Pie Register <= 3.8.4.8 - Missing Authorization
Description
The Pie Register plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.8.4.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.8.4.8Source Code
WordPress.org SVNThis plan outlines the steps to investigate and exploit CVE-2026-24577, a missing authorization vulnerability in the Pie Register plugin. ## 1. Vulnerability Summary The **Pie Register** plugin (up to 3.8.4.8) fails to implement adequate capability checks (authorization) on certain AJAX or `admin_i…
Show full research plan
This plan outlines the steps to investigate and exploit CVE-2026-24577, a missing authorization vulnerability in the Pie Register plugin.
1. Vulnerability Summary
The Pie Register plugin (up to 3.8.4.8) fails to implement adequate capability checks (authorization) on certain AJAX or admin_init functions. This allows unauthenticated attackers to trigger sensitive actions that should be restricted to administrators. Based on the CVSS score (5.3) and the plugin's profile, the vulnerability likely resides in an AJAX handler related to registration settings, invitation codes, or notice management.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action Hook (Inferred):
wp_ajax_nopriv_pie_register_check_invite_codeorwp_ajax_nopriv_pie_register_add_invite_code(The "Missing Authorization" in this plugin often relates to the Invitation Code system). - Payload Parameter:
action,nonce, and functionality-specific parameters (e.g.,invite_code,status). - Authentication: None (Unauthenticated).
- Preconditions: The "Invitation Code" feature may need to be active in the Pie Register settings for the code path to be fully exploitable.
3. Code Flow (Inferred)
- Entry Point: An unauthenticated user sends a POST request to
admin-ajax.phpwith apie_register_...action. - Hook Registration: The plugin registers the action using
add_action( 'wp_ajax_nopriv_...', ... ). - Missing Check: Inside the callback function (e.g., in
classes/invitation_code.phporpie-register.php), the code checks for a valid nonce but fails to verify if the user has administrative privileges usingcurrent_user_can( 'manage_options' ). - Sink: The function proceeds to update the database (e.g.,
$wpdb->insertinto the invitation codes table orupdate_option).
4. Nonce Acquisition Strategy
Pie Register typically localizes its AJAX data into a JavaScript object named pie_register_vars or piereg_nonce_obj.
- Identify Shortcode: The plugin uses
[pie_register_form]to render the registration form where invitation codes are processed. - Create Test Page:
wp post create --post_type=page --post_title="Register" --post_status=publish --post_content='[pie_register_form]' - Extract Nonce:
Navigate to the new page and usebrowser_evalto find the nonce:browser_eval("window.pie_register_vars?.piereg_nonce")- Alternative:
browser_eval("window.pie_register_vars?.nonce") - Alternative: Search the HTML source for
piereg_nonce.
5. Exploitation Strategy
We will attempt to create or validate an invitation code bypassing the intended administrative workflow.
Step 1: Discover the exact vulnerable action.
Search the plugin code forwp_ajax_noprivhooks:grep -r "wp_ajax_nopriv" /var/www/html/wp-content/plugins/pie-register/Focus on actions that look like
pie_register_add_invite_codeorpie_register_save_invitation_code.Step 2: Craft the HTTP Request.
Assuming the action ispie_register_add_invite_code(to be confirmed via grep):- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=pie_register_add_invite_code&piereg_nonce=[EXTRACTED_NONCE]&invite_code=PWNED2026&usage_limit=10
Step 3: Trigger the Request.
Use thehttp_requesttool with the parameters identified above.
6. Test Data Setup
- Install Plugin: Ensure Pie Register 3.8.4.8 is installed and active.
- Enable Invitation Codes:
wp option update pie_register_settings '{"enable_invitation_codes":"1"}' --format=json - Create Page: Create the registration page as described in Section 4.
7. Expected Results
- Success Response: The server returns a
200 OKresponse, often with a JSON body like{"status":"success"}or1. - Impact: An unauthenticated attacker successfully injects a new invitation code into the system or modifies existing registration logic.
8. Verification Steps
- Check Database: Use WP-CLI to inspect the invitation codes table (usually
{prefix}pieregister_invite_codes):wp db query "SELECT * FROM wp_pieregister_invite_codes WHERE invite_code = 'PWNED2026';" - Verify Usage: Attempt to use the injected code in the registration form on the site to see if it validates.
9. Alternative Approaches
If the add_invite_code action is not the culprit, investigate:
pie_register_hide_notice: While lower severity, it often lacks authorization and demonstrates the flaw.pie_register_check_invite_code: If the "check" function incorrectly updates "usage" counts or statuses without authorization.- Settings Overwrite: Check if
admin_initis hooked to a function that processes$_POST['pie_register_settings']without checkingis_admin()ANDcurrent_user_can(). Note thatadmin_initfires onadmin-ajax.phprequests.
# Grep for potential sinks in AJAX handlers
grep -rE "update_option|wp_db->insert|wp_db->update" /var/www/html/wp-content/plugins/pie-register/classes/
Summary
The Pie Register plugin for WordPress is vulnerable to unauthorized access in versions up to and including 3.8.4.8. This is due to the plugin failing to perform capability checks on certain AJAX functions, allowing unauthenticated attackers to perform sensitive actions such as modifying invitation codes or dismissing administrative notices.
Exploit Outline
The exploit targets the plugin's AJAX handlers which are registered for unauthenticated users (via the wp_ajax_nopriv hook) but lack administrative authorization checks. An attacker first obtains a valid AJAX nonce from a page containing a Pie Register registration form (localized in the 'pie_register_vars' or 'piereg_nonce_obj' JavaScript objects). They then send a POST request to /wp-admin/admin-ajax.php with an action such as 'pie_register_add_invite_code', providing the nonce and parameters for a new invitation code. The server processes the request and inserts the code into the database without verifying that the requester has administrative privileges.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.