SALESmanago <= 3.9.0 - Missing Authorization
Description
The SALESmanago & Leadoo plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.9.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.9.0Source Code
WordPress.org SVNThis research plan outlines the investigation and exploitation of **CVE-2025-68571**, a missing authorization vulnerability in the **SALESmanago & Leadoo** plugin (version <= 3.9.0). --- ### 1. Vulnerability Summary The SALESmanago & Leadoo plugin fails to implement proper authorization checks (ca…
Show full research plan
This research plan outlines the investigation and exploitation of CVE-2025-68571, a missing authorization vulnerability in the SALESmanago & Leadoo plugin (version <= 3.9.0).
1. Vulnerability Summary
The SALESmanago & Leadoo plugin fails to implement proper authorization checks (capability checks) on certain AJAX or initialization handlers. This allows unauthenticated attackers to trigger sensitive actions—potentially modifying plugin settings, such as API credentials or integration configurations—that should be restricted to administrators.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(inferred) or a directPOSTto a page triggeringadmin_init. - Vulnerable Action: An AJAX action registered via
wp_ajax_nopriv_that performs administrative tasks, or a handler hooked toinit/admin_initlackingcurrent_user_can(). - Payload Parameter: Likely
POSTparameters corresponding to plugin settings (e.g.,sm_client_id,sm_api_secret,sm_endpoint). - Authentication: Unauthenticated (No login required).
- Preconditions: The plugin must be installed and active.
3. Code Flow (Inferred)
- The plugin registers an entry point, likely in the main plugin file or an admin controller:
add_action( 'wp_ajax_nopriv_sm_save_settings', 'sm_save_settings_callback' );(inferred) - The callback function
sm_save_settings_callback()(inferred) is executed. - The function retrieves values from
$_POST. - The Flaw: The function lacks a check for
current_user_can( 'manage_options' )and may also lack a valid nonce verification for unauthenticated users. - The function calls
update_option()to save the attacker-supplied values into the WordPress database.
4. Nonce Acquisition Strategy
If the plugin uses wp_localize_script to provide a nonce for its AJAX actions:
- Identify the Shortcode: Search the plugin code for
add_shortcode. If the scripts only load on specific pages, we need to create a page with that shortcode.- CLI Search:
grep -r "add_shortcode" /var/www/html/wp-content/plugins/salesmanago/
- CLI Search:
- Create Test Page:
wp post create --post_type=page --post_status=publish --post_title="SmTest" --post_content='[salesmanago_shortcode]'(shortcode name is inferred). - Navigate and Extract: Use
browser_navigateto visit the new page. - Extract via Browser: Use
browser_evalto find the nonce in the global JS object.- Inferred JS Variable:
window.sm_ajax_obj?.nonceorwindow.SM_Data?.ajax_nonce.
- Inferred JS Variable:
5. Exploitation Strategy
This plan assumes the vulnerability allows updating plugin settings via admin-ajax.php.
Step 1: Identify the exact AJAX action.
Run a grep to find all wp_ajax_nopriv actions in the plugin:grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/salesmanago/
Step 2: Analyze the callback.
Locate the function associated with the nopriv action and check if it calls update_option. Note the parameter names (e.g., clientId, apiKey).
Step 3: Construct the Exploit Request.
Use the http_request tool to send a malicious POST request.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=[INFERRED_ACTION]&sm_client_id=ATTACKER_ID&sm_api_secret=ATTACKER_SECRET&nonce=[EXTRACTED_NONCE]
6. Test Data Setup
- Install Plugin: Ensure
salesmanagoversion 3.9.0 is installed. - Initial State: Check existing settings to ensure they are empty or set to defaults.
wp option get salesmanago_settings(option name inferred). - Public Page: If a nonce is required, create a page with the plugin's shortcode as described in Section 4.
7. Expected Results
- HTTP Response: The server should return a
200 OKor a JSON success message (e.g.,{"success":true}). - Data Modification: The plugin settings in the
wp_optionstable should be updated to the attacker's values. - Impact: By changing the API credentials, the attacker can redirect lead data to their own SALESmanago account or disable the integration.
8. Verification Steps
After sending the HTTP request, verify the change using WP-CLI:
wp option get salesmanago_settings(inferred option name).- Verify if the
sm_client_idor equivalent matchesATTACKER_ID.
9. Alternative Approaches
- Setting Injection via init: If no AJAX action is found, check for
add_action( 'init', ... )oradd_action( 'admin_init', ... )in the main plugin files. Sometimes plugins process$_POSTglobally without checking if the user is in the admin dashboard. - Check for
sm_prefixes: Many SALESmanago parameters will likely be prefixed withsm_. Search forupdate_optioncalls that use$_POSTor$_REQUESTvalues directly.grep -rn "update_option" /var/www/html/wp-content/plugins/salesmanago/ | grep "POST"
Summary
The SALESmanago & Leadoo plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on its settings-handling functions in versions up to 3.9.0. This allows unauthenticated attackers to modify critical plugin configurations, such as API credentials, which can lead to lead data redirection or service disruption.
Exploit Outline
1. Identify the specific AJAX action registered via wp_ajax_nopriv_ or an unprotected admin_init handler that processes the plugin's configuration update logic. 2. If the plugin utilizes a nonce for security, visit a public-facing page where the plugin's shortcode or scripts are active to extract the nonce from the localized JavaScript object (e.g., window.SM_Data). 3. Construct a POST request to /wp-admin/admin-ajax.php containing the identified action and malicious parameters for the settings (e.g., sm_client_id, sm_api_secret). 4. Upon execution, the server processes the request without verifying the user's administrative privileges, overwriting the integration settings in the database.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.