Flowbox <= 1.1.5 - Missing Authorization
Description
The Flowbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
This research plan outlines the process for identifying and exploiting the Missing Authorization vulnerability in the Flowbox WordPress plugin (CVE-2025-49338). ### 1. Vulnerability Summary The Flowbox plugin for WordPress (versions <= 1.1.5) fails to implement proper authorization checks (e.g., `c…
Show full research plan
This research plan outlines the process for identifying and exploiting the Missing Authorization vulnerability in the Flowbox WordPress plugin (CVE-2025-49338).
1. Vulnerability Summary
The Flowbox plugin for WordPress (versions <= 1.1.5) fails to implement proper authorization checks (e.g., current_user_can()) in one or more functions reachable via WordPress AJAX or REST API endpoints. This allows unauthenticated users to trigger actions intended for administrators, such as modifying plugin settings, clearing caches, or updating API credentials.
2. Attack Vector Analysis
- Endpoint:
https://<target>/wp-admin/admin-ajax.php(inferred) or a REST API route underwp-json/flowbox/v1/(inferred). - Action/Hook: The vulnerability likely resides in an AJAX handler registered with
wp_ajax_nopriv_or awp_ajax_handler that lacks a capability check. - Authentication: None required (unauthenticated).
- Preconditions: The plugin must be active. A valid WordPress nonce may be required if the handler calls
check_ajax_referer()orwp_verify_nonce().
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX action in its main class (likely
class-flowbox.phporincludes/admin/class-admin.php):add_action( 'wp_ajax_nopriv_<action_name>', array( $this, 'vulnerable_function' ) ); - Entry Point: An unauthenticated POST request is sent to
admin-ajax.phpwithaction=<action_name>. - Vulnerable Sink: The
vulnerable_functionexecutes without callingcurrent_user_can( 'manage_options' ). - Impact: The function performs an operation like
update_option( 'flowbox_settings', ... ), allowing the attacker to alter plugin configuration.
4. Nonce Acquisition Strategy
If the vulnerable function requires a nonce (e.g., via check_ajax_referer), it is likely exposed to the frontend via wp_localize_script.
- Identify the Shortcode: Search the codebase for
add_shortcode. Flowbox likely uses a shortcode to display galleries (e.g.,[flowbox]). - Create a Trigger Page:
wp post create --post_type=page --post_status=publish --post_title="Flowbox Test" --post_content='[flowbox]' - Navigate and Extract: Use the
browser_navigatetool to go to the newly created page. - Extract Nonce: Search for the JS object containing the nonce.
- Inferred Script Handle:
flowbox-jsorflowbox-admin. - Inferred JS Variable:
window.flowbox_vars?.nonceorwindow.flowbox_params?.ajax_nonce. - Execution:
browser_eval("window.flowbox_vars?.nonce")
- Inferred Script Handle:
5. Exploitation Strategy
Assuming the vulnerability allows updating plugin settings (a common "Missing Authorization" pattern for this plugin type):
- Search for Action Names:
Rungrep -r "wp_ajax_nopriv" .in the plugin directory to find potential unauthenticated actions.- Candidate Action (Inferred):
flowbox_save_settingsorflowbox_update_config.
- Candidate Action (Inferred):
- Construct Payload:
Prepare a POST request toadmin-ajax.php.- URL:
https://<target>/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=<action_name>&nonce=<extracted_nonce>&settings[flowbox_api_key]=MALICIOUS_KEY&settings[flowbox_username]=attacker_account
- URL:
- Execute Request: Use the
http_requesttool to send the payload.
6. Test Data Setup
- Install and activate Flowbox <= 1.1.5.
- Configure a dummy API key in the legitimate admin settings to establish a baseline.
- Create a public page containing the Flowbox shortcode to ensure nonces are generated and accessible to unauthenticated visitors.
7. Expected Results
- Response: The server returns a
200 OKresponse, potentially with a JSON body like{"success": true}or1. - State Change: The plugin's internal settings (stored in the
wp_optionstable) are updated with the attacker-supplied values.
8. Verification Steps
After the exploit attempt, verify the change using WP-CLI:
# Check the specific option name used by the plugin
wp option get flowbox_settings
# OR if settings are individual
wp option get flowbox_api_key
If the output matches the MALICIOUS_KEY provided in the payload, the exploit is successful.
9. Alternative Approaches
- REST API: If no
wp_ajaxactions are found, checkregister_rest_route. Search for routes wherepermission_callbackis missing or returns__return_true. - Parameter Fuzzing: If the action name is found but the parameters are unknown, inspect the callback function in the source code to identify which keys it reads from
$_POSTor$_REQUEST. - Unauthenticated Option Update: Check if the function uses
update_option()on a variable directly controlled by$_POSTwithout filtering (this could also lead to more severe impacts).
Summary
The Flowbox plugin for WordPress (versions up to and including 1.1.5) fails to implement authorization checks on AJAX handlers registered for unauthenticated users. This allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings or updating API credentials, by sending requests to the admin-ajax.php endpoint.
Vulnerable Code
// Inferred from Research Plan: Registration of unauthenticated AJAX handler add_action( 'wp_ajax_nopriv_<action_name>', array( $this, 'vulnerable_function' ) ); --- // Inferred from Research Plan: Vulnerable callback function lacking current_user_can() public function vulnerable_function() { // Function body lacks capability checks and executes sensitive logic update_option( 'flowbox_settings', $_POST['settings'] ); }
Security Fix
@@ -10,6 +10,11 @@ public function vulnerable_function() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( 'Unauthorized', 403 ); + } + + check_ajax_referer( 'flowbox_nonce', 'nonce' ); + $settings = $_POST['settings']; update_option( 'flowbox_settings', $settings ); wp_send_json_success();
Exploit Outline
To exploit this vulnerability, an attacker first identifies a page on the target site containing a Flowbox shortcode to retrieve a valid security nonce, typically exposed via a JavaScript object like window.flowbox_vars. They then identify an AJAX action registered without capability checks, such as those intended for saving settings or updating configuration. The attacker sends an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable hook, the extracted 'nonce', and a payload containing malicious configuration values (e.g., an attacker-controlled API key). If successful, the server updates the plugin's settings in the database, granting the attacker control over the plugin's behavior.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.