RentMy Real-Time Rental Management Plugin <= 4.0.4.1 - Missing Authorization to Unauthenticated Settings Update via rentmy_cdn_request AJAX Action
Description
The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.0.4.1# Exploitation Research Plan: CVE-2026-8690 ## 1. Vulnerability Summary The **RentMy Real-Time Rental Management Plugin** (up to 4.0.4.1) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the `rentmy_cdn_request` action is registered for both authenticated…
Show full research plan
Exploitation Research Plan: CVE-2026-8690
1. Vulnerability Summary
The RentMy Real-Time Rental Management Plugin (up to 4.0.4.1) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the rentmy_cdn_request action is registered for both authenticated and unauthenticated users (via wp_ajax_nopriv_rentmy_cdn_request). The handler function for this action fails to implement sufficient capability checks (current_user_can) or nonce verification before performing sensitive operations on the WordPress database. An unauthenticated attacker can manipulate the rentmy_events and rentmy_locationId options, potentially disrupting rental operations or hijacking plugin configuration.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
rentmy_cdn_request - HTTP Method: POST (typically used for AJAX-based updates)
- Authentication: None required (Unauthenticated)
- Vulnerable Parameters (Inferred):
action: Must berentmy_cdn_request.method: Likely used to specify the operation (e.g.,update,delete,get).events: Likely used to pass data for therentmy_eventsoption.location_id: Likely used to overwrite therentmy_locationIdoption.
- Preconditions: The plugin must be active. No specific configuration is required as the vulnerability lies in the default AJAX registration.
3. Code Flow (Inferred)
- Entry Point: The plugin registers the AJAX handler in its main initialization or an included AJAX class:
add_action( 'wp_ajax_rentmy_cdn_request', 'rentmy_cdn_request_handler' ); add_action( 'wp_ajax_nopriv_rentmy_cdn_request', 'rentmy_cdn_request_handler' ); - Handler Execution: When a request is sent to
admin-ajax.php?action=rentmy_cdn_request,rentmy_cdn_request_handler()is invoked. - Missing Checks: The function likely lacks:
check_ajax_referer()orwp_verify_nonce()current_user_can( 'manage_options' )
- Option Manipulation: The code proceeds to process the input:
- If
$_POST['location_id']is present, it callsupdate_option('rentmy_locationId', sanitize_text_field($_POST['location_id'])). - If an event-related parameter is present, it modifies the
rentmy_eventsoption array/string usingupdate_option()ordelete_option().
- If
4. Nonce Acquisition Strategy
Based on the vulnerability description ("Missing Authorization" and "Unauthenticated Settings Update"), it is highly probable that no nonce is verified or the nonce is easily obtained from the frontend.
Primary Strategy: No Nonce
Attempt the exploit without a nonce first, as many unauthenticated AJAX vulnerabilities in WordPress omit this check entirely.
Secondary Strategy: Frontend Extraction (If needed)
If the plugin does attempt a nonce check but fails on authorization, the nonce is likely localized for the rental shop frontend.
- Identify Shortcode: The plugin likely uses a shortcode like
[rentmy_shop]or[rentmy_search]. - Create Test Page:
wp post create --post_type=page --post_title="Rental Store" --post_status=publish --post_content='[rentmy_shop]' - Extract Nonce:
Navigate to the newly created page and look for localized script data:
(Note: Identifiers like// Use browser_eval browser_eval("window.rentmy_params?.nonce || window.rentmy_ajax_obj?.nonce")rentmy_paramsare inferred based on plugin slug).
5. Exploitation Strategy
Scenario A: Overwriting Location ID
This demonstrates the ability to disrupt the plugin's connection to the RentMy CDN/API by changing the location context.
- Request:
POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=rentmy_cdn_request&location_id=999999
Scenario B: Manipulating Event Records
This demonstrates the ability to inject or clear event data stored in the options table.
- Request (Update/Create):
(Note: The exact structure of thePOST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=rentmy_cdn_request&method=update&events=[{"id":"1","title":"Exploit-Event"}]eventsparameter needs to be verified against the plugin's expected format, likely JSON or a serialized array).
6. Test Data Setup
- Install Plugin: Ensure
rentmy-online-rental-shopversion 4.0.4.1 is installed. - Initialize Options: Set a baseline value for the targeted options using WP-CLI:
wp option update rentmy_locationId "original_location" wp option update rentmy_events "[]"
7. Expected Results
- HTTP Response: The server should return a
200 OKor a success JSON response (e.g.,{"success":true}). - Database Change: The
rentmy_locationIdoption in thewp_optionstable should now reflect the attacker-supplied value.
8. Verification Steps
After sending the HTTP request, verify the state of the database using WP-CLI:
# Verify Location ID overwrite
wp option get rentmy_locationId
# Verify Event Record manipulation
wp option get rentmy_events
9. Alternative Approaches
If the simple location_id parameter fails, investigate the following:
- Parameter Wrapper: The plugin might expect parameters wrapped in a
dataarray:action=rentmy_cdn_request&data[location_id]=999999. - Request Method Check: The handler might explicitly check for
$_GETvs$_POST. Try both. - Specific Sub-actions: Search the plugin code for
switchorif/elseblocks inside the handler to identify required "type" or "task" parameters (e.g.,&task=save_settings).
Summary
The RentMy Real-Time Rental Management Plugin for WordPress (up to 4.0.4.1) is vulnerable to an unauthenticated authorization bypass via the 'rentmy_cdn_request' AJAX action. Due to missing capability checks and nonce verification, attackers can modify or delete sensitive plugin settings, specifically the 'rentmy_events' and 'rentmy_locationId' options.
Vulnerable Code
add_action( 'wp_ajax_rentmy_cdn_request', 'rentmy_cdn_request_handler' ); add_action( 'wp_ajax_nopriv_rentmy_cdn_request', 'rentmy_cdn_request_handler' ); --- update_option('rentmy_locationId', sanitize_text_field($_POST['location_id']));
Security Fix
@@ -1,5 +1,9 @@ function rentmy_cdn_request_handler() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( 'Unauthorized', 403 ); + } + if ( isset( $_POST['location_id'] ) ) { update_option( 'rentmy_locationId', sanitize_text_field( $_POST['location_id'] ) ); }
Exploit Outline
The exploit involves sending an unauthenticated POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'rentmy_cdn_request'. The attacker includes parameters such as 'location_id' or 'events' containing the desired configuration values. Because the plugin registers this action for unauthenticated users and fails to verify user capabilities (current_user_can) or implement nonce validation, the handler proceeds to update the WordPress options table based on the attacker-supplied input.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.