CVE-2026-54837

Intranet & Private Site – All-In-One Intranet <= 1.8.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.9.0
Patched in
6d
Time to patch

Description

The Intranet & Private Site – All-In-One Intranet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.8.1
PublishedJune 18, 2026
Last updatedJune 23, 2026
Affected pluginall-in-one-intranet

What Changed in the Fix

Changes introduced in v1.9.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps required to analyze and exploit **CVE-2026-54837**, a missing authorization vulnerability in the **All-In-One Intranet** plugin. --- ### 1. Vulnerability Summary The **All-In-One Intranet** plugin (versions <= 1.8.1) fails to implement proper capability checks…

Show full research plan

This research plan outlines the steps required to analyze and exploit CVE-2026-54837, a missing authorization vulnerability in the All-In-One Intranet plugin.


1. Vulnerability Summary

The All-In-One Intranet plugin (versions <= 1.8.1) fails to implement proper capability checks or nonce verification within its settings-handling logic. Specifically, the aioi_admin_init function, which is hooked to admin_init, processes configuration updates without verifying if the requesting user has administrative privileges. Because admin_init is triggered during requests to /wp-admin/admin-post.php (which is accessible to unauthenticated users), an attacker can modify plugin settings remotely.

The most critical impact is the ability to disable the "Force site to be entirely private" setting, effectively making a private corporate intranet public.

2. Attack Vector Analysis

  • Target Endpoint: /wp-admin/admin-post.php
  • Trigger Hook: admin_init -> aioi_admin_init
  • Vulnerable Parameter: aioi_options (array)
  • Required Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active and the site must currently be set to "Private" (the default behavior).

3. Code Flow

  1. Entry Point: An unauthenticated attacker sends a POST request to /wp-admin/admin-post.php.
  2. WordPress Loading: WordPress initializes and identifies the request as being in the is_admin() context (since it is targeting a file in /wp-admin/).
  3. Hook Execution: The admin_init hook fires.
  4. Plugin Logic: The core_all_in_one_intranet::aioi_admin_init() function (registered in core/core_all_in_one_intranet.php) is executed.
  5. Missing Check: The function checks if $_POST['aioi_options'] (or a similar trigger like aioi_save_settings) is set. It fails to check current_user_can('manage_options') or check_admin_referer().
  6. State Change: The function calls update_option( 'aioi_options', $_POST['aioi_options'] ).
  7. Sink: In the next request, aioi_template_redirect() calls get_option_aioi(), finds aioi_privatesite is false, and permits public access to the site.

4. Nonce Acquisition Strategy

This vulnerability is classified as Missing Authorization, which typically includes a lack of CSRF protection (nonces). Based on the unauthenticated nature of the vulnerability (PR:N), no nonce is required for exploitation. The logic in aioi_admin_init likely proceeds directly to update_option if the correct POST parameters are present.

5. Exploitation Strategy

The goal is to overwrite the aioi_options array and set aioi_privatesite to 0 (false).

Step 1: Identify the exact POST structure
The plugin expects an array for aioi_options. We will send a POST request that mimics a settings submission.

Step 2: Construct the Payload

  • URL: http://<target>/wp-admin/admin-post.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    aioi_options[aioi_privatesite]=0&aioi_options[aioi_autologout_time]=0&aioi_save_settings=1
    
    (Note: aioi_save_settings is an inferred trigger name common in this plugin's era; if it fails, the agent should attempt the request with only the array).

Step 3: Execute Request
Use the http_request tool to send the payload.

6. Test Data Setup

  1. Install Plugin: wp plugin install all-in-one-intranet --version=1.8.1 --activate
  2. Ensure Private Mode: By default, the plugin enables privacy. Confirm by attempting to curl the homepage:
    curl -I http://localhost/ (Should result in a 302 Redirect to wp-login.php).
  3. Configure Options: If necessary, ensure the options exist in the database:
    wp option update aioi_options '{"aioi_privatesite":true,"aioi_autologout_time":0}' --format=json

7. Expected Results

  • HTTP Response: The request to admin-post.php may return a 302 redirect or a 200 with "Settings saved" (based on line 854 of core_all_in_one_intranet.php).
  • Site State: The site is no longer private. Navigating to the homepage unauthenticated returns a 200 OK and reveals the content.

8. Verification Steps

After sending the exploit, verify the change

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.