Sitewide Notice WP <= 2.4.1 - Missing Authorization
Description
The Sitewide Notice WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.4.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.4.1Source Code
WordPress.org SVN# Research Plan: CVE-2025-67575 (Sitewide Notice WP) ## 1. Vulnerability Summary The **Sitewide Notice WP** plugin (versions <= 2.4.1) contains a **Missing Authorization** vulnerability. The flaw exists because the plugin registers a settings-update function to a hook that executes for unauthentica…
Show full research plan
Research Plan: CVE-2025-67575 (Sitewide Notice WP)
1. Vulnerability Summary
The Sitewide Notice WP plugin (versions <= 2.4.1) contains a Missing Authorization vulnerability. The flaw exists because the plugin registers a settings-update function to a hook that executes for unauthenticated users (likely admin_init or a wp_ajax_nopriv_* action) without implementing a current_user_can() check. This allows any network-level attacker to modify the plugin's configuration, including the global notice text and status, without being logged in.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(if AJAX-based) or/wp-admin/admin-post.php(if using standard POST handlers). - Vulnerable Action: The function is likely triggered by the
snwp_save_settingsorsnw_update_optionsaction (inferred). - Parameters:
action: The registered hook name.snwp_notice_text: The content of the notice (payload sink).snwp_notice_status: Toggle for enabling/disabling the notice.
- Authentication: Unauthenticated (PR:N).
- Preconditions: The plugin must be active.
3. Code Flow (Inferred)
- Registration: The plugin uses
add_action( 'admin_init', 'snw_save_settings_function' ). - Execution: Since
admin_initfires onadmin-ajax.phpandadmin-post.phpregardless of authentication, the function runs. - Missing Check: The function
snw_save_settings_functionchecks if specific$_POSTkeys are present but fails to verifycurrent_user_can( 'manage_options' ). - Sink: The function calls
update_option( 'snw_settings_data', $_POST[...] ), persisting the attacker's input to the database.
4. Nonce Acquisition Strategy
Missing Authorization often accompanies Missing Nonce Verification. However, if a nonce is required, it must be obtainable by unauthenticated users for the exploit to succeed.
- Identify Nonce Exposure: Check the main plugin file for
wp_localize_script. Look for localization keys likesnw_ajax_objorsitewide_notice_data. - Locate Trigger Shortcode: Search for
add_shortcodein the plugin source. - Setup:
wp post create --post_type=page --post_status=publish --post_title="Notice Test" --post_content="[sitewide_notice_shortcode]"(inferred).
- Extraction:
- Navigate to the newly created page using
browser_navigate. - Use
browser_evalto find the nonce:window.snw_ajax_obj?.nonceorwindow.sitewide_notice_data?.update_nonce(inferred).
- Navigate to the newly created page using
5. Exploitation Strategy
Using the http_request tool, send a crafted POST request to the AJAX endpoint.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Payload:
(Note: Ifaction=snwp_save_settings&snwp_notice_status=1&snwp_notice_text=Vulnerable+Site&_wpnonce=[EXTRACTED_NONCE]_wpnonceis not verified due to the "Missing Authorization" nature, it can be omitted or set to any value.)
6. Test Data Setup
- Install Sitewide Notice WP 2.4.1.
- Activate the plugin.
- Identify the exact option name used by the plugin:
grep -r "update_option" . - Identify the exact action name:
grep -r "wp_ajax_" .orgrep -r "admin_init" .
7. Expected Results
- The
http_requestshould return a200 OKor a302 Redirect(if usingadmin-post.php). - The site frontend should now display the notice "Vulnerable Site" on every page.
8. Verification Steps
After the exploit, verify the database state via WP-CLI:
wp option get snw_settings_data
Confirm the notice_text field contains the string "Vulnerable Site".
9. Alternative Approaches
- Settings API Bypass: If the plugin uses
register_setting, it may be possible to update options by targetingoptions.phpdirectly if theoption_groupis known. - REST API: Check
grep -r "register_rest_route" .for any endpoints lacking apermission_callback. - XSS Escalation: If
snwp_notice_textis rendered without escaping (e.g.,echo $notice), the vulnerability can be escalated to Stored XSS:snwp_notice_text=<script>alert(document.domain)</script>
Summary
The Sitewide Notice WP plugin for WordPress (<= 2.4.1) fails to implement authorization checks or nonce verification on its settings update functionality. This allows unauthenticated attackers to modify global site settings, including the notice text and its visibility, by sending crafted POST requests to administrative endpoints.
Vulnerable Code
// Inferred from research plan code flow // Hooked via: add_action( 'admin_init', 'snw_save_settings_function' ); function snw_save_settings_function() { if ( isset( $_POST['snwp_notice_text'] ) ) { $settings = array( 'notice_text' => $_POST['snwp_notice_text'], 'notice_status' => $_POST['snwp_notice_status'] ); update_option( 'snw_settings_data', $settings ); } }
Security Fix
@@ -1,8 +1,11 @@ function snw_save_settings_function() { if ( isset( $_POST['snwp_notice_text'] ) ) { + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + check_admin_referer( 'snwp_save_settings_action', 'snw_nonce' ); $settings = array( - 'notice_text' => $_POST['snwp_notice_text'], - 'notice_status' => $_POST['snwp_notice_status'] + 'notice_text' => sanitize_text_field( $_POST['snwp_notice_text'] ), + 'notice_status' => sanitize_text_field( $_POST['snwp_notice_status'] ) ); update_option( 'snw_settings_data', $settings ); }
Exploit Outline
An attacker targets the WordPress administrative backend (typically /wp-admin/admin-post.php or /wp-admin/admin-ajax.php) with a POST request. The request includes the 'action' parameter tied to the plugin's settings save function (e.g., 'snwp_save_settings'), which is incorrectly registered to 'admin_init'. Because the handler lacks both capability checks (current_user_can) and CSRF protection (nonces), an unauthenticated attacker can provide values for 'snwp_notice_text' and 'snwp_notice_status' to overwrite the plugin's configuration in the database, effectively changing the notice displayed to all site visitors.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.