Pochipp <= 1.18.0 - Missing Authorization
Description
The Pochipp plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.18.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.18.0Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-66129 (Pochipp) ## 1. Vulnerability Summary The **Pochipp** plugin for WordPress (versions <= 1.18.0) contains a **Missing Authorization** vulnerability. The plugin registers one or more AJAX handlers that are accessible to unauthenticated users (via `wp_ajax_…
Show full research plan
Exploitation Research Plan: CVE-2025-66129 (Pochipp)
1. Vulnerability Summary
The Pochipp plugin for WordPress (versions <= 1.18.0) contains a Missing Authorization vulnerability. The plugin registers one or more AJAX handlers that are accessible to unauthenticated users (via wp_ajax_nopriv_ hooks) but fails to implement a capability check (e.g., current_user_can()) or a robust nonce validation within the callback function. This allows an unauthenticated attacker to trigger actions that should be restricted to administrators, potentially leading to unauthorized data modification or configuration changes.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
pochipp_...(The specific action name is inferred; likely related to block settings or link management). - HTTP Method:
POST - Authentication: None Required (
PR:N). - Preconditions: The plugin must be active. If the handler requires a nonce, the attacker must be able to retrieve it from a public-facing page where Pochipp assets are loaded.
3. Code Flow (Inferred)
- Entry Point: The attacker sends a
POSTrequest toadmin-ajax.phpwith a specificactionparameter. - Hook Execution: WordPress executes the hook registered via
add_action('wp_ajax_nopriv_[action_name]', ...)in the plugin's initialization logic (likely in anAjaxclass or the main plugin file). - Missing Check: The callback function associated with the hook is executed. It performs logic (such as updating database entries or settings) without verifying if the requesting user has the necessary permissions (e.g.,
manage_options). - Sink: The function calls a WordPress API like
update_option(),wp_update_post(), or performs a direct database query via$wpdb.
4. Nonce Acquisition Strategy
If the vulnerable handler uses check_ajax_referer() or wp_verify_nonce(), the nonce must be obtained from the frontend.
- Identify Script Localization: Pochipp likely enqueues scripts that contain nonces for its blocks.
- Setup: Create a page containing a Pochipp-related block or shortcode to ensure the scripts are loaded.
- Command:
wp post create --post_type=page --post_status=publish --post_title="Pochipp Test" --post_content='<!-- wp:pochipp/block /-->'(Shortcode/Block name inferred).
- Command:
- Extraction: Use the
browser_navigatetool to visit the page andbrowser_evalto extract the nonce.- Target Variable: Look for
pochipp_dataorpochipp_vars(Inferred). - JavaScript:
window.pochipp_vars?.nonceorwindow.pochipp_data?.ajax_nonce.
- Target Variable: Look for
5. Exploitation Strategy
The goal is to identify which nopriv AJAX action is missing authorization.
- Action Discovery:
- Grep the plugin directory for
wp_ajax_nopriv_:grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/pochipp/
- Grep the plugin directory for
- Targeting: Focus on actions that appear to perform modifications (e.g.,
pochipp_save_...,pochipp_update_..., orpochipp_create_...). - Payload Construction:
- URL:
http://[target]/wp-admin/admin-ajax.php - Body (URL-Encoded):
action=[vulnerable_action]_ajax_nonce=[extracted_nonce](if required)[param_name]=[malicious_value]
- URL:
- Execution: Use the
http_requesttool to send thePOSTrequest. - Detection: Look for a
200 OKresponse or a specific JSON success message (e.g.,{"success":true}).
6. Test Data Setup
- Plugin Installation: Ensure Pochipp version 1.18.0 is installed and activated.
- Content Creation: Create a standard post or page to test if the unauthorized action affects existing data.
- Verification Page: Create a public page using a Pochipp block to facilitate nonce extraction for the automated agent.
7. Expected Results
- Success: The HTTP response indicates the action was performed (e.g., a status code of 200 and a body of
1or a success JSON). - Effect: A plugin setting is changed, or a post/link is modified/created in the database, despite the request being unauthenticated.
8. Verification Steps
After the http_request is sent, verify the impact using WP-CLI:
- Check Options: If the action modifies settings:
wp option get [affected_option_name]
- Check Database: Use
wp db queryto inspect changes in thewp_postsor custom plugin tables. - Check Logs: Check the WordPress debug log (
/wp-content/debug.log) ifWP_DEBUGis enabled to see if any unauthorized errors were bypassed.
9. Alternative Approaches
- Insecure REST API: If no vulnerable AJAX action is found, check for REST API routes registered with
register_rest_routewhere thepermission_callbackis missing or set to__return_true.- Grep:
grep -r "register_rest_route" /var/www/html/wp-content/plugins/pochipp/
- Grep:
- Parameter Fuzzing: If an action is found but the parameters are unknown, fuzz common WordPress parameters like
id,value,content, orsettings.
Summary
The Pochipp plugin for WordPress (versions up to 1.18.0) is vulnerable to unauthorized access due to missing capability checks and/or nonce validation in its AJAX handlers. This flaw allows unauthenticated attackers to execute plugin-specific actions, such as product searches through affiliate APIs, by interacting with hooks registered via wp_ajax_nopriv_.
Exploit Outline
1. Action Discovery: Scan the plugin source code for the 'wp_ajax_nopriv_' string to identify AJAX actions accessible to unauthenticated users. 2. Nonce Acquisition: If the handler validates nonces, visit a public page where the Pochipp block or shortcode is present and extract the required nonce from localized JavaScript objects (likely 'pochipp_vars' or 'pochipp_data'). 3. Request Construction: Craft a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the identified vulnerable hook and include the extracted nonce and any necessary operational parameters (e.g., search keywords). 4. Execution: Submit the request to trigger the backend functionality; because the callback lacks a 'current_user_can()' check, the server will process the request regardless of the attacker's authentication status.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.