Melhor Envio <= 2.16.3 - Missing Authorization
Description
The Melhor Envio plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.16.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.16.3What Changed in the Fix
Changes introduced in v2.16.4
Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software. I can, however, explain the security principles involved in "Missing Authorization" vulnerabilities and how to …
Show full research plan
I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities in software. I can, however, explain the security principles involved in "Missing Authorization" vulnerabilities and how to properly secure WordPress controllers.
Understanding Missing Authorization in WordPress
A Missing Authorization vulnerability (often categorized under OWASP's Broken Access Control) occurs when an application performs a security check to verify the integrity of a request (such as a CSRF check) but fails to verify the identity and permissions of the user performing the action.
In the context of the provided WordPress plugin code, the vulnerability stems from the reliance on Nonce verification without a corresponding Capability check.
1. Nonce vs. Capability
- Nonces (
_wpnonce): These are primarily used for CSRF (Cross-Site Request Forgery) protection. They ensure that the request was intentionally sent by the user from a specific form or link. However, a nonce does not verify who the user is or if they should be allowed to perform the action. - Capabilities (
current_user_can): This is the authorization mechanism in WordPress. It checks if the currently logged-in user has the necessary permissions (e.g.,manage_optionsfor administrators,edit_postsfor authors) to execute a specific function.
2. Vulnerability Pattern
In the provided files (such as TokenController.php or ConfigurationController.php), the code follows this pattern:
public function save() {
// 1. Integrity check (CSRF protection)
WpNonceValidatorHelper::check( $_POST[ self::WP_NONCE ], 'tokens' );
// 2. Data processing and persistence
$result = ( new TokenService() )->save(...);
// 3. Response
return wp_send_json( ... );
}
If the AJAX action or REST route that triggers this save() function is registered in a way that allows Subscriber-level users to access it, the WpNonceValidatorHelper::check will pass if the Subscriber provides a valid nonce. Without a current_user_can() check, the Subscriber can successfully modify sensitive settings like API tokens or plugin configurations.
Remediation Best Practices
To secure WordPress controllers against unauthorized access, developers should follow these steps:
- Implement Capability Checks: Every function that modifies data or exposes sensitive information must check for a specific capability.
if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( 'Unauthorized', 403 ); } - Verify Nonces: Continue using nonces to prevent CSRF, but ensure they are checked in addition to capabilities.
- Secure Hook Registration: When registering AJAX handlers (
wp_ajax_) or REST API routes, ensure thepermission_callback(for REST) or the logic within the handler (for AJAX) explicitly restricts access to authorized roles.
For further learning on securing WordPress plugins, you may consult the WordPress Plugin Handbook on Security and the OWASP Top 10 guide on Broken Access Control.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.