CVE-2026-24562

Ryviu – Product Reviews for WooCommerce <= 3.1.26 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Ryviu – Product Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.1.26. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.1.26
Published: January 22, 2026
Last updated: January 27, 2026
Affected plugin: ryviu
Research Plan
Unverified


This research plan outlines the steps to investigate and exploit CVE-2026-24562, a Missing Authorization vulnerability in the Ryviu – Product Reviews for WooCommerce plugin.

1. Vulnerability Summary

The Ryviu plugin (<= 3.1.26) contains an AJAX handler that lacks proper capability checks (current_user_can) or is registered using the wp_ajax_nopriv_ hook without adequate authorization logic. This allows unauthenticated attackers to perform actions intended for administrators, such as modifying plugin settings, triggering review imports, or manipulating existing review data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action (Inferred): The vulnerability likely resides in actions such as ryviu_save_setting, ryviu_import_reviews, or similar administrative functions found in the plugin's AJAX registration.
  • Payload Parameters: action, nonce (if checked), and the settings data (e.g., option_name, option_value).
  • Authentication: None (Unauthenticated).

3. Code Flow (Inferred)

  1. The plugin registers AJAX handlers during init or admin_init.
  2. A handler is registered via add_action( 'wp_ajax_nopriv_[ACTION_NAME]', ... ) or via wp_ajax_ but fails to check current_user_can( 'manage_options' ) inside the callback.
  3. The callback function extracts parameters from $_POST.
  4. The function calls update_option() or performs a sensitive database operation based on these parameters without verifying the requester's authority.

4. Nonce Acquisition Strategy

If the vulnerable function uses check_ajax_referer() or wp_verify_nonce(), we must retrieve a valid nonce. Ryviu typically enqueues its scripts on WooCommerce product pages.

Steps to obtain the nonce:

  1. Identify Shortcode: Search for add_shortcode in the plugin files to find the Ryviu review widget shortcode (e.g., [ryviu_widget]).
  2. Create Trigger Page: Create a public page/product containing this shortcode to ensure the plugin's JS and localized data are loaded.
    wp post create --post_type=product --post_title="Test Product" --post_status=publish --post_content='[ryviu_widget]'
    
  3. Navigate and Extract: Use the browser_navigate tool to go to the new product page.
  4. Extract JS Variable: Ryviu typically localizes data under a specific variable. Check the source for wp_localize_script.
    • Inferred JS Object: window.ryviu_localize or window.ryviu_admin.
    • Inferred Nonce Key: ajax_nonce or nonce.
    • Command: browser_eval("window.ryviu_localize?.nonce") (Replace with actual variable/key found).

5. Exploitation Strategy

Once the endpoint and nonce are identified:

  1. Locate the Handler:
    Search for wp_ajax_nopriv_ in the plugin directory:
    grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/ryviu/
    
  2. Verify Missing Auth:
    Examine the callback function. Look for the absence of:
    if ( ! current_user_can( 'manage_options' ) ) { ... }
    
  3. Craft the Request:
    Assume the vulnerable action is ryviu_save_setting (common pattern).
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=ryviu_save_setting&nonce=[NONCE]&setting_key=ryviu_api_key&setting_value=ATTACKER_CONTROLLED_VALUE
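The audit that steps 1 and 2 of this section and the code flow in section 3 describe (find wp_ajax_nopriv_ registrations, then check whether the callback that writes state ever calls current_user_can()) as an added Python script. This is an illustration, not Ryviu's code or a tool from the page; SAMPLE_PLUGIN_PHP and the demo_* handler names are constructed for it.

```python
import re
# Calls that change site state; a handler that uses them must verify a capability.
WRITE_CALLS = ("update_option", "delete_option", "add_option", "wp_insert_post", "wp_insert_comment")
# add_action( 'wp_ajax_[nopriv_]<action>', '<callback>' ); string callbacks only.
REG_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")

# Constructed sample (hypothetical demo_* names, not Ryviu's code): one handler writes an
# option behind a nonce check only, one is properly gated, one is read-only on nopriv.
SAMPLE_PLUGIN_PHP = r"""add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting' );
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting' );
add_action( 'wp_ajax_demo_import_reviews', 'demo_import_reviews' );
add_action( 'wp_ajax_nopriv_demo_get_widget', 'demo_get_widget' );
function demo_save_setting() {
    check_ajax_referer( 'demo_nonce', 'nonce' );   // CSRF token only, no authorization
    update_option( sanitize_key( $_POST['key'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}
function demo_import_reviews() {
    check_ajax_referer( 'demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( 'forbidden', 403 ); }
    wp_insert_comment( array( 'comment_content' => wp_unslash( $_POST['review'] ) ) );
    wp_send_json_success();
}
function demo_get_widget() {
    wp_send_json_success( get_option( 'demo_widget' ) );   // read-only
}"""

def function_body(src, name):
    """Return the brace-balanced body of a named PHP function, or None if absent."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    """Flag state-changing AJAX handlers lacking current_user_can() or exposed on wp_ajax_nopriv_."""
    findings = []
    for nopriv, action, cb in REG_RE.findall(src):
        body = (function_body(src, cb) or "").replace(" ", "")
        if not any(call + "(" in body for call in WRITE_CALLS):
            continue                                   # read-only handler: out of scope
        if "current_user_can(" not in body:
            findings.append((action, cb, "no capability check"))
        if nopriv:
            findings.append((action, cb, "state change reachable via wp_ajax_nopriv_"))
    return list(dict.fromkeys(findings))               # drop priv/nopriv duplicates
```

Run it over a real plugin file with audit_ajax_handlers(open(path).read()); it only resolves string callbacks, so array callbacks and closures must still be reviewed by hand.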

6. Test Data Setup

  1. Plugin Installation: Ensure Ryviu version <= 3.1.26 is active.
  2. WooCommerce: Ensure WooCommerce is active as Ryviu depends on it.
  3. Create Product: Create a WooCommerce product to serve as the nonce source.
  4. Baseline Check: Check the current state of a plugin option:
    wp option get ryviu_settings
    

7. Expected Results

  • Response: The server should return a 200 OK or a JSON success message (e.g., {"success": true}).
  • Impact: An administrative setting within the wp_options table (specifically those starting with ryviu_) will be modified despite the request being unauthenticated.

8. Verification Steps

  1. CLI Check: Verify the modification in the database:
    wp option get ryviu_settings
    # OR if it saves individual keys
    wp option get ryviu_api_key
    
  2. Log Review: Check the WordPress debug logs if errors occurred (if WP_DEBUG is on).

9. Alternative Approaches

  • Direct Option Manipulation: If the action allows arbitrary option updates (rare but possible), attempt to change users_can_register to 1 and default_role to administrator.
  • Review Injection: If the vulnerable action is ryviu_import_reviews, try to inject a malicious review with an XSS payload in the author or comment fields to target the admin dashboard.
  • Check admin_init hooks: Some plugins use admin_init for processing form submissions. Since admin_init runs on admin-ajax.php, if there is no capability check, any user can trigger it.
    grep -r "add_action.*admin_init" /var/www/html/wp-content/plugins/ryviu/
    
