CVE-2025-68009

Slider Templates <= 1.0.3 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Slider Templates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.3
PublishedDecember 29, 2025
Last updatedJanuary 14, 2026
Affected pluginslider-templates
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit **CVE-2025-68009**, a Missing Authorization vulnerability in the **Slider Templates** plugin (versions <= 1.0.3). --- ### 1. Vulnerability Summary The **Slider Templates** plugin fails to perform adequate authorization checks (specif…

Show full research plan

This research plan outlines the steps to investigate and exploit CVE-2025-68009, a Missing Authorization vulnerability in the Slider Templates plugin (versions <= 1.0.3).


1. Vulnerability Summary

The Slider Templates plugin fails to perform adequate authorization checks (specifically current_user_can()) on one or more of its AJAX or REST API endpoints. This allows an unauthenticated attacker to trigger sensitive functions—likely related to template creation, modification, or deletion—by sending a crafted request to admin-ajax.php or the REST API. The CVSS vector indicates a Low Integrity impact, suggesting the ability to modify data or settings without full administrative control.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (inferred).
  • Action: Likely wp_ajax_nopriv_st_save_template or wp_ajax_nopriv_slider_templates_save (inferred).
  • Method: POST.
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. To obtain a nonce (if required), a page containing the plugin's shortcode must be publicly accessible.

3. Code Flow

  1. Registration: The plugin registers an AJAX action during init or admin_init using add_action( 'wp_ajax_nopriv_...', ... ).
  2. Trigger: An unauthenticated user sends a POST request to admin-ajax.php with the corresponding action parameter.
  3. Vulnerable Sink: The callback function executes. It may check for a WordPress nonce using check_ajax_referer() or wp_verify_nonce(), but it omits a capability check like if ( ! current_user_can( 'manage_options' ) ).
  4. Action: The function proceeds to perform a database operation (e.g., wp_insert_post for a new template or update_option) based on user-supplied parameters.

4. Nonce Acquisition Strategy

If the endpoint is protected by a nonce, it is likely localized for the frontend to support the plugin's interactive slider features.

  1. Identify the Shortcode: Search the codebase for add_shortcode.
    • Inferred Shortcode: [slider-templates] or [st-slider].
  2. Find the Localized Variable: Search for wp_localize_script.
    • Inferred JS Object: st_ajax_obj or slider_templates_vars.
    • Inferred Nonce Key: nonce or st_nonce.
  3. Extraction Process:
    • Create a public post containing the identified shortcode:
      wp post create --post_type=page --post_status=publish --post_title="Nonce Page" --post_content='[slider-templates]'
    • Navigate to the page using browser_navigate.
    • Extract the nonce using browser_eval:
      // Example: Replace with actual identified variable names
      window.st_ajax_obj?.nonce || window.slider_templates_vars?.st_nonce;
      

5. Exploitation Strategy

The goal is to demonstrate unauthorized data modification (e.g., creating a malicious slider template).

  • Step 1: Discover the Action Name
    Use grep to find wp_ajax_nopriv hooks in the plugin directory:
    grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/slider-templates/

  • Step 2: Craft the Payload
    Assuming the action is st_save_template and it accepts template data:

    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body Parameters:
      • action: st_save_template (inferred)
      • nonce: [EXTRACTED_NONCE]
      • title: Exploit Slider
      • content: <script>alert('XSS')</script> (Testing if integrity breach allows XSS)
  • Step 3: Execute Request
    Use the http_request tool to send the payload.

6. Test Data Setup

  1. Install Plugin: Ensure slider-templates version 1.0.3 is installed and active.
  2. Identify Template Post Type: Find the custom post type used for sliders (e.g., st_template or slider).
  3. Public Page: Create a page with the plugin's shortcode to facilitate nonce extraction.

7. Expected Results

  • Response: The server returns a success code (e.g., 200 OK or a JSON object {"success": true}).
  • Side Effect: A new slider template or setting is created/modified in the WordPress database despite the requester being unauthenticated.

8. Verification Steps

After the HTTP request, use WP-CLI to verify the unauthorized change:

  • Check for new posts: wp post list --post_type=st_template (Verify if "Exploit Slider" exists).
  • Check for modified options: wp option get st_settings (If the exploit targeted settings).
  • Database Check: wp db query "SELECT * FROM wp_posts WHERE post_title='Exploit Slider'"

9. Alternative Approaches

  • REST API: If no AJAX actions are vulnerable, search for register_rest_route. Check if any route has 'permission_callback' => '__return_true' or lacks the callback entirely.
  • Settings Injection: If the plugin allows unauthenticated "Import," attempt to upload a JSON file containing malicious slider configurations that could lead to Stored XSS when viewed by an admin.
  • Action Brute-forcing: If grep fails to find nopriv but the vulnerability is confirmed, test the wp_ajax_ (authenticated) version; some configurations allow unauthenticated access to wp_ajax_ if not properly restricted in admin-ajax.php (though rare).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Slider Templates plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on its AJAX handlers. This allows unauthenticated attackers to invoke sensitive functions, such as creating or modifying slider templates, by sending a request to the admin-ajax.php endpoint.

Security Fix

--- a/slider-templates.php
+++ b/slider-templates.php
@@ -10,6 +10,10 @@
 function st_save_template_callback() {
-    check_ajax_referer('st_nonce', 'security');
+    check_ajax_referer('st_nonce', 'security');
+
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized' );
+    }
 
     $template_data = $_POST['template_data'];

Exploit Outline

The exploit targets the AJAX interface of WordPress. An attacker first navigates to a public page containing the plugin's shortcode to extract a valid security nonce from the localized JavaScript variables (e.g., st_ajax_obj.nonce). Using this nonce, the attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to the vulnerable hook (likely st_save_template or slider_templates_save). The payload includes the extracted nonce and the malicious template data. Because the plugin lacks a current_user_can() check in the AJAX callback, the server processes the request even if the user is unauthenticated, allowing for the creation or modification of templates.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.