Media Library File Size <= 1.6.7 - Missing Authorization
Description
The Media Library File Size plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (base score 4.3, Medium)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low (any authenticated user, e.g., Subscriber)
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low (plugin settings can be modified)
- Availability: None
Technical Details
Affected versions: <= 1.6.7
Source Code
WordPress.org SVN
Research Plan
This research plan outlines the steps to investigate and exploit CVE-2026-24569, a missing authorization vulnerability in the "Media Library File Size" WordPress plugin.
1. Vulnerability Summary
The Media Library File Size plugin (up to version 1.6.7) fails to implement capability checks on an AJAX function, likely responsible for updating plugin settings. While the plugin properly uses nonces to prevent CSRF, it does not verify if the authenticated user has the manage_options capability. This allows any authenticated user, including those with Subscriber roles, to modify the plugin's configuration.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: mlfs_save_settings (inferred from the plugin slug mlfs; confirm against the source)
- Parameters:
  - action: mlfs_save_settings
  - mlfs_nonce: the required CSRF token
  - mlfs_options: an array or set of parameters representing plugin settings (e.g., show_column, show_grid)
- Authentication: Subscriber-level (any logged-in user).
- Preconditions: The attacker must obtain a valid nonce, which is typically localized in the WordPress admin dashboard for authenticated users. WordPress nonces are bound to the user ID and session token, so the nonce must be harvested from a session of the same Subscriber account that sends the request.
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX action in the main plugin file or an includes file:
  add_action( 'wp_ajax_mlfs_save_settings', 'mlfs_save_settings_callback' );
- Nonce Check: Inside mlfs_save_settings_callback(), the code likely verifies the nonce:
  check_ajax_referer( 'mlfs_nonce_action', 'mlfs_nonce' );
  This only proves the request originated from a page WordPress rendered for this user; it is a CSRF defence, not an authorization check.
- The Flaw: The function proceeds to update the plugin options with
  update_option( 'mlfs_settings', $_POST['...'] )
  without calling current_user_can( 'manage_options' ).
- Sink: update_option() is called, persisting the attacker's configuration.
4. Nonce Acquisition Strategy
The plugin likely enqueues a script in the admin area and localizes a nonce for its AJAX requests. Since Subscribers can access wp-admin/profile.php and the dashboard by default, they can retrieve this nonce if the script is enqueued on a page they can reach.
- Identify Script Localization: Search for wp_localize_script in the plugin code.
- Target Variable: Look for a variable likely named mlfs_obj or mlfs_vars.
- Extraction:
  - Create a Subscriber user.
  - Log in as the Subscriber.
  - Navigate to /wp-admin/index.php.
  - In the browser's developer console (or via browser automation), read the nonce: window.mlfs_obj?.nonce or window.mlfs_vars?.nonce.
  - If not found on the dashboard, check the Media Library page (if accessible) or the post editor if the plugin loads scripts there. Note that a default Subscriber lacks upload_files and edit_posts, so upload.php and post-new.php are not reachable; a nonce that is only emitted on those pages would raise the effective bar above Subscriber.
5. Exploitation Strategy
The goal is to modify plugin settings from a Subscriber account.
- Preparation: Log in as a Subscriber and extract the mlfs_nonce.
- Identify Settings Payload: Determine the structure of the settings. Based on the plugin's purpose, it likely manages settings like show_column.
- Request: Send an authenticated POST request to admin-ajax.php.
HTTP Request Template:
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [TARGET]
Cookie: [SUBSCRIBER SESSION COOKIES]
Content-Type: application/x-www-form-urlencoded

action=mlfs_save_settings&mlfs_nonce=[EXTRACTED_NONCE]&show_column=0&show_grid=0
```
(Note: Parameter names like show_column are inferred and should be verified by inspecting the plugin's settings page in the admin UI as an administrator first.)
6. Test Data Setup
- Install Plugin: Install Media Library File Size version 1.6.7.
- Create User: Create a user with the subscriber role.
- Identify Settings: As an admin, navigate to the plugin settings (Settings -> Media Library File Size) and note the current values and the names of the input fields in the HTML form.
7. Expected Results
- The server should return a success response (e.g., 1, true, or a JSON success message such as {"success":true} from wp_send_json_success()).
- The plugin's settings will be updated in the database, despite the request coming from a Subscriber.
8. Verification Steps
- Via WP-CLI: Check the option value before and after the exploit:
  wp option get mlfs_settings
  (or the actual option name identified during research).
- Via UI: Log in as an administrator and check whether the settings on the plugin's configuration page have changed to the values sent in the exploit payload.
9. Alternative Approaches
- Different Actions: If mlfs_save_settings is not the correct action, search the codebase for all occurrences of add_action( 'wp_ajax_... and audit each callback for a current_user_can() check.
- Direct Option Injection: If the plugin uses a generic settings-saving loop (e.g., iterating over $_POST), check whether it is possible to update arbitrary WordPress options, though this is less likely than a dedicated settings update for the plugin itself.
- Metadata Update: If the plugin allows updating file sizes for specific attachments, check for an action like mlfs_update_file_size, which might lack a check for the edit_post or upload_files capability.
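The "Different Actions" audit above, automated. This is an added example and not code from the plugin or the advisory: it lists every wp_ajax_* (and wp_ajax_nopriv_*) registration in a PHP source string, resolves string and `array( $this, 'method' )` callbacks to their function bodies, and reports whether a nonce check and a current_user_can() call appear inside. The PHP samples it runs on are constructed to mirror the inferred vulnerable code and its fix; the function and class names in them (mlfs_save_settings_callback, MLFS_Admin, mlfs_ping) are hypothetical.

```python
"""Static triage of wp_ajax_* handlers for the 'Different Actions' step.  Added
example, not the plugin's or the advisory's code.  The PHP samples below are
constructed; the identifiers in them are hypothetical."""
from __future__ import annotations

import re
from dataclasses import dataclass

# add_action( 'wp_ajax_<name>', 'callback' )  or  array( $this, 'method' ) / [ $this, 'method' ]
ADD_ACTION_RE = re.compile(
    r"""add_action\s*\(\s*['"](?P<hook>wp_ajax_(?:nopriv_)?\w+)['"]\s*,\s*
        (?:['"](?P<func>\w+)['"]
          |(?:array\s*\(|\[)\s*\$\w+\s*,\s*['"](?P<method>\w+)['"]\s*[)\]])""",
    re.VERBOSE,
)
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can(?:_for_blog)?\s*\(")


@dataclass
class AjaxHandler:
    hook: str
    callback: str
    body_found: bool
    has_nonce_check: bool
    has_capability_check: bool

    @property
    def needs_review(self) -> bool:
        # Unresolved callbacks are flagged as well; a human has to locate them.
        return not (self.body_found and self.has_capability_check)


def function_body(src: str, name: str) -> str | None:
    """Return the brace-delimited body of `function <name>(...)`, or None.
    Brace counting ignores strings and comments, so a stray brace inside a
    string literal can cut the body short; acceptable for triage, not for proof."""
    decl = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", src)
    if decl is None:
        return None
    start = src.find("{", decl.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def audit_ajax_handlers(src: str) -> list[AjaxHandler]:
    """One record per wp_ajax_* registration found in `src`."""
    handlers = []
    for m in ADD_ACTION_RE.finditer(src):
        name = m.group("func") or m.group("method")
        body = function_body(src, name)
        handlers.append(AjaxHandler(
            hook=m.group("hook"),
            callback=name,
            body_found=body is not None,
            has_nonce_check=bool(body and NONCE_RE.search(body)),
            has_capability_check=bool(body and CAP_RE.search(body)),
        ))
    return handlers


# Constructed sample mirroring the inferred vulnerable handler (nonce, no capability check).
VULNERABLE_SAMPLE = r"""<?php
add_action( 'wp_ajax_mlfs_save_settings', 'mlfs_save_settings_callback' );
function mlfs_save_settings_callback() {
    check_ajax_referer( 'mlfs_nonce_action', 'mlfs_nonce' );
    $settings = array( 'show_column' => isset( $_POST['show_column'] ) ? sanitize_text_field( $_POST['show_column'] ) : '' );
    update_option( 'mlfs_settings', $settings );
    wp_send_json_success();
}
"""

# Same handler with the authorization check inserted after the nonce check.
FIXED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "check_ajax_referer( 'mlfs_nonce_action', 'mlfs_nonce' );",
    "check_ajax_referer( 'mlfs_nonce_action', 'mlfs_nonce' );\n"
    "    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }",
)

# Class-based registration with an unauthenticated (nopriv) hook; constructed.
CLASS_SAMPLE = r"""<?php
class MLFS_Admin {
    public function __construct() {
        add_action( 'wp_ajax_nopriv_mlfs_ping', [ $this, 'ping' ] );
    }
    public function ping() { wp_send_json_success( array( 'ok' => true ) ); }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("fixed", FIXED_SAMPLE), ("class", CLASS_SAMPLE)):
        for h in audit_ajax_handlers(src):
            flag = "REVIEW" if h.needs_review else "ok"
            print(f"{label:10} {h.hook:30} -> {h.callback}() nonce={h.has_nonce_check} cap={h.has_capability_check} [{flag}]")
```

Presence of current_user_can() in a body does not prove the check guards the write (it may sit in an unrelated branch), so treat "ok" as "read this one second", not "safe". nopriv hooks always come out flagged because they serve anonymous requests; what matters there is what the handler exposes, not a capability check that could never pass.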
Summary
The Media Library File Size plugin for WordPress fails to perform a capability check on its AJAX settings-saving functionality. This allows authenticated users with Subscriber-level access or higher to modify plugin configurations by providing a valid nonce, which is often accessible to all logged-in users via localized scripts in the admin dashboard.
Vulnerable Code
```php
<?php
// Inferred registration of the AJAX action in the main plugin file.
add_action( 'wp_ajax_mlfs_save_settings', 'mlfs_save_settings_callback' );

function mlfs_save_settings_callback() {
    // Nonce check is present, preventing CSRF, but authorization is missing.
    check_ajax_referer( 'mlfs_nonce_action', 'mlfs_nonce' );

    // Proceeds to update options without current_user_can( 'manage_options' ).
    $settings = array(
        'show_column' => isset( $_POST['show_column'] ) ? sanitize_text_field( $_POST['show_column'] ) : '',
        'show_grid'   => isset( $_POST['show_grid'] ) ? sanitize_text_field( $_POST['show_grid'] ) : '',
    );
    update_option( 'mlfs_settings', $settings );
    wp_send_json_success();
}
```
Security Fix
@@ -10,6 +10,10 @@ function mlfs_save_settings_callback() { check_ajax_referer( 'mlfs_nonce_action', 'mlfs_nonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'You do not have sufficient permissions to access this page.' ) ); + } + $settings = array( 'show_column' => isset($_POST['show_column']) ? sanitize_text_field($_POST['show_column']) : '', 'show_grid' => isset($_POST['show_grid']) ? sanitize_text_field($_POST['show_grid']) : '',
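Review bot: the denial path added after check_ajax_referer() uses wp_die() with a translated HTML message, but this is an AJAX handler: on an admin-ajax.php request wp_die() goes through the AJAX die handler and is sent with HTTP 200 by default, while the nonce failure one line above already answers wp_die( -1, 403 ) and the success path replies with wp_send_json_success(), so a caller gets three different response shapes from one endpoint. Prefer a JSON error with an explicit status, e.g. `wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );`, which is consistent with the success branch and trivial to assert on. The placement is right: nonce first, then authorization, before any $_POST value is read.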
Exploit Outline
To exploit this vulnerability, an attacker must first obtain an authenticated session with the target WordPress site (e.g., as a Subscriber). The attacker then retrieves the required security nonce, mlfs_nonce, which is typically localized into an admin page the account can reach (e.g., wp-admin/profile.php or the dashboard) for use by the plugin's admin-side JavaScript. Once the nonce is obtained, the attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to mlfs_save_settings, the mlfs_nonce parameter, and the desired plugin configuration values in the payload. Because the plugin lacks a capability check (such as current_user_can( 'manage_options' )), the server processes the request and updates the site-wide plugin settings with the provided values.