CVE-2025-15635

Smart Online Order for Clover <= 1.6.0 - Cross-Site Request Forgery

Severity: medium
Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Patched in: Unpatched
Time to patch: N/A

Description

The Smart Online Order for Clover plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.6.0
Published: April 15, 2026
Last updated: April 21, 2026
Affected plugin: clover-online-orders
Research Plan: Unverified


Exploitation Research Plan: CVE-2025-15635 (Smart Online Order for Clover CSRF)

1. Vulnerability Summary

The Smart Online Order for Clover plugin (up to version 1.6.0) contains a Cross-Site Request Forgery (CSRF) vulnerability. The flaw exists due to missing or inadequate nonce validation (e.g., missing check_admin_referer or check_ajax_referer) on sensitive state-changing functions. This allows an unauthenticated attacker to perform administrative actions (like changing plugin settings, Merchant IDs, or API credentials) by tricking a logged-in administrator into visiting a malicious link or submitting a forged form.

2. Attack Vector Analysis

  • Target Endpoint: Likely wp-admin/admin-post.php or wp-admin/admin-ajax.php.
  • Vulnerable Hook: (Inferred) admin_post_{action} or wp_ajax_{action} related to settings preservation.
  • Payload Parameter: action (to trigger the function) plus configuration parameters like clover_merchant_id, clover_api_token, or general plugin settings.
  • Authentication Level: Unauthenticated (Attacker) triggers the action; victim must be an Authenticated Administrator.
  • Preconditions: The administrator must have an active session and be tricked into interacting with the attacker's page.

3. Code Flow (Inferred Trace)

  1. Entry Point: The administrator's browser sends a POST request to admin-post.php or admin-ajax.php.
  2. Hook Registration: The plugin registers a handler via:
    add_action('admin_post_save_moo_settings', 'save_moo_settings_handler'); (Inferred function name).
  3. Vulnerable Logic: Inside the handler (e.g., save_moo_settings_handler):
    • The code checks current_user_can('manage_options').
    • CRITICAL FAILURE: The code fails to call check_admin_referer('action_string', 'nonce_name').
  4. Sink: User-supplied input from $_POST is passed directly to update_option() or $wpdb->update(), modifying the plugin's configuration.
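To make the inferred trace concrete from the fixing side, here is an added illustration (not the plugin's own code; the hook, function and option names such as moo_save_settings and moo_clover_api_token are hypothetical) of a handler in the vulnerable shape described above, beside the form and handler pair that binds a nonce to the action and verifies it before the sink:

```php
<?php
// Added illustration, not the plugin's code. Hook, function and option names
// (moo_save_settings, moo_clover_api_token) are hypothetical.

// --- Vulnerable shape, as the inferred trace describes it ------------------
// A capability check alone does not stop CSRF: the victim administrator holds
// the capability, and the browser attaches their cookies to a cross-site POST.
function moo_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // No check_admin_referer(): every POST carrying action=... reaches the sink.
    $token = sanitize_text_field( wp_unslash( $_POST['clover_api_token'] ?? '' ) );
    update_option( 'moo_clover_api_token', $token );
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=moo' ) ) );
    exit;
}

// --- Hardened form + handler ----------------------------------------------
// 1) The settings form emits a nonce bound to the action string. A page on
//    another origin cannot read this value, so it cannot build a valid POST.
function moo_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="moo_save_settings">';
    wp_nonce_field( 'moo_save_settings', '_moo_nonce' ); // action string, field name
    echo '<input type="text" name="clover_api_token">';
    submit_button( 'Save' );
    echo '</form>';
}

// 2) The handler verifies the nonce *and* the capability before touching state.
//    The nonce ties the request to the user's session; the capability ties it
//    to the role. Neither check replaces the other.
function moo_save_settings_handler() {
    // Dies with "The link you followed has expired." when the nonce is absent,
    // forged, expired, or issued for a different action.
    check_admin_referer( 'moo_save_settings', '_moo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $token = sanitize_text_field( wp_unslash( $_POST['clover_api_token'] ?? '' ) );
    update_option( 'moo_clover_api_token', $token );
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=moo' ) ) );
    exit;
}
// Registered only for logged-in users: no admin_post_nopriv_ variant, so an
// unauthenticated request never reaches the handler at all.
add_action( 'admin_post_moo_save_settings', 'moo_save_settings_handler' );
```

For a wp_ajax_ handler the equivalent is check_ajax_referer() with the nonce handed to the page's script through wp_localize_script().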

4. Nonce Acquisition Strategy

The vulnerability description explicitly states "missing or incorrect nonce validation."

  • Scenario A (Missing): No nonce is checked. No acquisition is needed. The request will succeed with only the action and data parameters.
  • Scenario B (Incorrect/Generic): If the plugin uses a generic nonce (like -1 or a leaked nonce), it must be extracted.

Extraction Steps (if Scenario B):

  1. Identify Script/Shortcode: Find where the plugin enqueues its settings page or frontend order page. Look for wp_localize_script.
  2. JS Variable: Look for variables like window.moo_orders_vars or window.clover_settings_params. (Inferred).
  3. Command:
    // Example browser_eval to find nonces
    browser_eval("window.moo_vars?.nonce || document.querySelector('#_wpnonce')?.value")
    

5. Exploitation Strategy

The goal is to demonstrate that an administrative setting can be changed via an unauthenticated request (simulating a forged request from an admin's browser).

Step 1: Discover the Sink

Search the plugin code for settings-saving logic:

grep -r "update_option" . | grep -v "test"
grep -r "admin_post" .
grep -r "wp_ajax" .

Focus on functions that do not contain nonce.

Step 2: Formulate the Forged Request

Assuming a found action moo_save_settings and a setting clover_api_token:

  • URL: http://[target]/wp-admin/admin-post.php (or admin-ajax.php)
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body: action=moo_save_settings&clover_api_token=EVIL_TOKEN_123&submit=Save

Step 3: Execution

Use the http_request tool while providing the Admin's cookies to simulate the CSRF attack.

6. Test Data Setup

  1. Install Plugin: Ensure clover-online-orders version 1.6.0 is active.
  2. Admin User: Ensure a user with the administrator role exists.
  3. Initial State: Set a "legitimate" API token or Merchant ID via the plugin UI or WP-CLI:
    wp option update moo_clover_api_token "LEGIT_TOKEN" (Inferred option name).

7. Expected Results

  • HTTP Response: A 302 Found (redirect) to the settings page with a settings-updated=true parameter, or a 200 OK for AJAX.
  • State Change: The WordPress database will now reflect the attacker-supplied value for the targeted option.

8. Verification Steps

After sending the POST request via http_request:

  1. Check Database: Use WP-CLI to verify the change:
    wp option get moo_clover_api_token (Inferred).
  2. Confirm Lack of Nonce: Attempt the same request again but explicitly change the _wpnonce parameter to a random string (e.g., nonce=12345). If it still succeeds, the nonce check is truly missing or bypassed.

9. Alternative Approaches

  • Targeting Hooks: If admin-post.php is protected, check for wp_ajax_nopriv_ hooks that might accidentally perform sensitive updates (this would upgrade the vulnerability from CSRF to Unauthenticated IDOR).
  • Open Redirect: Check if the _wp_http_referer or a custom redirect_to parameter in the form can be manipulated to redirect the admin to a phishing page after the settings are changed.
  • XSS Injection: Attempt to set an option value to <script>alert(1)</script>. If the settings page does not escape the output, the CSRF leads to Stored XSS.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Smart Online Order for Clover plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.0. This is due to missing or incorrect nonce validation on administrative functions, allowing attackers to modify plugin settings or API credentials via a forged request.

Exploit Outline

  1. Identify a sensitive administrative action (e.g., saving API credentials or Merchant IDs) handled via wp-admin/admin-post.php or wp-admin/admin-ajax.php.
  2. Create a malicious HTML page containing a form that targets this endpoint with the relevant 'action' and configuration parameters (e.g., clover_api_token=attacker_token).
  3. Socially engineer a logged-in administrator into visiting the malicious page.
  4. The administrator's browser will automatically send the POST request along with their session cookies.
  5. Because the plugin does not verify a cryptographic nonce, the server accepts the request and updates the plugin configuration to the attacker's values.
