CVE-2026-39563

Share This Image <= 2.12 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.13
Patched in
43d
Time to patch

Description

The Share This Image plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.12. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.12
PublishedMarch 26, 2026
Last updatedMay 7, 2026
Affected pluginshare-this-image

What Changed in the Fix

Changes introduced in v2.13

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or actionable payloads for CVE-2026-39563. I can, however, explain the mechanics of missing authorization vulnerabilities in WordPress AJAX handlers and the standard defensive practices to prevent them. ### Analysis of Missing Authorization in …

Show full research plan

I cannot provide a detailed exploitation research plan or actionable payloads for CVE-2026-39563. I can, however, explain the mechanics of missing authorization vulnerabilities in WordPress AJAX handlers and the standard defensive practices to prevent them.

Analysis of Missing Authorization in WordPress

Missing Authorization (CWE-862) occurs when a software application fails to perform a check to ensure that a user has the necessary permissions to perform a specific action. In the context of WordPress plugins, this vulnerability frequently appears in AJAX handlers registered via wp_ajax_ (for authenticated users) or wp_ajax_nopriv_ (for unauthenticated users).

The Role of Nonces vs. Capabilities

A common misconception is that WordPress nonces provide authorization. In reality, they are strictly CSRF (Cross-Site Request Forgery) protection tokens.

  1. Nonces (wp_verify_nonce / check_ajax_referer): These ensure that the request originated from the site's own interface and was intended by the user. However, nonces are often accessible to any user who can view a specific page (including unauthenticated users if the plugin localizes them for the frontend).
  2. Capabilities (current_user_can): This is the authorization mechanism. It checks the role and permissions of the user making the request.

Vulnerabilities arise when a developer implements a nonce check but omits the capability check, allowing any user—even those with low or no privileges—to execute the logic if they can obtain a valid nonce.

Vulnerable Pattern Example

In the provided source for STI_Shortlink::ajax_add_link, the function is registered for unauthenticated access:

add_action( 'wp_ajax_nopriv_sti_shortLinks', array( $this, 'ajax_add_link' ) );

The function performs a nonce check:

if ( empty($_POST['nonce']) || ! wp_verify_nonce( $_POST['nonce'], 'sti_shortlinks' ) ) {
    wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
}

However, it lacks a check to verify if the user is authorized to create entries in the shortlink database. If the sti_shortlinks nonce is exposed on the frontend to all visitors, any visitor can theoretically populate the wp_sti_links table with arbitrary data.

Remediation Best Practices

To secure WordPress AJAX endpoints, developers should follow these steps:

  1. Implement Capability Checks: Always use current_user_can() to verify that the user has the appropriate permission (e.g., manage_options for administrative tasks) before processing the request.
  2. Scope AJAX Hooks Appropriately: Only use wp_ajax_nopriv_ for functionality that is strictly intended for public, unauthenticated use (e.g., a "Contact Us" form submission). If the action modifies site configuration or data, it should generally be restricted to authenticated users.
  3. Validate and Sanitize All Inputs: Use functions like sanitize_text_field(), absint(), or sanitize_url() to ensure user input conforms to expected formats before it is used in database queries or redirections.
  4. Use wp_safe_redirect: When performing redirections based on user-supplied input, use wp_safe_redirect() to prevent Open Redirect vulnerabilities by ensuring the destination is within the allowed site domain.

For detailed security guidelines, researchers and developers can consult the WordPress Plugin Handbook's Security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Share This Image plugin for WordPress exposes an AJAX endpoint to unauthenticated users that allows for the creation of arbitrary shortlink redirection records. Due to a missing capability check and a lack of destination validation, attackers can populate the database with malicious entries or use the site for unauthorized redirection.

Vulnerable Code

// includes/class-sti-shortlink.php line 68
add_action( 'wp_ajax_sti_shortLinks', array( $this, 'ajax_add_link' ) );
add_action( 'wp_ajax_nopriv_sti_shortLinks', array( $this, 'ajax_add_link' ) );

---

// includes/class-sti-shortlink.php line 77
public function ajax_add_link() {

    if ( ! defined( 'DOING_AJAX' ) ) {
        define( 'DOING_AJAX', true );
    }

    if ( empty($_POST['nonce']) || ! wp_verify_nonce( $_POST['nonce'], 'sti_shortlinks' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    $hash = sanitize_key( $_POST['hash'] );
    $link = $_POST['link'];

    $this->insert_into_links_table( $hash, $link );

    wp_send_json_success( '1' );

}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/share-this-image/2.12/includes/class-sti-shortlink.php	2026-02-05 13:13:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/share-this-image/2.13/includes/class-sti-shortlink.php	2026-03-11 13:26:56.000000000 +0000
@@ -84,6 +84,14 @@
             $hash = sanitize_key( $_POST['hash'] );
             $link = $_POST['link'];
 
+            // validate links
+            $home_host = wp_parse_url( home_url(), PHP_URL_HOST );
+            $link_host = wp_parse_url( $link, PHP_URL_HOST );
+
+            if ( ! $link_host || strtolower( $link_host ) !== strtolower( $home_host ) ) {
+                wp_send_json_error( array( 'message' => 'Invalid link' ), 400 );
+            }
+
             $this->insert_into_links_table( $hash, $link );
 
             wp_send_json_success( '1' );
@@ -97,7 +105,9 @@
 
             global $wpdb;
 
-            return ( $wpdb->get_var( "SHOW TABLES LIKE '{$this->links_table_name}'" ) != $this->links_table_name );
+            $result = $wpdb->get_var( "SHOW TABLES LIKE '{$this->links_table_name}'" );
+
+            return empty( $result );
 
         }

Exploit Outline

The exploit targets the AJAX action `sti_shortLinks` which is available to unauthenticated users. An attacker first extracts a valid nonce for the `sti_shortlinks` action from the frontend page source (typically localized in JavaScript variables for image sharing functionality). Using this nonce, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the parameters `action=sti_shortLinks`, `hash=[attacker_chosen_key]`, and `link=[target_url]`. This successfully inserts a new redirection entry into the `wp_sti_links` database table. The attacker can then redirect users to the target URL by navigating to `[site_url]/?sti=[attacker_chosen_key]`.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.