WP-Safety
CVE-2026-24532

SiteLock Security <= 5.0.2 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
5.0.3
Patched in
19d
Time to patch

Description

The SiteLock Security plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.0.2
PublishedJanuary 25, 2026
Last updatedFebruary 12, 2026
Affected pluginsitelock

Source Code

WordPress.org SVN
Vulnerable v5.0.2
Browse source Download .zip
Patched v5.0.3
Browse source Download .zip
Research Plan
Unverified

This research plan outlines the steps to identify and exploit CVE-2026-24532, a missing authorization vulnerability in the SiteLock Security plugin. ### 1. Vulnerability Summary The SiteLock Security plugin (up to 5.0.2) fails to implement proper capability checks (e.g., `current_user_can( 'manage_…

Show full research plan

This research plan outlines the steps to identify and exploit CVE-2026-24532, a missing authorization vulnerability in the SiteLock Security plugin.

1. Vulnerability Summary

The SiteLock Security plugin (up to 5.0.2) fails to implement proper capability checks (e.g., current_user_can( 'manage_options' )) on one or more of its AJAX handlers. While these handlers are registered for authenticated users via wp_ajax_{action}, they lack an internal check to ensure the user has administrative privileges. This allows any authenticated user, including those with the Subscriber role, to perform actions intended only for administrators, such as modifying security settings, clearing logs, or triggering scans.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Authentication: Authenticated (Subscriber-level minimum)
  • Vulnerable Action: Likely prefixed with sitelock_ or sl_. Based on typical plugin architecture, candidates include:
    • sitelock_save_settings
    • sitelock_trigger_scan
    • sitelock_hardening_action
  • Payload Parameter: action, nonce, and specific setting parameters (e.g., option_name, option_value).

3. Code Flow (Inferred)

  1. Registration: The plugin uses add_action( 'wp_ajax_...', 'callback_function' ) in its initialization class (likely includes/class-sitelock.php or admin/class-sitelock-admin.php).
  2. Entry Point: admin-ajax.php receives a POST request with the action parameter.
  3. Vulnerable Sink: The callback_function is invoked. It likely checks for a nonce using check_ajax_referer() but fails to call current_user_can().
  4. Execution: The function proceeds to execute sensitive logic, such as update_option() or triggering a system command/scan.

4. Nonce Acquisition Strategy

The plugin likely localizes a nonce for its administrative dashboard. Even if the dashboard is restricted, the script might be enqueued on other pages or the nonce might be accessible to any logged-in user.

  1. Identify Localized Variable: Look for wp_localize_script in the plugin source code.
    • Search Pattern: grep -r "wp_localize_script" wp-content/plugins/sitelock/
    • Target JS Object: Likely named sitelock_ajax or sl_vars.
  2. Locate Triggering Page: Determine where the scripts are enqueued (e.g., the plugin settings page).
  3. Extraction via Browser:
    • Create a Subscriber user.
    • Since a subscriber cannot access the admin settings page directly, check if the plugin enqueues the script on the dashboard (/wp-admin/index.php) or if the nonce is used for a shortcode-related feature.
    • If the nonce is generated for any logged-in user, use:
      browser_eval("window.sitelock_ajax?.nonce") (Replace sitelock_ajax with the actual identifier found).

5. Exploitation Strategy

We will attempt to disable a security feature or modify a setting.

  • Step 1: Identify Action. Use grep to find all registered wp_ajax_ actions and check their callbacks for missing current_user_can.
    • grep -rn "add_action.*wp_ajax_" wp-content/plugins/sitelock/
  • Step 2: Prepare Request.
    • URL: https://[target]/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded, Cookie: [Subscriber Cookies]
    • Body:
      action=[VULNERABLE_ACTION]&
_ajax_nonce=[NONCE]&
[SETTING_PARAM]=[MALICIOUS_VALUE]
  • Example Payload (Hypothetical):
    If the action is sitelock_toggle_hardening:
    action=sitelock_toggle_hardening&feature=login_security&enabled=0&_ajax_nonce=abc123def4

6. Test Data Setup

  1. Install Plugin: SiteLock Security version 5.0.2.
  2. Configure: Enable "WP Hardening" or "Login Security" features as an Admin.
  3. Create Attacker: Create a user with the subscriber role.
  4. Verification Page: If the plugin requires the script to be loaded for a nonce to exist, create a page with a plugin-specific shortcode:
    wp post create --post_type=page --post_status=publish --post_content='[sitelock_scanner]' (Confirm shortcode via grep -r "add_shortcode")

7. Expected Results

  • Success: The server returns a 200 OK or a JSON success message (e.g., {"success":true}).
  • Impact: A security setting that was previously enabled is now disabled, or a system operation is triggered without permission.
  • Bypass Confirmation: The action succeeds despite the user having only Subscriber permissions.

8. Verification Steps

After sending the HTTP request, use WP-CLI to verify the state change:

  • Check Option: wp option get sitelock_settings (Compare before and after).
  • Check Hardening Status: Use any CLI command provided by the plugin or inspect wp_options for relevant keys.
  • Example: wp option get sitelock_hardening_login_security should return 0 if successfully disabled.

9. Alternative Approaches

  • If Nonce is not required: Omit the nonce and check if check_ajax_referer is missing or called with die=false.
  • Information Disclosure: Look for AJAX actions that return data (e.g., sitelock_get_logs). A successful exploit would return sensitive log data to the Subscriber.
  • Setting Injection: Try to inject an arbitrary WordPress option if the handler uses a generic update_option($_POST['key'], $_POST['value']) pattern.
Research Findings
Static analysis — not yet PoC-verified

Summary

The SiteLock Security plugin for WordPress (up to version 5.0.2) fails to implement proper authorization checks on its AJAX handlers. This allows authenticated users with low privileges, such as Subscribers, to modify security settings, disable hardening features, or trigger administrative actions that should be restricted to administrators.

Vulnerable Code

/* File: admin/class-sitelock-admin.php (inferred) */

// Action registration in constructor or init
add_action( 'wp_ajax_sitelock_save_settings', array( $this, 'sitelock_save_settings_callback' ) );

// Vulnerable callback function
public function sitelock_save_settings_callback() {
    // Nonce check may be present, but capability check is missing
    check_ajax_referer( 'sitelock_nonce', 'security' );

    /* 
       Missing: if ( ! current_user_can( 'manage_options' ) ) { wp_die(); } 
    */

    $option_name = $_POST['option_name'];
    $option_value = $_POST['option_value'];
    
    update_option( $option_name, $option_value );
    wp_send_json_success();
}

Security Fix

--- admin/class-sitelock-admin.php
+++ admin/class-sitelock-admin.php
@@ -10,6 +10,10 @@
 public function sitelock_save_settings_callback() {
     check_ajax_referer( 'sitelock_nonce', 'security' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to do this.', 'sitelock' ) ) );
+    }
+
     $option_name = sanitize_text_field( $_POST['option_name'] );
     $option_value = sanitize_text_field( $_POST['option_value'] );

Exploit Outline

To exploit this vulnerability, an attacker needs authenticated access to the WordPress site (Subscriber role or higher). The exploit involves: 1. Identifying a registered administrative AJAX action (e.g., 'sitelock_save_settings') used by the plugin. 2. Extracting the required AJAX nonce ('sitelock_nonce'), which is often localized in JavaScript objects like 'sitelock_ajax' and may be accessible to all logged-in users if scripts are enqueued globally or on common dashboard pages. 3. Sending a POST request to '/wp-admin/admin-ajax.php' with the 'action' set to the target plugin function, the valid nonce, and parameters to change a security setting (e.g., setting a 'hardening' feature to '0' or 'disabled'). 4. The plugin executes the 'update_option' call without verifying that the requesting user has the 'manage_options' capability.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4a38e5d-758b-490e-9ada-c58646c4e8c9?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database