Master Addons for Elementor <= 2.0.9.9.4 - Unauthenticated Insecure Direct Object Reference
Description
The Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9.9.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.0.9.9.4Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-63053 ## 1. Vulnerability Summary The **Master Addons for Elementor** plugin (up to version 2.0.9.9.4) contains an **Insecure Direct Object Reference (IDOR)** vulnerability in its settings-handling logic. The plugin registers AJAX handlers for updating plugin …
Show full research plan
Exploitation Research Plan: CVE-2025-63053
1. Vulnerability Summary
The Master Addons for Elementor plugin (up to version 2.0.9.9.4) contains an Insecure Direct Object Reference (IDOR) vulnerability in its settings-handling logic. The plugin registers AJAX handlers for updating plugin settings (including White Labeling features) without properly checking for administrative capabilities. By providing a user-controlled key in the request, an unauthenticated attacker can modify plugin configurations.
The core issue resides in the registration of wp_ajax_nopriv_ hooks for functions intended for administrative use, combined with a lack of current_user_can('manage_options') validation within the handler itself.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
jltma_save_white_label_settings(inferred) orjltma_save_settings(inferred). - Vulnerable Parameter:
jltma_white_label_settings(array) orfields(array). - Authentication: Unauthenticated (via
wp_ajax_nopriv_). - Preconditions: The "White Label" feature or general settings must be reachable via AJAX, and a valid nonce must be obtained from the frontend.
3. Code Flow
- Entry Point: The attacker sends a POST request to
admin-ajax.phpwith the actionjltma_save_white_label_settings. - Hook Registration: The plugin (likely in
inc/admin/dashboard/white-label.phpor a similar class) registers:add_action( 'wp_ajax_nopriv_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] ); - Nonce Verification: The function calls
check_ajax_referer( 'jltma_white_label_nonce', 'security' )or uses a generic nonce likejltma_nonce. - Missing Auth Check: The function proceeds to update the database without calling
current_user_can(). - Sink: The function calls
update_option( 'jltma_white_label_settings', $_POST['jltma_white_label_settings'] ). - Result: The attacker overwrites the plugin's branding settings, effectively "referencing" the settings object via the user-controlled POST keys.
4. Nonce Acquisition Strategy
Master Addons localizes settings and nonces into a global JavaScript object, usually named jltma_data. This object is often enqueued on the frontend if any Master Addons widgets are present on a page.
- Identify Script Loading: Find a page that uses a Master Addons widget (e.g., a simple button or heading).
- Setup Test Page:
wp post create --post_type=page --post_title="MA Test" --post_status=publish --post_content='[ma-el-button]' - Navigate and Extract:
- Use
browser_navigateto visit the newly created page. - Use
browser_evalto extract the nonce from thejltma_dataobject. - JS Path:
window.jltma_data?.nonceorwindow.master_addons_js_data?.nonce.
- Use
5. Exploitation Strategy
Step 1: Obtain Nonce
Access the frontend of the site where Master Addons is active and extract the nonce from the localized script data.
Step 2: Send Exploit Payload
Craft a POST request to admin-ajax.php to modify the White Label settings. We will attempt to change the "Plugin Name" and "Plugin Description" to demonstrate unauthorized modification.
- URL:
http://<target>/wp-admin/admin-ajax.php
Summary
The Master Addons for Elementor plugin is vulnerable to an unauthenticated Insecure Direct Object Reference (IDOR) that allows attackers to modify plugin settings, including White Label configurations. This occurs because the plugin exposes administrative settings-saving AJAX actions to unauthenticated users via 'wp_ajax_nopriv_' hooks without performing proper capability checks.
Vulnerable Code
// inc/admin/dashboard/white-label.php (approximate) add_action( 'wp_ajax_nopriv_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] ); add_action( 'wp_ajax_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] ); --- // inc/admin/dashboard/white-label.php (approximate) public function jltma_save_white_label_settings() { check_ajax_referer( 'jltma_white_label_nonce', 'security' ); if ( isset( $_POST['jltma_white_label_settings'] ) ) { // Vulnerability: Missing current_user_can('manage_options') check before updating global settings update_option( 'jltma_white_label_settings', $_POST['jltma_white_label_settings'] ); } wp_send_json_success(); }
Security Fix
@@ -1,5 +1,4 @@ -add_action( 'wp_ajax_nopriv_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] ); add_action( 'wp_ajax_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] ); public function jltma_save_white_label_settings() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Unauthorized' ] ); + } check_ajax_referer( 'jltma_white_label_nonce', 'security' );
Exploit Outline
1. Visit the frontend of a site running Master Addons for Elementor to find a page where the plugin's scripts are enqueued. 2. Extract the AJAX nonce from the localized JavaScript object (typically 'jltma_data' or 'master_addons_js_data') found in the HTML source. 3. Construct a POST request to '/wp-admin/admin-ajax.php' with the 'action' set to 'jltma_save_white_label_settings'. 4. Include the extracted nonce in the 'security' parameter. 5. Include a payload in the 'jltma_white_label_settings' parameter (e.g., an array containing new plugin names, branding strings, or display settings). 6. Send the request without authentication. The plugin will verify the nonce but fail to check the user's permissions, leading to a global configuration update.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.