CVE-2026-25036

Passster <= 4.2.25 - Missing Authorization

Missing Authorization (medium)

CVSS Score: 4.3
Severity: medium
Patched in: 4.2.26
Time to patch: 5d

Description

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.2.25
Published: February 12, 2026
Last updated: February 16, 2026
Affected plugin: content-protector

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit CVE-2026-25036, a missing authorization vulnerability in the Passster plugin for WordPress.


1. Vulnerability Summary

  • Vulnerability: Missing Authorization
  • Affected Plugin: Passster – Password Protect Pages and Content (slug: content-protector)
  • Affected Versions: <= 4.2.25
  • Vulnerability Location: Likely an AJAX handler registered via wp_ajax_ in the plugin's administration or AJAX handling classes (e.g., includes/class-passster-ajax.php).
  • Reason: The function triggered by the AJAX action fails to perform a capability check (e.g., current_user_can( 'manage_options' )) and/or does not properly verify a nonce that is restricted to administrators. This allows any authenticated user with dashboard access (Contributor level and above) to execute the function.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Authentication: Authenticated, Contributor-level access (or higher).
  • Vulnerable Action (Inferred): Likely related to statistics, log management, or setting updates. Based on the "Integrity: Low" rating, we will target the statistics deletion or log clearing functionality.
  • Potential Actions to Audit:
    1. ps_delete_statistics (or passster_delete_statistics)
    2. ps_clear_logs
    3. ps_save_settings (if it affects non-critical parameters)
  • Preconditions: The attacker must be logged in as a Contributor. The plugin must be active.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX handler using add_action( 'wp_ajax_[ACTION_NAME]', [ $this, 'function_name' ] ).
  2. Trigger: A Contributor sends a POST request to admin-ajax.php with the action parameter set to the vulnerable hook.
  3. Execution:
    • WordPress calls the registered function.
    • The function checks for a nonce (if present), which may be accessible to Contributors via the admin dashboard scripts.
    • The function fails to call current_user_can().
    • The function performs a database operation (e.g., $wpdb->query("DELETE FROM ...")) or updates an option.

4. Nonce Acquisition Strategy

Even if authorization is missing, WordPress plugins often check nonces.

  1. Identify Shortcode/Script Loading: Check where the admin scripts are enqueued. Passster typically enqueues admin scripts for all users who can access the backend.
  2. Identify Localized Variable: Look for wp_localize_script in includes/class-passster-admin.php (or similar).
    • Probable JS Object: passster_admin or passster_vars.
    • Probable Nonce Key: nonce or ajax_nonce.
  3. Acquisition Steps:
    1. Log in as a Contributor.
    2. Navigate to the WordPress Dashboard (/wp-admin/).
    3. Use browser_eval to extract the nonce:
      // Example guess - will be verified in exploration phase
      window.passster_admin?.nonce || window.passster_vars?.nonce
      

5. Exploitation Strategy

We will attempt to perform an unauthorized action, such as deleting plugin statistics.

Step 1: Discovery

  • Search for add_action( 'wp_ajax_ in the plugin directory.
  • Identify the function associated with sensitive-looking actions (e.g., delete, save, update).
  • Confirm the absence of current_user_can in that function.

Step 2: Preparation

  • Create a Contributor user.
  • Ensure some "Statistics" or "Logs" exist in the plugin (if applicable) to prove deletion.

Step 3: Execution (Targeting Statistics Deletion)

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Payload:
    action=[ACTION_NAME]&_wpnonce=[NONCE]&other_params=...
    
  • Action Name: To be determined during discovery (e.g., ps_delete_statistics).

6. Test Data Setup

  1. Plugin Setup: Install and activate Passster 4.2.25.
  2. Generate Data:
    • Create a password-protected post: wp post create --post_type=post --post_title="Protected" --post_status=publish --post_content='[passster password="password"]Secret Content[/passster]'
    • Visit the post and enter the password several times to generate statistics entries in the database.
  3. User Setup:
    • Create a Contributor: wp user create attacker attacker@example.com --role=contributor --user_pass=password

7. Expected Results

  • Success: The server returns a 200 OK or a JSON success message (e.g., {"success": true}).
  • Data Impact: The statistics table in the database is cleared or a specific setting is changed, despite the user only being a Contributor.

8. Verification Steps

  1. CLI Check: Use wp db query "SELECT COUNT(*) FROM wp_passster_statistics" (adjust table name based on discovery) before and after the exploit.
  2. Expected Count: The count should drop to 0 after the POST request.
  3. Access Check: Verify that a Contributor normally cannot access the Statistics page in the UI, confirming the AJAX request bypassed intended UI restrictions.

9. Alternative Approaches

If statistics deletion is not the vulnerable path:

  • Settings Update: Check for ps_save_settings. If vulnerable, try to change the passster_instructions or similar low-impact setting via admin-ajax.php.
  • Post Meta: Check if any AJAX actions allow updating post meta without checking if the user can edit that specific post.
  • Bypass Nonce: If check_ajax_referer is called with die=false and the return value is not checked, the exploit can be performed without a valid nonce. Look for:
    check_ajax_referer( 'action', 'nonce', false );
    // ... logic proceeds regardless of check_ajax_referer result ...
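
Sections 3 and 9 above describe the handler shape at issue: a wp_ajax_ callback that never calls current_user_can(), and a check_ajax_referer() invoked with die=false whose return value is ignored. The following PHP is an added illustration, not Passster's code, showing that shape beside the hardened form a plugin author or code reviewer should expect to find. Every name in it (the example_ action names, the nonce action, the script handle, the example_vars JS object and the statistics table) is a hypothetical placeholder, not an identifier from the plugin.

```php
<?php
// Added illustration, not Passster's code. All names below (the
// "example_" action names, nonce action, script handle, JS object
// and table name) are hypothetical placeholders.

// The nonce is handed to every user who can load the dashboard, so it
// proves the request came from the plugin's own admin page, not that
// the user is allowed to perform the action. A nonce is never a
// substitute for a capability check.
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'example_vars', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_stats' ),
    ) );
}

// Vulnerable shape (sections 3 and 9 of the plan): no capability check,
// and check_ajax_referer() called with $die = false while its return
// value is discarded, so the DELETE runs for any logged-in user.
add_action( 'wp_ajax_example_delete_statistics', 'example_delete_statistics_vulnerable' );
function example_delete_statistics_vulnerable() {
    global $wpdb;
    check_ajax_referer( 'example_stats', 'nonce', false ); // result ignored
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_statistics" );
    wp_send_json_success();
}

// Hardened shape: verify the nonce (the default $die = true aborts with a
// -1 response on failure), then require the capability the action needs.
add_action( 'wp_ajax_example_delete_statistics_safe', 'example_delete_statistics_hardened' );
function example_delete_statistics_hardened() {
    global $wpdb;
    check_ajax_referer( 'example_stats', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_statistics" );
    wp_send_json_success();
}

// When a custom error body is wanted instead of wp_die(), pass $die = false
// but test the return value; an untested call is exactly the defect the
// plan's "Bypass Nonce" item looks for.
function example_require_nonce_and_capability( $nonce_action, $field, $capability ) {
    if ( ! check_ajax_referer( $nonce_action, $field, false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 400 );
    }
    if ( ! current_user_can( $capability ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}
```

For a code review, the check is the one the plan's Step 1 describes: list every add_action( 'wp_ajax_ registration, open each callback, and confirm it calls current_user_can() with the capability the action really requires and that any check_ajax_referer() result is either fatal by default or tested. wp_ajax_nopriv_ registrations deserve the same scrutiny, since they are reachable without any login.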
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The Passster plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on its AJAX handlers in versions up to 4.2.25. This allows authenticated attackers with Contributor-level access or higher to perform unauthorized administrative actions, such as deleting plugin statistics.

Exploit Outline

  1. Authenticate as a Contributor-level user and access the WordPress dashboard.
  2. Extract the required AJAX nonce from localized scripts in the admin dashboard, typically stored in the `passster_admin` or `passster_vars` JavaScript objects.
  3. Send a POST request to `/wp-admin/admin-ajax.php` with the 'action' parameter set to a vulnerable handler (such as 'ps_delete_statistics') and include the extracted nonce.
  4. Verify that the administrative action (e.g., statistics deletion) is executed successfully, confirming that the server processed the request without verifying the user's administrative capabilities.
