CVE-2025-68505

H5P <= 1.16.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.16.2
Patched in
9d
Time to patch

Description

The Interactive Content – H5P plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.16.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.16.1
PublishedDecember 28, 2025
Last updatedJanuary 5, 2026
Affected pluginh5p

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

```markdown # Exploitation Research Plan - CVE-2025-68505 (H5P Missing Authorization) ## 1. Vulnerability Summary The **Interactive Content – H5P** plugin for WordPress (v1.16.1 and below) is vulnerable to missing authorization. Specifically, the function responsible for rebuilding the content cach…

Show full research plan
# Exploitation Research Plan - CVE-2025-68505 (H5P Missing Authorization)

## 1. Vulnerability Summary
The **Interactive Content – H5P** plugin for WordPress (v1.16.1 and below) is vulnerable to missing authorization. Specifically, the function responsible for rebuilding the content cache (likely `ajax_rebuild_cache`) is exposed via an AJAX action that does not verify user capabilities. This allows unauthenticated attackers to trigger a rebuild of H5P content caches, which involves database updates and server-side processing, potentially leading to resource exhaustion or unauthorized data modification (updating the `filter` state of content).

## 2. Attack Vector Analysis
- **Endpoint**: `wp-admin/admin-ajax.php`
- **Actions**: `h5p_rebuild_cache` and/or `h5p_embed_rebuild_cache`
- **Method**: POST
- **Parameters**: 
    - `action`: `h5p_rebuild_cache` or `h5p_embed_rebuild_cache`
    - `id`: The ID of the H5P content to rebuild.
    - `_nonce`: A WordPress nonce for the specific action.
- **Preconditions**: Unauthenticated attackers can obtain a valid nonce if H5P content is embedded on any public-facing page.

## 3. Code Flow
1.  **Registration**: In `public/class-h5p-plugin.php` or
Research Findings
Static analysis — not yet PoC-verified

Summary

The Interactive Content – H5P plugin for WordPress is vulnerable to missing authorization checks in its AJAX handlers for cache rebuilding. This allows unauthenticated attackers to trigger resource-intensive database updates and content processing by exploiting AJAX actions that lack sufficient capability verification.

Vulnerable Code

// admin/class-h5p-admin-ajax.php or similar AJAX handler file

/**
 * AJAX action to rebuild the content cache.
 */
public function ajax_rebuild_cache() {
  $id = filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);

  // Vulnerability: The function lacks a check like current_user_can('manage_h5p_content')
  // which allows any user (or unauthenticated users if nopriv is registered) 
  // to trigger the rebuild process.
  
  $this->rebuild_cache($id);
  wp_send_json_success();
}

---

// Registration logic likely found in public/class-h5p-plugin.php or admin/class-h5p-admin.php
add_action('wp_ajax_h5p_rebuild_cache', array($this, 'ajax_rebuild_cache'));
add_action('wp_ajax_nopriv_h5p_rebuild_cache', array($this, 'ajax_rebuild_cache'));

Security Fix

--- a/admin/class-h5p-admin-ajax.php
+++ b/admin/class-h5p-admin-ajax.php
@@ -102,6 +102,11 @@
    */
   public function ajax_rebuild_cache() {
+    if (!current_user_can('edit_h5p_contents')) {
+      wp_send_json_error(__('You do not have permission to perform this action.', 'h5p'));
+      return;
+    }
+
     $id = filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);
     if (!$id) {
       wp_send_json_error(__('Missing content ID.', 'h5p'));

Exploit Outline

To exploit this vulnerability, an attacker first identifies a target site running H5P <= 1.16.1. They locate a page with embedded H5P content to extract a valid nonce for the 'h5p_rebuild_cache' or 'h5p_embed_rebuild_cache' action, which is often leaked in the frontend JavaScript configuration. The attacker then sends a POST request to '/wp-admin/admin-ajax.php' with the parameters 'action=h5p_rebuild_cache', the acquired '_nonce', and a target content 'id'. Due to the lack of server-side capability checks, the plugin will perform the cache rebuild and database update for the specified ID regardless of the attacker's authentication status or privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.