Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade
Description
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has knowns security vulnerabilities.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NTechnical Details
<=1.4.1# Exploitation Research Plan: CVE-2026-3279 - Enable jQuery Migrate Helper Downgrade ## 1. Vulnerability Summary The **Enable jQuery Migrate Helper** plugin (<= 1.4.1) contains a missing authorization vulnerability in its `downgrade_jquery_version()` function. While the function implements a nonce …
Show full research plan
Exploitation Research Plan: CVE-2026-3279 - Enable jQuery Migrate Helper Downgrade
1. Vulnerability Summary
The Enable jQuery Migrate Helper plugin (<= 1.4.1) contains a missing authorization vulnerability in its downgrade_jquery_version() function. While the function implements a nonce check to prevent Cross-Site Request Forgery (CSRF), it fails to verify if the requesting user has administrative capabilities (e.g., manage_options). Consequently, any authenticated user with Subscriber-level permissions or higher can trigger a site-wide downgrade of the jQuery library to a legacy version (1.12.4-wp), which contains known security vulnerabilities.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
downgrade_jquery_version(inferred from function name) orjquery-migrate-downgrade-version(common pattern for this plugin). - Parameters:
action: The AJAX action string._ajax_nonce: A valid WordPress nonce generated for the downgrade action.
- Authentication: Subscriber-level account (
PR:L). - Preconditions: The plugin must be active. The site should ideally be running a modern jQuery version (default in recent WP) to observe the change.
3. Code Flow
- Hook Registration: The plugin likely registers the AJAX handler in its main class or an admin initialization file:
add_action( 'wp_ajax_downgrade_jquery_version', array( $this, 'downgrade_jquery_version' ) ); - Function Execution: When a Subscriber sends a POST request to
admin-ajax.phpwithaction=downgrade_jquery_version:- The
downgrade_jquery_version()function is invoked. - It calls
check_ajax_referer( 'jquery-migrate-downgrade', 'nonce' )(or similar action/key). - Vulnerability: It proceeds to
update_option( 'jquery_migrate_helper_version', 'legacy' )(inferred) without callingcurrent_user_can( 'manage_options' ).
- The
- Sink: The
update_optioncall modifies the site configuration, affecting which scripts are enqueued for all users.
4. Nonce Acquisition Strategy
Since this is an authenticated vulnerability affecting the admin-ajax interface, the nonce is likely localized for the WordPress admin dashboard.
- Identify Script Localization: Search the codebase for
wp_localize_script. - Create Subscriber: Use WP-CLI to create a Subscriber user.
- Capture Nonce:
- Log into the WordPress admin as the Subscriber.
- Navigate to the main Dashboard (
/wp-admin/index.php). - Use
browser_evalto search for the localized object. - JS Variables to check:
window.jquery_migrate_helper?.noncewindow.jqmh_data?.downgrade_noncewindow.wp_jquery_migrate_helper?.nonce(inferred)
Example Extraction:
// Run via browser_eval after navigating to /wp-admin/
return window.jquery_migrate_helper || window.jqmh_data || "Variable not found";
5. Exploitation Strategy
- Setup: Create a Subscriber user and log in.
- Discovery: Navigate to
/wp-admin/and extract the nonce using thebrowser_evaltool. - Execution: Send a POST request to
admin-ajax.php.- URL:
http://[TARGET]/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=downgrade_jquery_version&_ajax_nonce=[EXTRACTED_NONCE](Note:_ajax_nonceis the default key used bycheck_ajax_referer).
- URL:
6. Test Data Setup
- Install Plugin: Ensure Enable jQuery Migrate Helper <= 1.4.1 is installed.
- Configure Baseline: Ensure the site is currently using the default (modern) jQuery.
wp option get jquery_migrate_helper_version(Should return nothing or 'default').
- User Creation:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
7. Expected Results
- HTTP Response: 200 OK, likely returning a JSON success message or
1. - System Change: The WordPress option responsible for the jQuery version is updated.
- Frontend Change: Script tags in the site source will now point to
/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1(legacy) instead of modern versions.
8. Verification Steps
- Check Option Value:
A successful exploit will returnwp option get jquery_migrate_helper_versionlegacy(or the specific internal value used by the plugin to represent the old version). - Check Enqueued Scripts:
Fetch the homepage and check the jQuery version:# Using the http_request tool on the homepage # Look for jquery.js?ver=1.12.4-wp
9. Alternative Approaches
If the direct action downgrade_jquery_version fails:
- Search for settings saves: The plugin might use a general settings saving AJAX action that lacks capability checks. Look for
wp_ajax_save_jquery_migrate_settings. - Action Guessing: If the nonce action name is different, grep the plugin source for
wp_create_nonceto find the correct action string required forcheck_ajax_referer. - Parameter Variation: The function might expect
version=legacyas an explicit POST parameter.- Payload:
action=downgrade_jquery_version&_ajax_nonce=...&version=legacy(inferred).
- Payload:
Summary
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in its AJAX handler for downgrading jQuery. This allows authenticated users with Subscriber-level access to downgrade the site-wide jQuery library to a legacy version (1.12.4-wp) which contains known security vulnerabilities.
Vulnerable Code
// class-enable-jquery-migrate-helper.php (inferred from research plan) add_action( 'wp_ajax_downgrade_jquery_version', array( $this, 'downgrade_jquery_version' ) ); --- public function downgrade_jquery_version() { // Only verifies the nonce, not user capabilities check_ajax_referer( 'jquery-migrate-downgrade', 'nonce' ); update_option( 'jquery_migrate_helper_version', 'legacy' ); wp_send_json_success(); }
Security Fix
@@ -XX,6 +XX,10 @@ public function downgrade_jquery_version() { check_ajax_referer( 'jquery-migrate-downgrade', 'nonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'You do not have permission to perform this action.', 'enable-jquery-migrate-helper' ) ); + } + update_option( 'jquery_migrate_helper_version', 'legacy' ); wp_send_json_success(); }
Exploit Outline
The exploit leverages a missing capability check in the 'downgrade_jquery_version' AJAX action. An authenticated Subscriber first retrieves a valid nonce (likely 'jquery-migrate-downgrade') by inspecting localized JavaScript variables in the admin dashboard (e.g., window.jquery_migrate_helper). The attacker then sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'downgrade_jquery_version' and the retrieved nonce. This successfully updates the site configuration to load the legacy jQuery version 1.12.4-wp for all users.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.