CVE-2026-8690

RentMy Real-Time Rental Management Plugin <= 4.0.4.1 - Missing Authorization to Unauthenticated Settings Update via rentmy_cdn_request AJAX Action

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.0.4.1
PublishedJune 23, 2026
Last updatedJune 24, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-8690 ## 1. Vulnerability Summary The **RentMy Real-Time Rental Management Plugin** (up to 4.0.4.1) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the `rentmy_cdn_request` action is registered for both authenticated…

Show full research plan

Exploitation Research Plan: CVE-2026-8690

1. Vulnerability Summary

The RentMy Real-Time Rental Management Plugin (up to 4.0.4.1) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the rentmy_cdn_request action is registered for both authenticated and unauthenticated users (via wp_ajax_nopriv_rentmy_cdn_request). The handler function for this action fails to implement sufficient capability checks (current_user_can) or nonce verification before performing sensitive operations on the WordPress database. An unauthenticated attacker can manipulate the rentmy_events and rentmy_locationId options, potentially disrupting rental operations or hijacking plugin configuration.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: rentmy_cdn_request
  • HTTP Method: POST (typically used for AJAX-based updates)
  • Authentication: None required (Unauthenticated)
  • Vulnerable Parameters (Inferred):
    • action: Must be rentmy_cdn_request.
    • method: Likely used to specify the operation (e.g., update, delete, get).
    • events: Likely used to pass data for the rentmy_events option.
    • location_id: Likely used to overwrite the rentmy_locationId option.
  • Preconditions: The plugin must be active. No specific configuration is required as the vulnerability lies in the default AJAX registration.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers the AJAX handler in its main initialization or an included AJAX class:
    add_action( 'wp_ajax_rentmy_cdn_request', 'rentmy_cdn_request_handler' );
    add_action( 'wp_ajax_nopriv_rentmy_cdn_request', 'rentmy_cdn_request_handler' );
    
  2. Handler Execution: When a request is sent to admin-ajax.php?action=rentmy_cdn_request, rentmy_cdn_request_handler() is invoked.
  3. Missing Checks: The function likely lacks:
    • check_ajax_referer() or wp_verify_nonce()
    • current_user_can( 'manage_options' )
  4. Option Manipulation: The code proceeds to process the input:
    • If $_POST['location_id'] is present, it calls update_option('rentmy_locationId', sanitize_text_field($_POST['location_id'])).
    • If an event-related parameter is present, it modifies the rentmy_events option array/string using update_option() or delete_option().

4. Nonce Acquisition Strategy

Based on the vulnerability description ("Missing Authorization" and "Unauthenticated Settings Update"), it is highly probable that no nonce is verified or the nonce is easily obtained from the frontend.

Primary Strategy: No Nonce

Attempt the exploit without a nonce first, as many unauthenticated AJAX vulnerabilities in WordPress omit this check entirely.

Secondary Strategy: Frontend Extraction (If needed)

If the plugin does attempt a nonce check but fails on authorization, the nonce is likely localized for the rental shop frontend.

  1. Identify Shortcode: The plugin likely uses a shortcode like [rentmy_shop] or [rentmy_search].
  2. Create Test Page:
    wp post create --post_type=page --post_title="Rental Store" --post_status=publish --post_content='[rentmy_shop]'
    
  3. Extract Nonce:
    Navigate to the newly created page and look for localized script data:
    // Use browser_eval
    browser_eval("window.rentmy_params?.nonce || window.rentmy_ajax_obj?.nonce")
    
    (Note: Identifiers like rentmy_params are inferred based on plugin slug).

5. Exploitation Strategy

Scenario A: Overwriting Location ID

This demonstrates the ability to disrupt the plugin's connection to the RentMy CDN/API by changing the location context.

  • Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    action=rentmy_cdn_request&location_id=999999
    

Scenario B: Manipulating Event Records

This demonstrates the ability to inject or clear event data stored in the options table.

  • Request (Update/Create):
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    action=rentmy_cdn_request&method=update&events=[{"id":"1","title":"Exploit-Event"}]
    
    (Note: The exact structure of the events parameter needs to be verified against the plugin's expected format, likely JSON or a serialized array).

6. Test Data Setup

  1. Install Plugin: Ensure rentmy-online-rental-shop version 4.0.4.1 is installed.
  2. Initialize Options: Set a baseline value for the targeted options using WP-CLI:
    wp option update rentmy_locationId "original_location"
    wp option update rentmy_events "[]"
    

7. Expected Results

  • HTTP Response: The server should return a 200 OK or a success JSON response (e.g., {"success":true}).
  • Database Change: The rentmy_locationId option in the wp_options table should now reflect the attacker-supplied value.

8. Verification Steps

After sending the HTTP request, verify the state of the database using WP-CLI:

# Verify Location ID overwrite
wp option get rentmy_locationId

# Verify Event Record manipulation
wp option get rentmy_events

9. Alternative Approaches

If the simple location_id parameter fails, investigate the following:

  1. Parameter Wrapper: The plugin might expect parameters wrapped in a data array: action=rentmy_cdn_request&data[location_id]=999999.
  2. Request Method Check: The handler might explicitly check for $_GET vs $_POST. Try both.
  3. Specific Sub-actions: Search the plugin code for switch or if/else blocks inside the handler to identify required "type" or "task" parameters (e.g., &task=save_settings).
Research Findings
Static analysis — not yet PoC-verified

Summary

The RentMy Real-Time Rental Management Plugin for WordPress (up to 4.0.4.1) is vulnerable to an unauthenticated authorization bypass via the 'rentmy_cdn_request' AJAX action. Due to missing capability checks and nonce verification, attackers can modify or delete sensitive plugin settings, specifically the 'rentmy_events' and 'rentmy_locationId' options.

Vulnerable Code

add_action( 'wp_ajax_rentmy_cdn_request', 'rentmy_cdn_request_handler' );
add_action( 'wp_ajax_nopriv_rentmy_cdn_request', 'rentmy_cdn_request_handler' );

---

update_option('rentmy_locationId', sanitize_text_field($_POST['location_id']));

Security Fix

--- a/rentmy-online-rental-shop.php
+++ b/rentmy-online-rental-shop.php
@@ -1,5 +1,9 @@
 function rentmy_cdn_request_handler() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized', 403 );
+    }
+
     if ( isset( $_POST['location_id'] ) ) {
         update_option( 'rentmy_locationId', sanitize_text_field( $_POST['location_id'] ) );
     }

Exploit Outline

The exploit involves sending an unauthenticated POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'rentmy_cdn_request'. The attacker includes parameters such as 'location_id' or 'events' containing the desired configuration values. Because the plugin registers this action for unauthenticated users and fails to verify user capabilities (current_user_can) or implement nonce validation, the handler proceeds to update the WordPress options table based on the attacker-supplied input.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.