Hide Plugins <= 1.0.4 - Missing Authorization
Description
The Hide Plugins plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.4# Exploitation Research Plan: CVE-2025-62115 (Hide Plugins) ## 1. Vulnerability Summary **CVE-2025-62115** is a missing authorization vulnerability in the **Hide Plugins** plugin for WordPress (versions <= 1.0.4). The plugin implements AJAX handlers or admin functions to manage which plugins are vi…
Show full research plan
Exploitation Research Plan: CVE-2025-62115 (Hide Plugins)
1. Vulnerability Summary
CVE-2025-62115 is a missing authorization vulnerability in the Hide Plugins plugin for WordPress (versions <= 1.0.4). The plugin implements AJAX handlers or admin functions to manage which plugins are visible in the WordPress administrative interface. Due to a failure to verify the user's capabilities (missing current_user_can() check), any authenticated user, including those with Subscriber roles, can trigger these functions to modify the visibility settings of installed plugins.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
wp_ajax_hp_hide_pluginorwp_ajax_hide_plugins_save(inferred - needs verification in source). - HTTP Method: POST
- Authentication: Authenticated (Subscriber level and above).
- Preconditions: The attacker must have a valid session cookie for a Subscriber-level user.
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX action for authenticated users using
add_action( 'wp_ajax_...', 'callback_function' ). - Execution: When a request is sent to
admin-ajax.phpwith the correspondingactionparameter, thecallback_functionis executed. - Vulnerability: The
callback_functionlikely performs a nonce check usingcheck_ajax_referer(), but fails to perform a capability check likecurrent_user_can( 'manage_options' ). - Sink: The function proceeds to update the plugin's settings, typically stored in the
wp_optionstable (e.g., an option namedhp_hidden_plugins), effectively hiding or unhiding plugins for all administrators.
4. Nonce Acquisition Strategy
The plugin likely uses wp_localize_script to pass a nonce to the admin dashboard. Since Subscribers can access /wp-admin/profile.php, any scripts enqueued for the admin area may expose the nonce there.
- Identify JS Variable: Search the plugin source for
wp_localize_scriptto find the object name (e.g.,hp_ajax_obj) and the nonce key (e.g.,nonceorhp_nonce). - Find the Action: Identify the action string used in
wp_create_nonce('action_string')to ensure it matches the verification in the AJAX handler. - Acquisition Steps:
- Log in as a Subscriber.
- Navigate to
/wp-admin/profile.php. - Use
browser_evalto extract the nonce:// Example (adjust object/key names based on search) window.hp_ajax_obj?.nonce || window.hide_plugins_data?.nonce
5. Exploitation Strategy
The goal is to hide a critical plugin (e.g., a security plugin or the "Hide Plugins" plugin itself) from the administrator's view.
- Preparation: Identify the "slug/main-file.php" of a plugin to hide (e.g.,
akismet/akismet.php). - Request Construction:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Body Parameters (inferred):
action: (The identified AJAX action, e.g.,hp_hide_plugin)nonce: (The extracted nonce)plugin:akismet/akismet.phpstatus:hide(or similar toggle parameter)
- URL:
6. Test Data Setup
- Target Plugin: Ensure at least one other plugin is active (e.g., Akismet).
- Attacker Account:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password
- Plugin Installation: Install and activate Hide Plugins version 1.0.4.
7. Expected Results
- Response: The server should return a
200 OKor a JSON success message (e.g.,{"success":true}). - Impact: When an administrator visits the
/wp-admin/plugins.phppage, the targeted plugin (Akismet) should no longer appear in the list, despite being installed and active.
8. Verification Steps
- Check Option via CLI:
# Check the option where hidden plugins are stored wp option get hp_hidden_plugins - Verify UI (Admin view):
- Log in as administrator.
- Navigate to the Plugins page and verify the "missing" plugin.
- Confirm Role: Ensure the
attackeruser still only has thesubscriberrole.
9. Alternative Approaches
- Generic Settings Update: If the plugin uses a generic settings save function (e.g.,
hp_save_settings), try sending the entire array of plugins to hide. - REST API: Check if the plugin registers any REST API routes (
register_rest_route) withpermission_callbackset to__return_trueor missing entirely. - Direct Option Manipulation: If the action allows arbitrary option updates (unlikely but possible), attempt to modify other WordPress settings.
Summary
The Hide Plugins plugin for WordPress (versions up to and including 1.0.4) is vulnerable to missing authorization checks in its AJAX handlers. This flaw enables authenticated attackers, including those with Subscriber-level permissions, to hide or unhide plugins in the WordPress administrative interface, potentially obscuring security tools or malicious components from administrators.
Exploit Outline
An attacker first authenticates as a Subscriber-level user and retrieves a valid security nonce from the WordPress admin dashboard (where it is typically enqueued via scripts). They then send a POST request to the '/wp-admin/admin-ajax.php' endpoint with an 'action' parameter corresponding to the plugin's visibility toggle (e.g., 'hp_hide_plugin') and the target plugin's slug. Because the plugin's backend callback function does not perform a capability check like 'current_user_can('manage_options')', the request is processed, updating the hidden plugins list in the site's options regardless of the user's actual permissions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.