CVE-2026-24566

iNET Webkit <= 1.2.4 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: Unpatched
Time to patch: N/A

Description

The iNET Webkit plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.2.4
Published: January 21, 2026
Last updated: January 27, 2026
Affected plugin: inet-webkit
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-24566 (iNET Webkit)

1. Vulnerability Summary

The iNET Webkit plugin (versions <= 1.2.4) contains a missing authorization vulnerability. While the plugin registers several AJAX actions and admin functions, at least one critical function fails to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows an authenticated attacker with Contributor-level permissions to invoke the function and perform unauthorized actions, such as modifying plugin settings or site configurations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: Likely prefixed with inet_webkit_ (e.g., wp_ajax_inet_webkit_save_settings or wp_ajax_inet_webkit_update_options) (inferred).
  • HTTP Method: POST
  • Authentication: Contributor-level account required.
  • Payload Parameters:
    • action: The vulnerable AJAX action string.
    • _ajax_nonce or nonce: The CSRF token (if enforced).
    • Data parameters: Key-value pairs corresponding to options or settings the function modifies.

3. Code Flow (Inferred)

  1. Entry Point: An authenticated user (Contributor) sends a POST request to admin-ajax.php.
  2. Hook Trigger: WordPress triggers the wp_ajax_inet_webkit_... hook registered in the plugin's main initialization (likely in inet-webkit.php or an included admin class).
  3. Vulnerable Function: The callback function executes. It likely calls check_ajax_referer() but fails to call current_user_can().
  4. Data Sink: The function processes user-supplied input from $_POST and passes it to a function like update_option() or update_site_option().
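The handler shape inferred in steps 3 and 4, written out as an added PHP illustration. This is not the iNET Webkit plugin's code: every name in it (the example_* functions, the 'example_save_settings' action, the option keys, the nonce action and the settings-page slug) is a hypothetical placeholder. The vulnerable form verifies the nonce and nothing else; the hardened form adds the capability check, restricts writes to an allow-list of the plugin's own options, and localizes the nonce only on a screen registered with manage_options, so a Contributor never finds it in any dashboard page source.

```php
<?php
// Added illustration of the handler pattern inferred above; not the iNET
// Webkit plugin's code. All names (example_* functions, the 'example_save_settings'
// action, option keys, nonce action, settings slug) are hypothetical placeholders.

// --- Vulnerable shape: CSRF is covered, authorization is not. Any logged-in
// --- user who can read the nonce from a dashboard page reaches update_option().
function example_save_settings_vulnerable() {
    check_ajax_referer( 'example_settings_action', 'security' ); // nonce only
    // No current_user_can() check here: the defect the advisory describes.
    $name  = sanitize_key( $_POST['option_name'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value ); // any option name accepted: the data sink
    wp_send_json_success();
}

// --- Hardened shape: nonce, capability, and an allow-list of writable keys.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    check_ajax_referer( 'example_settings_action', 'security' );        // 1. CSRF
    if ( ! current_user_can( 'manage_options' ) ) {                      // 2. authorization
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $allowed = array( 'example_plugin_enabled', 'example_plugin_mode' ); // 3. allow-list
    $name    = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown setting.' ), 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}

// --- Nonce exposure: localize the nonce only on the plugin's own settings
// --- screen. The screen is registered with manage_options, so for a Contributor
// --- add_options_page() returns false and the hook suffix never matches.
$example_settings_hook = '';
add_action( 'admin_menu', function () use ( &$example_settings_hook ) {
    $example_settings_hook = add_options_page(
        'Example Settings', 'Example', 'manage_options', 'example-settings', 'example_render_settings_page'
    );
} );
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) use ( &$example_settings_hook ) {
    if ( $hook_suffix !== $example_settings_hook ) {
        return; // not our screen: no script, no nonce in the page source
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'example_obj', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_settings_action' ),
    ) );
} );
function example_render_settings_page() {
    echo '<div class="wrap"><h1>Example Settings</h1></div>';
}
```

The two checks are independent: check_ajax_referer() proves the request came from a page that was served the nonce, current_user_can() proves the user is allowed to perform the action. A nonce alone never establishes authorization, which is exactly why the vulnerable shape fails at Contributor level.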

4. Nonce Acquisition Strategy

If the vulnerable function validates a nonce, it is likely localized for use in the WordPress admin dashboard (where Contributors have access).

  1. Search for Localized Data: The agent should search the plugin source for wp_localize_script.
    • Command: grep -r "wp_localize_script" .
  2. Identify Variable and Key: Look for a JavaScript object containing a nonce or security key.
    • Target Example: wp_localize_script( 'inet-webkit-admin', 'inet_webkit_obj', [ 'nonce' => wp_create_nonce('inet_webkit_action') ] );
  3. Extraction via Browser:
    • Log in as a Contributor.
    • Navigate to the WordPress Dashboard (/wp-admin/).
    • Use browser_eval to extract the nonce:
      browser_eval("window.inet_webkit_obj?.nonce") (Replace inet_webkit_obj with the actual variable name found).

5. Exploitation Strategy

Step 1: Discover the Vulnerable Action

Since source files are not provided, the agent must first identify the target AJAX action:

  • Search for all wp_ajax_ hooks in the plugin directory.
  • Filter for actions that do not have an accompanying current_user_can check in their callback function.
  • Command: grep -rn "add_action.*wp_ajax_" . then inspect the callback functions.

Step 2: Formulate the Payload

Assuming the vulnerability allows updating settings (based on the "Integrity: Low" CVSS score):

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body: action=inet_webkit_save_settings&security=NONCE_HERE&option_name=default_role&option_value=administrator (Note: Overwriting core WordPress options like default_role is a common high-impact outcome of settings-injection).

Step 3: Execute Request

Use the http_request tool to send the payload from the context of the Contributor user.

6. Test Data Setup

  1. Install Plugin: Ensure inet-webkit version 1.2.4 is installed and active.
  2. Create Contributor User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  3. Identify Target Option: Pick a plugin-specific option or a general WordPress option to modify for the PoC.

7. Expected Results

  • Response: A 200 OK or a JSON success response (e.g., {"success": true}).
  • State Change: The targeted WordPress option in the wp_options table is updated to the value provided in the payload.
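A defender-side counterpart to that expected state change, as an added must-use plugin illustration that is not part of this page's research plan or of the iNET Webkit plugin. It logs any change to a high-impact core option made in a request whose user lacks manage_options, and refuses a default_role write from such an AJAX request before it reaches the database. The watch list and the log line format are constructed for the example.

```php
<?php
/**
 * Plugin Name: Example Option Watch (mu-plugin)
 * Added illustration for site defenders; not part of the iNET Webkit plugin.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Constructed watch list: core options whose overwrite by a non-administrator
// is the kind of state change a missing-authorization settings sink produces.
function example_watched_options() {
    return array( 'default_role', 'users_can_register', 'admin_email', 'siteurl', 'home', 'active_plugins' );
}

// Decide whether an option write should be reported: a watched option changed
// by a request whose user does not hold manage_options.
function example_should_report( $option, $user_can_manage_options ) {
    return in_array( $option, example_watched_options(), true ) && ! $user_can_manage_options;
}

// Log after the fact. 'updated_option' fires only when the stored value changed.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( ! example_should_report( $option, current_user_can( 'manage_options' ) ) ) {
        return;
    }
    $user  = wp_get_current_user();
    $entry = sprintf(
        '[option-watch] option=%s user_id=%d login=%s ajax=%s action=%s old=%s new=%s ip=%s',
        $option,
        $user->ID,
        $user->user_login,
        wp_doing_ajax() ? 'yes' : 'no',
        sanitize_key( $_REQUEST['action'] ?? '' ), // the admin-ajax action string, if any
        wp_json_encode( $old_value ),
        wp_json_encode( $value ),
        $_SERVER['REMOTE_ADDR'] ?? 'n/a'
    );
    error_log( $entry ); // PHP error log, or wp-content/debug.log with WP_DEBUG_LOG
}, 10, 3 );

// Contain the highest-impact case before it lands: a default_role write from an
// AJAX request lacking manage_options is answered with the old value, which
// makes update_option() a no-op. The wp_doing_ajax() guard leaves WP-CLI and
// cron untouched; widen it if the affected sink is reachable another way.
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
    if ( wp_doing_ajax() && ! current_user_can( 'manage_options' ) ) {
        return $old_value;
    }
    return $value;
}, 10, 2 );
```

With this in place, a Contributor-level request that reaches an unprotected settings sink produces a [option-watch] line naming the user, the admin-ajax action and the before/after values, which is the evidence to pair with a wp option get check; the filter is a stop-gap until the plugin is updated or removed.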

8. Verification Steps

  1. Check via WP-CLI:
    Verify if the option was changed.
    wp option get <targeted_option_name>
  2. Check Database:
    wp db query "SELECT option_value FROM wp_options WHERE option_name = '<targeted_option_name>'"

9. Alternative Approaches

  • If no settings update is found: Look for actions related to "cleanup," "import/export," or "logging." These often lack capability checks and allow unauthorized data deletion or information disclosure.
  • If the nonce check is missing: The attack can be performed without any prior extraction, making it vulnerable to CSRF by higher-privileged users as well.
  • If localized on specific pages: If the nonce is only loaded on a specific settings page, the Contributor may not be able to access that page. Check if the plugin registers a shortcode that can be placed on a post by a Contributor to force the script/nonce to load.
    • wp post create --post_type=post --post_status=publish --post_content='[inet_webkit_shortcode]'
    • Then navigate to the post URL to extract the nonce.

Research Findings
Static analysis — not yet PoC-verified

Summary

The iNET Webkit plugin for WordPress is vulnerable to unauthorized access in versions up to and including 1.2.4 due to missing capability checks on its AJAX functions. This allows authenticated attackers with contributor-level access or higher to perform unauthorized actions, such as modifying plugin settings or site configurations.

Exploit Outline

  1. Authenticate as a Contributor-level user.
  2. Identify the target AJAX action (likely prefixed with 'inet_webkit_') and its corresponding nonce from the admin dashboard's localized scripts.
  3. Submit a POST request to '/wp-admin/admin-ajax.php' with the 'action' and 'security' parameters along with the desired configuration payload.
  4. The server executes the administrative function because it validates the nonce but fails to verify the user's capabilities via 'current_user_can()'.
