CVE-2025-66129

Pochipp <= 1.18.0 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.18.1
Patched in
24d
Time to patch

Description

The Pochipp plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.18.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.18.0
PublishedDecember 14, 2025
Last updatedJanuary 6, 2026
Affected pluginpochipp

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-66129 (Pochipp) ## 1. Vulnerability Summary The **Pochipp** plugin for WordPress (versions <= 1.18.0) contains a **Missing Authorization** vulnerability. The plugin registers one or more AJAX handlers that are accessible to unauthenticated users (via `wp_ajax_…

Show full research plan

Exploitation Research Plan: CVE-2025-66129 (Pochipp)

1. Vulnerability Summary

The Pochipp plugin for WordPress (versions <= 1.18.0) contains a Missing Authorization vulnerability. The plugin registers one or more AJAX handlers that are accessible to unauthenticated users (via wp_ajax_nopriv_ hooks) but fails to implement a capability check (e.g., current_user_can()) or a robust nonce validation within the callback function. This allows an unauthenticated attacker to trigger actions that should be restricted to administrators, potentially leading to unauthorized data modification or configuration changes.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: pochipp_... (The specific action name is inferred; likely related to block settings or link management).
  • HTTP Method: POST
  • Authentication: None Required (PR:N).
  • Preconditions: The plugin must be active. If the handler requires a nonce, the attacker must be able to retrieve it from a public-facing page where Pochipp assets are loaded.

3. Code Flow (Inferred)

  1. Entry Point: The attacker sends a POST request to admin-ajax.php with a specific action parameter.
  2. Hook Execution: WordPress executes the hook registered via add_action('wp_ajax_nopriv_[action_name]', ...) in the plugin's initialization logic (likely in an Ajax class or the main plugin file).
  3. Missing Check: The callback function associated with the hook is executed. It performs logic (such as updating database entries or settings) without verifying if the requesting user has the necessary permissions (e.g., manage_options).
  4. Sink: The function calls a WordPress API like update_option(), wp_update_post(), or performs a direct database query via $wpdb.

4. Nonce Acquisition Strategy

If the vulnerable handler uses check_ajax_referer() or wp_verify_nonce(), the nonce must be obtained from the frontend.

  1. Identify Script Localization: Pochipp likely enqueues scripts that contain nonces for its blocks.
  2. Setup: Create a page containing a Pochipp-related block or shortcode to ensure the scripts are loaded.
    • Command: wp post create --post_type=page --post_status=publish --post_title="Pochipp Test" --post_content='<!-- wp:pochipp/block /-->' (Shortcode/Block name inferred).
  3. Extraction: Use the browser_navigate tool to visit the page and browser_eval to extract the nonce.
    • Target Variable: Look for pochipp_data or pochipp_vars (Inferred).
    • JavaScript: window.pochipp_vars?.nonce or window.pochipp_data?.ajax_nonce.

5. Exploitation Strategy

The goal is to identify which nopriv AJAX action is missing authorization.

  1. Action Discovery:
    • Grep the plugin directory for wp_ajax_nopriv_:
      grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/pochipp/
  2. Targeting: Focus on actions that appear to perform modifications (e.g., pochipp_save_..., pochipp_update_..., or pochipp_create_...).
  3. Payload Construction:
    • URL: http://[target]/wp-admin/admin-ajax.php
    • Body (URL-Encoded):
      • action=[vulnerable_action]
      • _ajax_nonce=[extracted_nonce] (if required)
      • [param_name]=[malicious_value]
  4. Execution: Use the http_request tool to send the POST request.
  5. Detection: Look for a 200 OK response or a specific JSON success message (e.g., {"success":true}).

6. Test Data Setup

  1. Plugin Installation: Ensure Pochipp version 1.18.0 is installed and activated.
  2. Content Creation: Create a standard post or page to test if the unauthorized action affects existing data.
  3. Verification Page: Create a public page using a Pochipp block to facilitate nonce extraction for the automated agent.

7. Expected Results

  • Success: The HTTP response indicates the action was performed (e.g., a status code of 200 and a body of 1 or a success JSON).
  • Effect: A plugin setting is changed, or a post/link is modified/created in the database, despite the request being unauthenticated.

8. Verification Steps

After the http_request is sent, verify the impact using WP-CLI:

  1. Check Options: If the action modifies settings:
    • wp option get [affected_option_name]
  2. Check Database: Use wp db query to inspect changes in the wp_posts or custom plugin tables.
  3. Check Logs: Check the WordPress debug log (/wp-content/debug.log) if WP_DEBUG is enabled to see if any unauthorized errors were bypassed.

9. Alternative Approaches

  • Insecure REST API: If no vulnerable AJAX action is found, check for REST API routes registered with register_rest_route where the permission_callback is missing or set to __return_true.
    • Grep: grep -r "register_rest_route" /var/www/html/wp-content/plugins/pochipp/
  • Parameter Fuzzing: If an action is found but the parameters are unknown, fuzz common WordPress parameters like id, value, content, or settings.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Pochipp plugin for WordPress (versions up to 1.18.0) is vulnerable to unauthorized access due to missing capability checks and/or nonce validation in its AJAX handlers. This flaw allows unauthenticated attackers to execute plugin-specific actions, such as product searches through affiliate APIs, by interacting with hooks registered via wp_ajax_nopriv_.

Exploit Outline

1. Action Discovery: Scan the plugin source code for the 'wp_ajax_nopriv_' string to identify AJAX actions accessible to unauthenticated users. 2. Nonce Acquisition: If the handler validates nonces, visit a public page where the Pochipp block or shortcode is present and extract the required nonce from localized JavaScript objects (likely 'pochipp_vars' or 'pochipp_data'). 3. Request Construction: Craft a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the identified vulnerable hook and include the extracted nonce and any necessary operational parameters (e.g., search keywords). 4. Execution: Submit the request to trigger the backend functionality; because the callback lacks a 'current_user_can()' check, the server will process the request regardless of the attacker's authentication status.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.