Slider Templates <= 1.0.3 - Missing Authorization
Description
The Slider Templates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.3This research plan outlines the steps to investigate and exploit **CVE-2025-68009**, a Missing Authorization vulnerability in the **Slider Templates** plugin (versions <= 1.0.3). --- ### 1. Vulnerability Summary The **Slider Templates** plugin fails to perform adequate authorization checks (specif…
Show full research plan
This research plan outlines the steps to investigate and exploit CVE-2025-68009, a Missing Authorization vulnerability in the Slider Templates plugin (versions <= 1.0.3).
1. Vulnerability Summary
The Slider Templates plugin fails to perform adequate authorization checks (specifically current_user_can()) on one or more of its AJAX or REST API endpoints. This allows an unauthenticated attacker to trigger sensitive functions—likely related to template creation, modification, or deletion—by sending a crafted request to admin-ajax.php or the REST API. The CVSS vector indicates a Low Integrity impact, suggesting the ability to modify data or settings without full administrative control.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(inferred). - Action: Likely
wp_ajax_nopriv_st_save_templateorwp_ajax_nopriv_slider_templates_save(inferred). - Method: POST.
- Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. To obtain a nonce (if required), a page containing the plugin's shortcode must be publicly accessible.
3. Code Flow
- Registration: The plugin registers an AJAX action during
initoradmin_initusingadd_action( 'wp_ajax_nopriv_...', ... ). - Trigger: An unauthenticated user sends a POST request to
admin-ajax.phpwith the correspondingactionparameter. - Vulnerable Sink: The callback function executes. It may check for a WordPress nonce using
check_ajax_referer()orwp_verify_nonce(), but it omits a capability check likeif ( ! current_user_can( 'manage_options' ) ). - Action: The function proceeds to perform a database operation (e.g.,
wp_insert_postfor a new template orupdate_option) based on user-supplied parameters.
4. Nonce Acquisition Strategy
If the endpoint is protected by a nonce, it is likely localized for the frontend to support the plugin's interactive slider features.
- Identify the Shortcode: Search the codebase for
add_shortcode.- Inferred Shortcode:
[slider-templates]or[st-slider].
- Inferred Shortcode:
- Find the Localized Variable: Search for
wp_localize_script.- Inferred JS Object:
st_ajax_objorslider_templates_vars. - Inferred Nonce Key:
nonceorst_nonce.
- Inferred JS Object:
- Extraction Process:
- Create a public post containing the identified shortcode:
wp post create --post_type=page --post_status=publish --post_title="Nonce Page" --post_content='[slider-templates]' - Navigate to the page using
browser_navigate. - Extract the nonce using
browser_eval:// Example: Replace with actual identified variable names window.st_ajax_obj?.nonce || window.slider_templates_vars?.st_nonce;
- Create a public post containing the identified shortcode:
5. Exploitation Strategy
The goal is to demonstrate unauthorized data modification (e.g., creating a malicious slider template).
Step 1: Discover the Action Name
Usegrepto findwp_ajax_noprivhooks in the plugin directory:grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/slider-templates/Step 2: Craft the Payload
Assuming the action isst_save_templateand it accepts template data:- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Body Parameters:
action:st_save_template(inferred)nonce:[EXTRACTED_NONCE]title:Exploit Slidercontent:<script>alert('XSS')</script>(Testing if integrity breach allows XSS)
- URL:
Step 3: Execute Request
Use thehttp_requesttool to send the payload.
6. Test Data Setup
- Install Plugin: Ensure
slider-templatesversion 1.0.3 is installed and active. - Identify Template Post Type: Find the custom post type used for sliders (e.g.,
st_templateorslider). - Public Page: Create a page with the plugin's shortcode to facilitate nonce extraction.
7. Expected Results
- Response: The server returns a success code (e.g.,
200 OKor a JSON object{"success": true}). - Side Effect: A new slider template or setting is created/modified in the WordPress database despite the requester being unauthenticated.
8. Verification Steps
After the HTTP request, use WP-CLI to verify the unauthorized change:
- Check for new posts:
wp post list --post_type=st_template(Verify if "Exploit Slider" exists). - Check for modified options:
wp option get st_settings(If the exploit targeted settings). - Database Check:
wp db query "SELECT * FROM wp_posts WHERE post_title='Exploit Slider'"
9. Alternative Approaches
- REST API: If no AJAX actions are vulnerable, search for
register_rest_route. Check if any route has'permission_callback' => '__return_true'or lacks the callback entirely. - Settings Injection: If the plugin allows unauthenticated "Import," attempt to upload a JSON file containing malicious slider configurations that could lead to Stored XSS when viewed by an admin.
- Action Brute-forcing: If
grepfails to findnoprivbut the vulnerability is confirmed, test thewp_ajax_(authenticated) version; some configurations allow unauthenticated access towp_ajax_if not properly restricted inadmin-ajax.php(though rare).
Summary
The Slider Templates plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on its AJAX handlers. This allows unauthenticated attackers to invoke sensitive functions, such as creating or modifying slider templates, by sending a request to the admin-ajax.php endpoint.
Security Fix
@@ -10,6 +10,10 @@ function st_save_template_callback() { - check_ajax_referer('st_nonce', 'security'); + check_ajax_referer('st_nonce', 'security'); + + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( 'Unauthorized' ); + } $template_data = $_POST['template_data'];
Exploit Outline
The exploit targets the AJAX interface of WordPress. An attacker first navigates to a public page containing the plugin's shortcode to extract a valid security nonce from the localized JavaScript variables (e.g., st_ajax_obj.nonce). Using this nonce, the attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to the vulnerable hook (likely st_save_template or slider_templates_save). The payload includes the extracted nonce and the malicious template data. Because the plugin lacks a current_user_can() check in the AJAX callback, the server processes the request even if the user is unauthenticated, allowing for the creation or modification of templates.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.