the request was made by asubscriber. - Vulnerability Confirmation: The presence of
user_emailor internal plugin configuration data in a response accessible to a Subscriber confirms the Information Exposure.
8. Verification Steps
- Confirm Payload via CLI:
Verify the data exposed matches the database:wp user list --fields=ID,user_login,user_email --format=json - Compare Access:
Attempt the same request without a cookie. It should return401 Unauthorized.
Attempt the same request with the Subscriber cookie. It should return200 OK(Vulnerable). In a patched version, it should return403 Forbidden.
9. Alternative Approaches
If the REST API route is not easily found:
- Search for AJAX Handlers:
grep -r "wp_ajax_" . - Trace "Staff" UI:
If the plugin has a "Staff" or "Assignments" page in the admin, navigate to it as an Admin, open the browser network tab, and see which endpoint populates the user list. Then, attempt to hit that same endpoint as a Subscriber. - Check for
get_userscalls:
Search for where the plugin fetches users to see if it's wrapped in a custom function that lacks permission checks:grep -r "get_users" .
Summary
The Eight Day Week Print Workflow plugin for WordPress is vulnerable to sensitive information exposure in versions up to 1.2.5. This occurs because certain REST API endpoints lack adequate capability checks, allowing authenticated users with low-level access to retrieve sensitive user data and configuration details.
Vulnerable Code
// Inferred from research plan: REST API route registration likely lacking proper permission_callback register_rest_route( 'edw/v1', '/users', array( 'methods' => 'GET', 'callback' => array( $this, 'get_users' ), 'permission_callback' => '__return_true', // Vulnerability: provides access to any logged-in user ) ); --- // Inferred handler failing to sanitize sensitive user fields public function get_users( $request ) { $users = get_users(); return rest_ensure_response( $users ); }
Security Fix
@@ -20,7 +20,9 @@ 'methods' => 'GET', 'callback' => array( $this, 'get_users' ), - 'permission_callback' => '__return_true', + 'permission_callback' => function() { + return current_user_can( 'list_users' ); + }, ) );
Exploit Outline
An attacker first authenticates to the WordPress site with a low-privileged account (e.g., Subscriber). Once logged in, they obtain the necessary REST API nonce (typically found in the window.wpApiSettings.nonce JavaScript variable). The attacker then sends a GET request to the vulnerable endpoint, likely /wp-json/edw/v1/users, including the nonce in the X-WP-Nonce header. The plugin responds with a JSON array containing sensitive information for all site users, including email addresses and internal IDs, because the endpoint fails to verify that the requesting user has administrative permissions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.