Intranet & Private Site – All-In-One Intranet <= 1.8.1 - Missing Authorization
Description
The Intranet & Private Site – All-In-One Intranet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.8.1What Changed in the Fix
Changes introduced in v1.9.0
Source Code
WordPress.org SVNThis research plan outlines the steps required to analyze and exploit **CVE-2026-54837**, a missing authorization vulnerability in the **All-In-One Intranet** plugin. --- ### 1. Vulnerability Summary The **All-In-One Intranet** plugin (versions <= 1.8.1) fails to implement proper capability checks…
Show full research plan
This research plan outlines the steps required to analyze and exploit CVE-2026-54837, a missing authorization vulnerability in the All-In-One Intranet plugin.
1. Vulnerability Summary
The All-In-One Intranet plugin (versions <= 1.8.1) fails to implement proper capability checks or nonce verification within its settings-handling logic. Specifically, the aioi_admin_init function, which is hooked to admin_init, processes configuration updates without verifying if the requesting user has administrative privileges. Because admin_init is triggered during requests to /wp-admin/admin-post.php (which is accessible to unauthenticated users), an attacker can modify plugin settings remotely.
The most critical impact is the ability to disable the "Force site to be entirely private" setting, effectively making a private corporate intranet public.
2. Attack Vector Analysis
- Target Endpoint:
/wp-admin/admin-post.php - Trigger Hook:
admin_init->aioi_admin_init - Vulnerable Parameter:
aioi_options(array) - Required Authentication: None (Unauthenticated)
- Preconditions: The plugin must be active and the site must currently be set to "Private" (the default behavior).
3. Code Flow
- Entry Point: An unauthenticated attacker sends a
POSTrequest to/wp-admin/admin-post.php. - WordPress Loading: WordPress initializes and identifies the request as being in the
is_admin()context (since it is targeting a file in/wp-admin/). - Hook Execution: The
admin_inithook fires. - Plugin Logic: The
core_all_in_one_intranet::aioi_admin_init()function (registered incore/core_all_in_one_intranet.php) is executed. - Missing Check: The function checks if
$_POST['aioi_options'](or a similar trigger likeaioi_save_settings) is set. It fails to checkcurrent_user_can('manage_options')orcheck_admin_referer(). - State Change: The function calls
update_option( 'aioi_options', $_POST['aioi_options'] ). - Sink: In the next request,
aioi_template_redirect()callsget_option_aioi(), findsaioi_privatesiteisfalse, and permits public access to the site.
4. Nonce Acquisition Strategy
This vulnerability is classified as Missing Authorization, which typically includes a lack of CSRF protection (nonces). Based on the unauthenticated nature of the vulnerability (PR:N), no nonce is required for exploitation. The logic in aioi_admin_init likely proceeds directly to update_option if the correct POST parameters are present.
5. Exploitation Strategy
The goal is to overwrite the aioi_options array and set aioi_privatesite to 0 (false).
Step 1: Identify the exact POST structure
The plugin expects an array for aioi_options. We will send a POST request that mimics a settings submission.
Step 2: Construct the Payload
- URL:
http://<target>/wp-admin/admin-post.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note:aioi_options[aioi_privatesite]=0&aioi_options[aioi_autologout_time]=0&aioi_save_settings=1aioi_save_settingsis an inferred trigger name common in this plugin's era; if it fails, the agent should attempt the request with only the array).
Step 3: Execute Request
Use the http_request tool to send the payload.
6. Test Data Setup
- Install Plugin:
wp plugin install all-in-one-intranet --version=1.8.1 --activate - Ensure Private Mode: By default, the plugin enables privacy. Confirm by attempting to curl the homepage:
curl -I http://localhost/(Should result in a302 Redirecttowp-login.php). - Configure Options: If necessary, ensure the options exist in the database:
wp option update aioi_options '{"aioi_privatesite":true,"aioi_autologout_time":0}' --format=json
7. Expected Results
- HTTP Response: The request to
admin-post.phpmay return a302redirect or a200with "Settings saved" (based on line 854 ofcore_all_in_one_intranet.php). - Site State: The site is no longer private. Navigating to the homepage unauthenticated returns a
200 OKand reveals the content.
8. Verification Steps
After sending the exploit, verify the change
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.