CVE-2026-24577

Pie Register <= 3.8.4.8 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.8.4.9
Patched in
86d
Time to patch

Description

The Pie Register plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.8.4.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.8.4.8
PublishedJanuary 20, 2026
Last updatedApril 15, 2026
Affected pluginpie-register

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the steps to investigate and exploit CVE-2026-24577, a missing authorization vulnerability in the Pie Register plugin. ## 1. Vulnerability Summary The **Pie Register** plugin (up to 3.8.4.8) fails to implement adequate capability checks (authorization) on certain AJAX or `admin_i…

Show full research plan

This plan outlines the steps to investigate and exploit CVE-2026-24577, a missing authorization vulnerability in the Pie Register plugin.

1. Vulnerability Summary

The Pie Register plugin (up to 3.8.4.8) fails to implement adequate capability checks (authorization) on certain AJAX or admin_init functions. This allows unauthenticated attackers to trigger sensitive actions that should be restricted to administrators. Based on the CVSS score (5.3) and the plugin's profile, the vulnerability likely resides in an AJAX handler related to registration settings, invitation codes, or notice management.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action Hook (Inferred): wp_ajax_nopriv_pie_register_check_invite_code or wp_ajax_nopriv_pie_register_add_invite_code (The "Missing Authorization" in this plugin often relates to the Invitation Code system).
  • Payload Parameter: action, nonce, and functionality-specific parameters (e.g., invite_code, status).
  • Authentication: None (Unauthenticated).
  • Preconditions: The "Invitation Code" feature may need to be active in the Pie Register settings for the code path to be fully exploitable.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with a pie_register_... action.
  2. Hook Registration: The plugin registers the action using add_action( 'wp_ajax_nopriv_...', ... ).
  3. Missing Check: Inside the callback function (e.g., in classes/invitation_code.php or pie-register.php), the code checks for a valid nonce but fails to verify if the user has administrative privileges using current_user_can( 'manage_options' ).
  4. Sink: The function proceeds to update the database (e.g., $wpdb->insert into the invitation codes table or update_option).

4. Nonce Acquisition Strategy

Pie Register typically localizes its AJAX data into a JavaScript object named pie_register_vars or piereg_nonce_obj.

  1. Identify Shortcode: The plugin uses [pie_register_form] to render the registration form where invitation codes are processed.
  2. Create Test Page:
    wp post create --post_type=page --post_title="Register" --post_status=publish --post_content='[pie_register_form]'
    
  3. Extract Nonce:
    Navigate to the new page and use browser_eval to find the nonce:
    • browser_eval("window.pie_register_vars?.piereg_nonce")
    • Alternative: browser_eval("window.pie_register_vars?.nonce")
    • Alternative: Search the HTML source for piereg_nonce.

5. Exploitation Strategy

We will attempt to create or validate an invitation code bypassing the intended administrative workflow.

  • Step 1: Discover the exact vulnerable action.
    Search the plugin code for wp_ajax_nopriv hooks:

    grep -r "wp_ajax_nopriv" /var/www/html/wp-content/plugins/pie-register/
    

    Focus on actions that look like pie_register_add_invite_code or pie_register_save_invitation_code.

  • Step 2: Craft the HTTP Request.
    Assuming the action is pie_register_add_invite_code (to be confirmed via grep):

    • Method: POST
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=pie_register_add_invite_code&piereg_nonce=[EXTRACTED_NONCE]&invite_code=PWNED2026&usage_limit=10
      
  • Step 3: Trigger the Request.
    Use the http_request tool with the parameters identified above.

6. Test Data Setup

  1. Install Plugin: Ensure Pie Register 3.8.4.8 is installed and active.
  2. Enable Invitation Codes:
    wp option update pie_register_settings '{"enable_invitation_codes":"1"}' --format=json
    
  3. Create Page: Create the registration page as described in Section 4.

7. Expected Results

  • Success Response: The server returns a 200 OK response, often with a JSON body like {"status":"success"} or 1.
  • Impact: An unauthenticated attacker successfully injects a new invitation code into the system or modifies existing registration logic.

8. Verification Steps

  1. Check Database: Use WP-CLI to inspect the invitation codes table (usually {prefix}pieregister_invite_codes):
    wp db query "SELECT * FROM wp_pieregister_invite_codes WHERE invite_code = 'PWNED2026';"
    
  2. Verify Usage: Attempt to use the injected code in the registration form on the site to see if it validates.

9. Alternative Approaches

If the add_invite_code action is not the culprit, investigate:

  • pie_register_hide_notice: While lower severity, it often lacks authorization and demonstrates the flaw.
  • pie_register_check_invite_code: If the "check" function incorrectly updates "usage" counts or statuses without authorization.
  • Settings Overwrite: Check if admin_init is hooked to a function that processes $_POST['pie_register_settings'] without checking is_admin() AND current_user_can(). Note that admin_init fires on admin-ajax.php requests.
# Grep for potential sinks in AJAX handlers
grep -rE "update_option|wp_db->insert|wp_db->update" /var/www/html/wp-content/plugins/pie-register/classes/
Research Findings
Static analysis — not yet PoC-verified

Summary

The Pie Register plugin for WordPress is vulnerable to unauthorized access in versions up to and including 3.8.4.8. This is due to the plugin failing to perform capability checks on certain AJAX functions, allowing unauthenticated attackers to perform sensitive actions such as modifying invitation codes or dismissing administrative notices.

Exploit Outline

The exploit targets the plugin's AJAX handlers which are registered for unauthenticated users (via the wp_ajax_nopriv hook) but lack administrative authorization checks. An attacker first obtains a valid AJAX nonce from a page containing a Pie Register registration form (localized in the 'pie_register_vars' or 'piereg_nonce_obj' JavaScript objects). They then send a POST request to /wp-admin/admin-ajax.php with an action such as 'pie_register_add_invite_code', providing the nonce and parameters for a new invitation code. The server processes the request and inserts the code into the database without verifying that the requester has administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.