miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification

This research plan focuses on CVE-2025-14948, a missing authorization vulnerability in the miniOrange OTP Verification and SMS Notification for WooCommerce plugin.

1. Vulnerability Summary

The plugin provides an AJAX endpoint enable_wc_sms_notification intended for administrators to toggle SMS notification settings for various WooCommerce order statuses (e.g., processing, completed). However, in versions up to 4.3.8, the plugin registers this action for unauthenticated users (wp_ajax_nopriv_) and fails to implement any capability checks (current_user_can) or nonce verification within the handler. This allows an unauthenticated attacker to modify the SMS notification configuration, potentially disabling critical alerts or enabling unwanted notifications.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: enable_wc_sms_notification
• HTTP Method: POST
• Authentication: None required (Unauthenticated)
• Preconditions: The plugin must be active.
• Vulnerable Parameter(s):
  • sms_notif_type (The notification setting to modify)
  • enable (The value to set: '1' for enabled, '0' for disabled)

3. Code Flow

1. Registration: The plugin registers the AJAX actions in the initialization logic (often in miniorange_sms_order_notification_otp_verification.php or a dedicated AJAX handler class).
   • add_action( 'wp_ajax_enable_wc_sms_notification', 'mo_enable_wc_sms_notification' );
   • add_action( 'wp_ajax_nopriv_enable_wc_sms_notification', 'mo_enable_wc_sms_notification' );
2. Handler Execution: When a request is sent to admin-ajax.php with action=enable_wc_sms_notification, the function mo_enable_wc_sms_notification() is invoked.
3. Missing Security Controls:
   • The function lacks a current_user_can( 'manage_options' ) check.
   • The function lacks check_ajax_referer() or wp_verify_nonce().
4. Data Sink: The handler reads $_POST['sms_notif_type'] and $_POST['enable'] and calls update_option().
   • update_option( $_POST['sms_notif_type'], $_POST['enable'] ); (inferred structure)

4. Nonce Acquisition Strategy

According to the vulnerability report and the "Missing Authorization" type, this specific endpoint does not require a nonce in the affected versions, or if it does, it is not verified.

Verification Plan:

1. Attempt the exploit first without a nonce.
2. If the response is 0 or -1, it implies the action wasn't hit or failed basic WP AJAX requirements.
3. If the response is a specific error related to nonces, search for the localization variable. In miniOrange plugins, this is typically localized as mo_otp_verification_ajax_object or mo_sms_order_notification_ajax_object.
   • Check for wp_localize_script in the source for the key containing "nonce".
   • If a nonce is needed, use browser_navigate to the WooCommerce settings page or a page where the plugin is active, then browser_eval("mo_sms_order_notification_ajax_object.nonce").

5. Exploitation Strategy

We will attempt to disable the "Order Processing" SMS notification, which is a standard feature in this plugin.

• Request URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Payload:

  action=enable_wc_sms_notification&sms_notif_type=mo_customer_validation_wc_config_customer_processing_order&enable=0
  

  (Note: sms_notif_type parameter name and option slugs like mo_customer_validation_wc_config_... are based on standard miniOrange naming conventions for WooCommerce notifications. These should be verified in the source code if available.)

6. Test Data Setup

1. Install and activate WooCommerce.
2. Install and activate miniOrange OTP Verification and SMS Notification for WooCommerce version 4.3.8.
3. Go to the plugin settings and ensure "Customer SMS Notifications" are enabled for "Processing Order".
4. Verify the option exists in the database:
   wp option get mo_customer_validation_wc_config_customer_processing_order (should be '1').

7. Expected Results

• Response Code: 200 OK.
• Response Body: Likely a success string (e.g., true, 1, or a JSON success message) or a blank response if the developer didn't include an explicit echo.
• Impact: The targeted setting in the database will be updated from 1 to 0.

8. Verification Steps

After sending the HTTP request, verify the change using WP-CLI:

# Check if the notification setting was successfully disabled
wp option get mo_customer_validation_wc_config_customer_processing_order

Expected Output: 0

9. Alternative Approaches

If the sms_notif_type or enable parameter names differ:

1. Grep for the AJAX handler:
   grep -r "enable_wc_sms_notification" /var/www/html/wp-content/plugins/miniorange-sms-order-notification-otp-verification/
2. Inspect the handler function:
   Identify the exact $_POST keys being used.
3. Try alternate notification keys:
   • mo_customer_validation_wc_config_customer_completed_order
   • mo_customer_validation_wc_config_customer_on_hold_order
4. Admin Leakage: If the plugin includes an admin script on the frontend for some reason, use browser_navigate("/") and browser_eval("window") to look for leaked setting keys or nonces.