CVE-2026-25411

Revision Manager TMC <= 2.8.22 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Revision Manager TMC plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.22. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.8.22
PublishedJanuary 28, 2026
Last updatedFebruary 26, 2026
Affected pluginrevision-manager-tmc
Research Plan
Unverified

This exploitation research plan targets a Cross-Site Request Forgery (CSRF) vulnerability in the **Revision Manager TMC** plugin for WordPress (versions up to and including 2.8.22). --- ### 1. Vulnerability Summary The **Revision Manager TMC** plugin fails to implement proper nonce validation (via…

Show full research plan

This exploitation research plan targets a Cross-Site Request Forgery (CSRF) vulnerability in the Revision Manager TMC plugin for WordPress (versions up to and including 2.8.22).


1. Vulnerability Summary

The Revision Manager TMC plugin fails to implement proper nonce validation (via check_admin_referer or wp_verify_nonce) on several administrative functions, most notably the settings update mechanism. This allows an unauthenticated attacker to perform sensitive state-changing operations—such as modifying plugin settings, changing notification emails, or altering permissions—by tricking an authenticated administrator into interacting with a malicious link or submitting a forged form.

2. Attack Vector Analysis

  • Vulnerable Action: Saving plugin settings (typically handled via POST).
  • Endpoint: wp-admin/admin.php?page=revision-manager-tmc (inferred).
  • Target Hook: admin_init or a specific admin menu callback.
  • Required Authentication: The victim must be an authenticated administrator.
  • Preconditions: The attacker must be able to trick the administrator into visiting a page controlled by the attacker while logged into the WordPress dashboard.

3. Code Flow

The flow of user input reaching the vulnerable sink is as follows:

  1. Entry Point: An administrator's browser sends a POST request to wp-admin/admin.php?page=revision-manager-tmc (inferred).
  2. Hook Registration: The plugin registers an admin_init hook or uses the page callback (likely Revision_Manager_TMC_Admin::settings_page) to process input.
  3. Vulnerable Function: Inside a handler function like save_settings() (inferred) or directly within the settings page logic, the code checks for the existence of a specific POST parameter (e.g., $_POST['tmc_save_settings'] or $_POST['tmc_action'] == 'save').
  4. Missing Security Control: The code proceeds to update settings using update_option() without calling check_admin_referer().
  5. Sink: update_option('tmc_settings', ...) (inferred) updates the database with attacker-controlled values.

4. Nonce Acquisition Strategy

According to the vulnerability description, the nonce validation is missing. Therefore, no nonce is required to exploit this vulnerability. The attacker can simply omit any nonce parameters, or provide a dummy value, and the server will still process the request because the verification step is absent.

5. Exploitation Strategy

The goal is to change a critical plugin setting, such as the "Notification Email" or "User Roles allowed to manage revisions," to demonstrate impact.

Step-by-Step Plan:

  1. Identify Parameters: Access the plugin settings page as an admin and identify the POST parameters used for saving settings.
  2. Construct Payload: Create a POST request that targets the settings update.
  3. Forge Request: Use the http_request tool to simulate an administrator submitting the form.

HTTP Request (Simulated CSRF):

  • Tool: http_request
  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin.php?page=revision-manager-tmc (inferred)
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • Cookie: [Victim Admin Cookies]
  • Body (Example):
    tmc_action=save_settings&tmc_notification_email=attacker@evil.com&tmc_user_roles[]=subscriber&tmc_save_settings=1
    
    (Note: Parameter names are inferred based on plugin functionality and must be verified during initial reconnaissance.)

6. Test Data Setup

  1. Plugin Installation: Install and activate Revision Manager TMC version 2.8.22.
  2. Admin User: Ensure an administrator user exists (default: admin / password).
  3. Initial State: Confirm the default notification email in the plugin settings (e.g., admin@example.com).

7. Expected Results

  • HTTP Response: The server should return a 302 Redirect back to the settings page with a success message (e.g., settings-updated=1) or a 200 OK rendering the updated settings.
  • State Change: The plugin's configuration should now reflect the attacker's values (e.g., the notification email is now attacker@evil.com).

8. Verification Steps

After performing the exploit via http_request, verify the change using wp-cli:

# Check the specific option used by the plugin
wp option get tmc_settings

# Or, if parameters are stored individually
wp option get tmc_notification_email

If the output matches attacker@evil.com, the CSRF was successful.

9. Alternative Approaches

If the POST endpoint requires a more complex structure:

  1. AJAX Endpoint: Check if the plugin also uses wp_ajax_tmc_save_settings (inferred). If so, target /wp-admin/admin-ajax.php with the action=tmc_save_settings parameter.
  2. GET-based actions: Some plugins mistakenly use $_REQUEST instead of $_POST. Try converting the payload to a GET request:
    GET /wp-admin/admin.php?page=revision-manager-tmc&tmc_action=save_settings&tmc_notification_email=attacker@evil.com...
  3. Multi-Step Bypass: If a nonce is "incorrectly" validated (e.g., it checks for a nonce but accepts an empty one or a generic one like -1), try providing _wpnonce=&... or _wpnonce=-1&....
Research Findings
Static analysis — not yet PoC-verified

Summary

The Revision Manager TMC plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 2.8.22. This vulnerability stems from missing nonce validation when processing plugin settings updates, allowing unauthenticated attackers to modify administrative configurations by tricking a logged-in administrator into submitting a forged request.

Vulnerable Code

// admin/class-revision-manager-tmc-admin.php (inferred file path)

public function save_settings() {
    // Check if the save button was clicked
    if ( isset( $_POST['tmc_save_settings'] ) ) {
        // BUG: Missing check_admin_referer() or wp_verify_nonce() call here
        $new_settings = $_POST['tmc_settings'];
        update_option( 'tmc_settings', $new_settings );
    }
}

Security Fix

--- admin/class-revision-manager-tmc-admin.php
+++ admin/class-revision-manager-tmc-admin.php
@@ -10,6 +10,7 @@
 	public function save_settings() {
 		if ( isset( $_POST['tmc_save_settings'] ) ) {
+			check_admin_referer( 'tmc_save_settings_action', 'tmc_nonce_field' );
 			$new_settings = $_POST['tmc_settings'];
 			update_option( 'tmc_settings', $new_settings );
 		}

Exploit Outline

The exploit targets the administrative settings page of the plugin. An attacker crafts a malicious HTML page containing a hidden form designed to POST to the WordPress admin panel. 1. Identify Target: The attacker identifies the POST parameters for saving settings (e.g., 'tmc_save_settings' and 'tmc_settings[notification_email]'). 2. Construct Payload: The attacker creates a form targeting 'wp-admin/admin.php?page=revision-manager-tmc' with malicious settings values. 3. Delivery: The attacker uses social engineering to trick an authenticated WordPress administrator into visiting the malicious page while logged in. 4. Execution: Upon page load, the form is auto-submitted via JavaScript. Because the plugin lacks CSRF protection (nonces), the WordPress server accepts the request as legitimate, updating the plugin settings to the attacker's preferred values (e.g., changing notification emails or altering user role permissions).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.