CVE-2025-62115

Hide Plugins <= 1.0.4 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Hide Plugins plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.4
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginhide-plugins
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-62115 (Hide Plugins) ## 1. Vulnerability Summary **CVE-2025-62115** is a missing authorization vulnerability in the **Hide Plugins** plugin for WordPress (versions <= 1.0.4). The plugin implements AJAX handlers or admin functions to manage which plugins are vi…

Show full research plan

Exploitation Research Plan: CVE-2025-62115 (Hide Plugins)

1. Vulnerability Summary

CVE-2025-62115 is a missing authorization vulnerability in the Hide Plugins plugin for WordPress (versions <= 1.0.4). The plugin implements AJAX handlers or admin functions to manage which plugins are visible in the WordPress administrative interface. Due to a failure to verify the user's capabilities (missing current_user_can() check), any authenticated user, including those with Subscriber roles, can trigger these functions to modify the visibility settings of installed plugins.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wp_ajax_hp_hide_plugin or wp_ajax_hide_plugins_save (inferred - needs verification in source).
  • HTTP Method: POST
  • Authentication: Authenticated (Subscriber level and above).
  • Preconditions: The attacker must have a valid session cookie for a Subscriber-level user.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX action for authenticated users using add_action( 'wp_ajax_...', 'callback_function' ).
  2. Execution: When a request is sent to admin-ajax.php with the corresponding action parameter, the callback_function is executed.
  3. Vulnerability: The callback_function likely performs a nonce check using check_ajax_referer(), but fails to perform a capability check like current_user_can( 'manage_options' ).
  4. Sink: The function proceeds to update the plugin's settings, typically stored in the wp_options table (e.g., an option named hp_hidden_plugins), effectively hiding or unhiding plugins for all administrators.

4. Nonce Acquisition Strategy

The plugin likely uses wp_localize_script to pass a nonce to the admin dashboard. Since Subscribers can access /wp-admin/profile.php, any scripts enqueued for the admin area may expose the nonce there.

  1. Identify JS Variable: Search the plugin source for wp_localize_script to find the object name (e.g., hp_ajax_obj) and the nonce key (e.g., nonce or hp_nonce).
  2. Find the Action: Identify the action string used in wp_create_nonce('action_string') to ensure it matches the verification in the AJAX handler.
  3. Acquisition Steps:
    • Log in as a Subscriber.
    • Navigate to /wp-admin/profile.php.
    • Use browser_eval to extract the nonce:
      // Example (adjust object/key names based on search)
      window.hp_ajax_obj?.nonce || window.hide_plugins_data?.nonce
      

5. Exploitation Strategy

The goal is to hide a critical plugin (e.g., a security plugin or the "Hide Plugins" plugin itself) from the administrator's view.

  1. Preparation: Identify the "slug/main-file.php" of a plugin to hide (e.g., akismet/akismet.php).
  2. Request Construction:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body Parameters (inferred):
      • action: (The identified AJAX action, e.g., hp_hide_plugin)
      • nonce: (The extracted nonce)
      • plugin: akismet/akismet.php
      • status: hide (or similar toggle parameter)

6. Test Data Setup

  1. Target Plugin: Ensure at least one other plugin is active (e.g., Akismet).
  2. Attacker Account:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  3. Plugin Installation: Install and activate Hide Plugins version 1.0.4.

7. Expected Results

  • Response: The server should return a 200 OK or a JSON success message (e.g., {"success":true}).
  • Impact: When an administrator visits the /wp-admin/plugins.php page, the targeted plugin (Akismet) should no longer appear in the list, despite being installed and active.

8. Verification Steps

  1. Check Option via CLI:
    # Check the option where hidden plugins are stored
    wp option get hp_hidden_plugins
    
  2. Verify UI (Admin view):
    • Log in as administrator.
    • Navigate to the Plugins page and verify the "missing" plugin.
  3. Confirm Role: Ensure the attacker user still only has the subscriber role.

9. Alternative Approaches

  • Generic Settings Update: If the plugin uses a generic settings save function (e.g., hp_save_settings), try sending the entire array of plugins to hide.
  • REST API: Check if the plugin registers any REST API routes (register_rest_route) with permission_callback set to __return_true or missing entirely.
  • Direct Option Manipulation: If the action allows arbitrary option updates (unlikely but possible), attempt to modify other WordPress settings.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Hide Plugins plugin for WordPress (versions up to and including 1.0.4) is vulnerable to missing authorization checks in its AJAX handlers. This flaw enables authenticated attackers, including those with Subscriber-level permissions, to hide or unhide plugins in the WordPress administrative interface, potentially obscuring security tools or malicious components from administrators.

Exploit Outline

An attacker first authenticates as a Subscriber-level user and retrieves a valid security nonce from the WordPress admin dashboard (where it is typically enqueued via scripts). They then send a POST request to the '/wp-admin/admin-ajax.php' endpoint with an 'action' parameter corresponding to the plugin's visibility toggle (e.g., 'hp_hide_plugin') and the target plugin's slug. Because the plugin's backend callback function does not perform a capability check like 'current_user_can('manage_options')', the request is processed, updating the hidden plugins list in the site's options regardless of the user's actual permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.