Mizan Demo Importer <= 0.1.3 - Missing Authorization

This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2026-25021) in the Mizan Demo Importer plugin.

1. Vulnerability Summary

The Mizan Demo Importer plugin (versions <= 0.1.3) fails to implement capability checks (e.g., current_user_can( 'manage_options' )) in one or more of its AJAX handler functions. While these handlers are registered via wp_ajax_{action}, which ensures the user is authenticated, they do not verify that the authenticated user has administrative privileges. This allows a user with Subscriber-level access to trigger sensitive demo import or cleanup functionality.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-ajax.php
• HTTP Method: POST
• Authentication: Authenticated (Subscriber or higher).
• Vulnerable Parameter: action (The specific AJAX action registered by the plugin).
• Payload: Any parameters required by the vulnerable function (e.g., demo_id, step, or import_file).
• Preconditions: The plugin must be active. A Subscriber-level user account is required.

3. Code Flow (Inferred - Target Discovery)

Since source files were not provided, the following discovery steps are required to find the exact sink:

1. Identify Entry Points:
   Scan the plugin directory for AJAX registrations:
   grep -rn "wp_ajax_" wp-content/plugins/mizan-demo-importer/
2. Locate Callback Functions:
   Identify the function name associated with the wp_ajax_ action. For example:
   add_action( 'wp_ajax_mizan_import_demo_data', 'mizan_import_demo_callback' );
3. Trace Authorization Check:
   Examine the callback function for the absence of current_user_can().
   Expected vulnerable path:

   public function mizan_import_demo_callback() {
       // Missing: if ( ! current_user_can( 'manage_options' ) ) wp_die();
       // Missing: check_ajax_referer( 'mizan_nonce_action', 'security' );
       // ... sensitive import logic ...
   }
   

4. Nonce Acquisition Strategy

If the vulnerable function calls check_ajax_referer or wp_verify_nonce, a nonce is required. If those checks are also missing, this section can be skipped.

1. Identify Nonce Action and Variable:
   Search for wp_localize_script in the plugin to find how the nonce is passed to the frontend.
   grep -rn "wp_create_nonce" wp-content/plugins/mizan-demo-importer/
grep -rn "wp_localize_script" wp-content/plugins/mizan-demo-importer/
2. Determine Script Loading Trigger:
   Determine if the script loads on the standard WordPress Dashboard or a specific plugin page. If it's a specific page, create a post/page with the relevant shortcode if necessary.
3. Extraction (Agent Execution):
   • Navigate to the admin dashboard (as the Subscriber).
   • Use browser_eval to extract the nonce.
   • Example (Inferred): browser_eval("window.mizan_demo_importer_params?.ajax_nonce")

5. Exploitation Strategy

The goal is to trigger the unauthorized action (e.g., clearing demo data or initiating an import) using a Subscriber's session.

Step-by-Step Plan:

1. Discovery: Use ls -R and grep to find the exact AJAX action name (e.g., mizan_import_data or mizan_clear_demo).
2. Preparation: Log in as a Subscriber and obtain the session cookies.
3. Request Construction:
   • URL: http://localhost:8080/wp-admin/admin-ajax.php
   • Headers: Content-Type: application/x-www-form-urlencoded, Cookie: [Subscriber Cookies]
   • Body:

     action=[VULNERABLE_ACTION]&security=[NONCE_IF_REQUIRED]&demo_id=1
     

4. Execution: Use the http_request tool to send the POST request.
5. Validation: Observe if the response returns a success status (e.g., JSON {"success": true} or 1) instead of a 403 Forbidden or 0.

6. Test Data Setup

1. Plugin Installation: Ensure mizan-demo-importer v0.1.3 is installed and active.
2. User Creation:
   wp user create attacker attacker@example.com --role=subscriber --user_pass=password
3. Plugin State: If the plugin requires demo configurations to exist, check if there are default demo files in the plugin's demo/ folder or if they can be fetched.

7. Expected Results

• Vulnerable Behavior: The admin-ajax.php request returns a 200 OK and executes the logic inside the handler (e.g., starting an import process or deleting options).
• Fixed Behavior: The request returns a 403 Forbidden or an error indicating insufficient permissions.

8. Verification Steps

1. Database Check: If the action was mizan_clear_demo, verify if demo-related options or posts were deleted.
   wp option get mizan_import_status
2. Log Check: Check the WordPress debug log (if enabled) for signs of the import function executing.
   tail -n 50 wp-content/debug.log
3. Check for Changes: Use WP-CLI to see if new posts or attachments were created during an unauthorized import.
   wp post list --post_type=post

9. Alternative Approaches

• Multiple Actions: Many importer plugins have multiple AJAX actions (one for "init", one for "content", one for "widgets"). Check all registered wp_ajax_ actions in the plugin to see if some have authorization while others don't.
• Parameter Fuzzing: If the AJAX action requires a file or path parameter, test for Directory Traversal (../../) in conjunction with the missing authorization, as demo importers often handle file paths.