CVE-2025-49338

Flowbox <= 1.1.5 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Flowbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.5
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginflowbox
Research Plan
Unverified

This research plan outlines the process for identifying and exploiting the Missing Authorization vulnerability in the Flowbox WordPress plugin (CVE-2025-49338). ### 1. Vulnerability Summary The Flowbox plugin for WordPress (versions <= 1.1.5) fails to implement proper authorization checks (e.g., `c…

Show full research plan

This research plan outlines the process for identifying and exploiting the Missing Authorization vulnerability in the Flowbox WordPress plugin (CVE-2025-49338).

1. Vulnerability Summary

The Flowbox plugin for WordPress (versions <= 1.1.5) fails to implement proper authorization checks (e.g., current_user_can()) in one or more functions reachable via WordPress AJAX or REST API endpoints. This allows unauthenticated users to trigger actions intended for administrators, such as modifying plugin settings, clearing caches, or updating API credentials.

2. Attack Vector Analysis

  • Endpoint: https://<target>/wp-admin/admin-ajax.php (inferred) or a REST API route under wp-json/flowbox/v1/ (inferred).
  • Action/Hook: The vulnerability likely resides in an AJAX handler registered with wp_ajax_nopriv_ or a wp_ajax_ handler that lacks a capability check.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. A valid WordPress nonce may be required if the handler calls check_ajax_referer() or wp_verify_nonce().

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX action in its main class (likely class-flowbox.php or includes/admin/class-admin.php):
    add_action( 'wp_ajax_nopriv_<action_name>', array( $this, 'vulnerable_function' ) );
  2. Entry Point: An unauthenticated POST request is sent to admin-ajax.php with action=<action_name>.
  3. Vulnerable Sink: The vulnerable_function executes without calling current_user_can( 'manage_options' ).
  4. Impact: The function performs an operation like update_option( 'flowbox_settings', ... ), allowing the attacker to alter plugin configuration.

4. Nonce Acquisition Strategy

If the vulnerable function requires a nonce (e.g., via check_ajax_referer), it is likely exposed to the frontend via wp_localize_script.

  1. Identify the Shortcode: Search the codebase for add_shortcode. Flowbox likely uses a shortcode to display galleries (e.g., [flowbox]).
  2. Create a Trigger Page:
    wp post create --post_type=page --post_status=publish --post_title="Flowbox Test" --post_content='[flowbox]'
    
  3. Navigate and Extract: Use the browser_navigate tool to go to the newly created page.
  4. Extract Nonce: Search for the JS object containing the nonce.
    • Inferred Script Handle: flowbox-js or flowbox-admin.
    • Inferred JS Variable: window.flowbox_vars?.nonce or window.flowbox_params?.ajax_nonce.
    • Execution: browser_eval("window.flowbox_vars?.nonce")

5. Exploitation Strategy

Assuming the vulnerability allows updating plugin settings (a common "Missing Authorization" pattern for this plugin type):

  1. Search for Action Names:
    Run grep -r "wp_ajax_nopriv" . in the plugin directory to find potential unauthenticated actions.
    • Candidate Action (Inferred): flowbox_save_settings or flowbox_update_config.
  2. Construct Payload:
    Prepare a POST request to admin-ajax.php.
    • URL: https://<target>/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=<action_name>&nonce=<extracted_nonce>&settings[flowbox_api_key]=MALICIOUS_KEY&settings[flowbox_username]=attacker_account
  3. Execute Request: Use the http_request tool to send the payload.

6. Test Data Setup

  1. Install and activate Flowbox <= 1.1.5.
  2. Configure a dummy API key in the legitimate admin settings to establish a baseline.
  3. Create a public page containing the Flowbox shortcode to ensure nonces are generated and accessible to unauthenticated visitors.

7. Expected Results

  • Response: The server returns a 200 OK response, potentially with a JSON body like {"success": true} or 1.
  • State Change: The plugin's internal settings (stored in the wp_options table) are updated with the attacker-supplied values.

8. Verification Steps

After the exploit attempt, verify the change using WP-CLI:

# Check the specific option name used by the plugin
wp option get flowbox_settings
# OR if settings are individual
wp option get flowbox_api_key

If the output matches the MALICIOUS_KEY provided in the payload, the exploit is successful.

9. Alternative Approaches

  • REST API: If no wp_ajax actions are found, check register_rest_route. Search for routes where permission_callback is missing or returns __return_true.
  • Parameter Fuzzing: If the action name is found but the parameters are unknown, inspect the callback function in the source code to identify which keys it reads from $_POST or $_REQUEST.
  • Unauthenticated Option Update: Check if the function uses update_option() on a variable directly controlled by $_POST without filtering (this could also lead to more severe impacts).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Flowbox plugin for WordPress (versions up to and including 1.1.5) fails to implement authorization checks on AJAX handlers registered for unauthenticated users. This allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings or updating API credentials, by sending requests to the admin-ajax.php endpoint.

Vulnerable Code

// Inferred from Research Plan: Registration of unauthenticated AJAX handler
add_action( 'wp_ajax_nopriv_<action_name>', array( $this, 'vulnerable_function' ) );

---

// Inferred from Research Plan: Vulnerable callback function lacking current_user_can()
public function vulnerable_function() {
    // Function body lacks capability checks and executes sensitive logic
    update_option( 'flowbox_settings', $_POST['settings'] );
}

Security Fix

--- a/includes/admin/class-admin.php
+++ b/includes/admin/class-admin.php
@@ -10,6 +10,11 @@
 public function vulnerable_function() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
+
+    check_ajax_referer( 'flowbox_nonce', 'nonce' );
+
     $settings = $_POST['settings'];
     update_option( 'flowbox_settings', $settings );
     wp_send_json_success();

Exploit Outline

To exploit this vulnerability, an attacker first identifies a page on the target site containing a Flowbox shortcode to retrieve a valid security nonce, typically exposed via a JavaScript object like window.flowbox_vars. They then identify an AJAX action registered without capability checks, such as those intended for saving settings or updating configuration. The attacker sends an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable hook, the extracted 'nonce', and a payload containing malicious configuration values (e.g., an attacker-controlled API key). If successful, the server updates the plugin's settings in the database, granting the attacker control over the plugin's behavior.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.