CVE-2025-67575

Sitewide Notice WP <= 2.4.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.4.2
Patched in
6d
Time to patch

Description

The Sitewide Notice WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.4.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.4.1
PublishedDecember 15, 2025
Last updatedDecember 20, 2025
Affected pluginsitewide-notice-wp

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2025-67575 (Sitewide Notice WP) ## 1. Vulnerability Summary The **Sitewide Notice WP** plugin (versions <= 2.4.1) contains a **Missing Authorization** vulnerability. The flaw exists because the plugin registers a settings-update function to a hook that executes for unauthentica…

Show full research plan

Research Plan: CVE-2025-67575 (Sitewide Notice WP)

1. Vulnerability Summary

The Sitewide Notice WP plugin (versions <= 2.4.1) contains a Missing Authorization vulnerability. The flaw exists because the plugin registers a settings-update function to a hook that executes for unauthenticated users (likely admin_init or a wp_ajax_nopriv_* action) without implementing a current_user_can() check. This allows any network-level attacker to modify the plugin's configuration, including the global notice text and status, without being logged in.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (if AJAX-based) or /wp-admin/admin-post.php (if using standard POST handlers).
  • Vulnerable Action: The function is likely triggered by the snwp_save_settings or snw_update_options action (inferred).
  • Parameters:
    • action: The registered hook name.
    • snwp_notice_text: The content of the notice (payload sink).
    • snwp_notice_status: Toggle for enabling/disabling the notice.
  • Authentication: Unauthenticated (PR:N).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Registration: The plugin uses add_action( 'admin_init', 'snw_save_settings_function' ).
  2. Execution: Since admin_init fires on admin-ajax.php and admin-post.php regardless of authentication, the function runs.
  3. Missing Check: The function snw_save_settings_function checks if specific $_POST keys are present but fails to verify current_user_can( 'manage_options' ).
  4. Sink: The function calls update_option( 'snw_settings_data', $_POST[...] ), persisting the attacker's input to the database.

4. Nonce Acquisition Strategy

Missing Authorization often accompanies Missing Nonce Verification. However, if a nonce is required, it must be obtainable by unauthenticated users for the exploit to succeed.

  1. Identify Nonce Exposure: Check the main plugin file for wp_localize_script. Look for localization keys like snw_ajax_obj or sitewide_notice_data.
  2. Locate Trigger Shortcode: Search for add_shortcode in the plugin source.
  3. Setup:
    • wp post create --post_type=page --post_status=publish --post_title="Notice Test" --post_content="[sitewide_notice_shortcode]" (inferred).
  4. Extraction:
    • Navigate to the newly created page using browser_navigate.
    • Use browser_eval to find the nonce: window.snw_ajax_obj?.nonce or window.sitewide_notice_data?.update_nonce (inferred).

5. Exploitation Strategy

Using the http_request tool, send a crafted POST request to the AJAX endpoint.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Payload:
    action=snwp_save_settings&snwp_notice_status=1&snwp_notice_text=Vulnerable+Site&_wpnonce=[EXTRACTED_NONCE]
    
    (Note: If _wpnonce is not verified due to the "Missing Authorization" nature, it can be omitted or set to any value.)

6. Test Data Setup

  1. Install Sitewide Notice WP 2.4.1.
  2. Activate the plugin.
  3. Identify the exact option name used by the plugin: grep -r "update_option" .
  4. Identify the exact action name: grep -r "wp_ajax_" . or grep -r "admin_init" .

7. Expected Results

  • The http_request should return a 200 OK or a 302 Redirect (if using admin-post.php).
  • The site frontend should now display the notice "Vulnerable Site" on every page.

8. Verification Steps

After the exploit, verify the database state via WP-CLI:

wp option get snw_settings_data

Confirm the notice_text field contains the string "Vulnerable Site".

9. Alternative Approaches

  • Settings API Bypass: If the plugin uses register_setting, it may be possible to update options by targeting options.php directly if the option_group is known.
  • REST API: Check grep -r "register_rest_route" . for any endpoints lacking a permission_callback.
  • XSS Escalation: If snwp_notice_text is rendered without escaping (e.g., echo $notice), the vulnerability can be escalated to Stored XSS:
    snwp_notice_text=<script>alert(document.domain)</script>
Research Findings
Static analysis — not yet PoC-verified

Summary

The Sitewide Notice WP plugin for WordPress (<= 2.4.1) fails to implement authorization checks or nonce verification on its settings update functionality. This allows unauthenticated attackers to modify global site settings, including the notice text and its visibility, by sending crafted POST requests to administrative endpoints.

Vulnerable Code

// Inferred from research plan code flow
// Hooked via: add_action( 'admin_init', 'snw_save_settings_function' );

function snw_save_settings_function() {
    if ( isset( $_POST['snwp_notice_text'] ) ) {
        $settings = array(
            'notice_text'   => $_POST['snwp_notice_text'],
            'notice_status' => $_POST['snwp_notice_status']
        );
        update_option( 'snw_settings_data', $settings );
    }
}

Security Fix

--- a/sitewide-notice-wp.php
+++ b/sitewide-notice-wp.php
@@ -1,8 +1,11 @@
 function snw_save_settings_function() {
     if ( isset( $_POST['snwp_notice_text'] ) ) {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            return;
+        }
+        check_admin_referer( 'snwp_save_settings_action', 'snw_nonce' );
         $settings = array(
-            'notice_text'   => $_POST['snwp_notice_text'],
-            'notice_status' => $_POST['snwp_notice_status']
+            'notice_text'   => sanitize_text_field( $_POST['snwp_notice_text'] ),
+            'notice_status' => sanitize_text_field( $_POST['snwp_notice_status'] )
         );
         update_option( 'snw_settings_data', $settings );
     }

Exploit Outline

An attacker targets the WordPress administrative backend (typically /wp-admin/admin-post.php or /wp-admin/admin-ajax.php) with a POST request. The request includes the 'action' parameter tied to the plugin's settings save function (e.g., 'snwp_save_settings'), which is incorrectly registered to 'admin_init'. Because the handler lacks both capability checks (current_user_can) and CSRF protection (nonces), an unauthenticated attacker can provide values for 'snwp_notice_text' and 'snwp_notice_status' to overwrite the plugin's configuration in the database, effectively changing the notice displayed to all site visitors.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.