CVE-2026-25344

Review Schema – Review & Structure Data Schema Plugin <= 2.2.6 - Authenticated (Subscriber+) Information Exposure

Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 4.3
Severity: medium
Patched in: 2.2.7
Time to patch: 11d

Description

The Review Schema – Review & Structure Data Schema Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <=2.2.6
Published: March 23, 2026
Last updated: April 2, 2026
Affected plugin: review-schema

What Changed in the Fix

Changes introduced in v2.2.7


Source Code

WordPress.org SVN
Research Plan
Unverified


This research plan outlines the technical steps required to exploit CVE-2026-25344, a Sensitive Information Exposure vulnerability in the Review Schema plugin for WordPress.

1. Vulnerability Summary

The Review Schema plugin (up to version 2.2.6) contains an authenticated information exposure vulnerability. The plugin registers several AJAX actions that fail to implement proper capability checks (e.g., current_user_can( 'manage_options' )). Specifically, the rtrs_get_settings action allows any authenticated user, including those with Subscriber-level permissions, to retrieve sensitive plugin configuration data. This data includes settings stored in the WordPress options table, which may contain reCAPTCHA keys, social media profile links, and internal plugin configurations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: rtrs_get_settings (Inferred from RadiusTheme patterns and AjaxController.php initialization).
  • HTTP Method: POST
  • Authentication: Authenticated (Subscriber-level and above).
  • Vulnerable Parameters:
    • tab: Specifies which settings group to retrieve (e.g., review, schema, woocommerce, media, misc).
    • section: Specifies a subsection within a tab (e.g., social_profiles for the schema tab).
  • Nonce Requirement: Yes, the action requires a nonce (likely with the action string rtrs-nonce).

3. Code Flow

  1. Entry Point: The AjaxController (in app/Controllers/Ajax/AjaxController.php) initializes the Review AJAX controller.
  2. Registration: The Review controller (or similar) registers wp_ajax_rtrs_get_settings.
  3. Missing Check: The handler for rtrs_get_settings (likely inside a Review.php or Migration.php file not included in the source available for review) uses logic similar to AdminSettings::setTabs() to construct an option name.
  4. Data Retrieval: It calls get_option() on the constructed option name (e.g., review_settings) and returns the JSON-encoded value.
  5. Sink: The handler uses wp_send_json_success() to output the data to the requester without verifying if the user has administrative privileges.
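To make the missing check concrete, here is an added illustration that is not the plugin's own code (this page does not show it): a hypothetical admin-ajax handler following the flow just described, beside a hardened version that adds the capability check. The function names, the rtrs-nonce action string and the tab-to-option mapping (e.g. review_settings) are assumptions taken from this plan.

```php
<?php
// Hypothetical reconstruction of the flow described above; not the plugin's code.
// The option name is derived from the 'tab' parameter, as the plan infers.

// Before: check_ajax_referer() proves the request came from a logged-in session
// that saw the localized script; it says nothing about the caller's role.
function rtrs_get_settings_before() {
    check_ajax_referer( 'rtrs-nonce', 'nonce' );
    $tab     = isset( $_POST['tab'] ) ? sanitize_key( $_POST['tab'] ) : 'review';
    $section = isset( $_POST['section'] ) ? sanitize_key( $_POST['section'] ) : '';
    $data    = get_option( $tab . '_settings', array() );
    if ( '' !== $section && isset( $data[ $section ] ) ) {
        $data = $data[ $section ];
    }
    wp_send_json_success( $data ); // sink: returned to any Subscriber
}

// After: authority (capability) is checked in addition to intent (nonce), and the
// option name can only be one of the known settings groups.
function rtrs_get_settings_after() {
    check_ajax_referer( 'rtrs-nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so nothing below runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $allowed = array( 'review', 'schema', 'woocommerce', 'media', 'misc' );
    $tab     = isset( $_POST['tab'] ) ? sanitize_key( $_POST['tab'] ) : 'review';
    if ( ! in_array( $tab, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown settings tab.' ), 400 );
    }
    $section = isset( $_POST['section'] ) ? sanitize_key( $_POST['section'] ) : '';
    $data    = get_option( $tab . '_settings', array() );
    if ( '' !== $section ) {
        $data = isset( $data[ $section ] ) ? $data[ $section ] : array();
    }
    wp_send_json_success( $data );
}

// Register only the hardened handler on the logged-in hook; no wp_ajax_nopriv_
// variant is registered, so unauthenticated callers never reach it.
add_action( 'wp_ajax_rtrs_get_settings', 'rtrs_get_settings_after' );
```

Even with the capability check in place, values such as the reCAPTCHA keys named in the summary should be filtered out of any JSON response rather than relying on the role check alone.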

4. Nonce Acquisition Strategy

RadiusTheme plugins typically localize nonces for AJAX actions. To obtain a valid nonce as a Subscriber:

  1. Shortcode Identification: The plugin uses shortcodes like [rtrs-affiliate] (from AddMetaBox.php).
  2. Page Creation: Create a public page containing the shortcode. This ensures the plugin's scripts and localized variables are loaded.
  3. Execution:
    • Use wp post create to create a page with [rtrs-affiliate id="1"].
    • Navigate to the page as a Subscriber.
    • Use browser_eval to extract the nonce from the rtrs_ajax or rtrs_admin object.
  4. Verbatim Identifiers:
    • JS Variable: `window.rtrs_ajax
