CVE-2026-28104

Site Suggest <= 1.3.9 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Site Suggest plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3.9
PublishedFebruary 26, 2026
Last updatedMarch 5, 2026
Affected pluginsite-suggest
Research Plan
Unverified

Since the source files for **Site Suggest <= 1.3.9** are not provided, this research plan is based on the vulnerability description (Missing Authorization), the CVSS vector (Unauthenticated, Integrity impact), and standard WordPress plugin architecture. ### 1. Vulnerability Summary The **Site Sugge…

Show full research plan

Since the source files for Site Suggest <= 1.3.9 are not provided, this research plan is based on the vulnerability description (Missing Authorization), the CVSS vector (Unauthenticated, Integrity impact), and standard WordPress plugin architecture.

1. Vulnerability Summary

The Site Suggest plugin for WordPress (versions up to 1.3.9) contains a missing authorization vulnerability. Specifically, an AJAX handler or a function hooked to admin_init (which runs on admin-ajax.php) fails to verify the user's capabilities via current_user_can(). This allows an unauthenticated attacker to trigger a state-changing action, likely related to the plugin's suggestion or configuration features.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action (Inferred): Likely site_suggest_submit, site_suggest_save, or site_suggest_dismiss_notice.
  • Parameters: action, security (if nonce-protected), and payload parameters (e.g., suggestion_data, setting_name, value).
  • Preconditions: The plugin must be active. If the vulnerability is in a wp_ajax_nopriv_ handler, no authentication is required. If it's in an admin_init hook, it can be triggered by any visitor hitting admin-ajax.php.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php.
  2. Hook Registration: The plugin registers a handler:
    // Inferred registration
    add_action( 'wp_ajax_nopriv_site_suggest_action', 'site_suggest_handle_request' );
    // OR
    add_action( 'admin_init', 'site_suggest_check_settings_save' );
    
  3. Vulnerable Function: The callback function (e.g., site_suggest_handle_request) is executed.
  4. The Flaw: The function proceeds to update options (update_option), modify the database, or send emails without checking current_user_can( 'manage_options' ). It may also lack a nonce check (check_ajax_referer).

4. Nonce Acquisition Strategy

If the vulnerable endpoint checks for a nonce, it is likely localized for front-end use.

  1. Identify Script Localization: Search the plugin code for wp_localize_script.
    • grep -r "wp_localize_script" .
  2. Identify Shortcode/Page: Find which shortcode or widget enqueues the script.
    • grep -r "add_shortcode" .
  3. Setup Test Page:
    • wp post create --post_type=page --post_status=publish --post_title="Suggestion Page" --post_content='[site_suggest_form]' (using the inferred shortcode name).
  4. Extract Nonce:
    • Navigate to the new page using browser_navigate.
    • Use browser_eval to extract the nonce from the global JS object:
      • Example: browser_eval("window.siteSuggestConfig?.nonce") (Replace siteSuggestConfig with the actual localized object name found in step 1).

5. Exploitation Strategy

The goal is to perform an unauthorized action, such as modifying a plugin setting or injecting a malicious suggestion.

Step 1: Discovery
Verify the exact AJAX action by searching the plugin source:

grep -rn "wp_ajax_nopriv_" .

Identify the callback function and check if it modifies data (e.g., uses update_option, wp_insert_post, or $wpdb->insert).

Step 2: Craft Payload
Assuming the action is site_suggest_save_settings (inferred) and it accepts a settings array:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Body: action=site_suggest_save_settings&setting_name=some_option&setting_value=malicious_value (Add nonce=... if required).

Step 3: Execute Request
Use the http_request tool to send the POST payload.

6. Test Data Setup

  1. Install and activate the site-suggest plugin (version <= 1.3.9).
  2. Ensure the plugin is configured with default settings.
  3. Create a public page containing the plugin's suggestion form if a nonce is required for unauthenticated users.

7. Expected Results

  • Response: A successful response (e.g., 200 OK, {"success":true}, or 1).
  • Effect: A plugin setting is changed, or a new "suggestion" entry appears in the database/admin dashboard that was not previously there.

8. Verification Steps

After the exploit, verify the impact using WP-CLI:

  • Check Options: wp option get site_suggest_settings (Verify if the value was updated).
  • Check Suggestions: wp post list --post_type=site_suggestion (Check for unauthorized post creation if the plugin uses a custom post type).
  • Check Database: wp db query "SELECT * FROM wp_options WHERE option_name LIKE '%site_suggest%'".

9. Alternative Approaches

  • Admin-Init Bypass: If no wp_ajax_nopriv is found, check for functions hooked to admin_init. Since admin-ajax.php triggers admin_init, any function there that doesn't check capabilities can be reached by an unauthenticated user by calling admin-ajax.php?action=anything.
  • Parameter Fuzzing: If the callback uses $_REQUEST or $_POST dynamically, attempt to overwrite sensitive WordPress options like users_can_register or default_role (though this is less likely in a Missing Authorization vulnerability than a Settings Update vulnerability).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.