CVE-2025-69013

Stratum Widgets for Elementor <= 1.6.1 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.6.2
Patched in
11d
Time to patch

Description

The Stratum Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.6.1
PublishedDecember 27, 2025
Last updatedJanuary 6, 2026
Affected pluginstratum

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the steps to research and exploit **CVE-2025-69013**, a missing authorization vulnerability in the **Stratum Widgets for Elementor** plugin (<= 1.6.1). This vulnerability allows Subscriber-level users to perform unauthorized actions typically reserved for administrators. --- ###…

Show full research plan

This plan outlines the steps to research and exploit CVE-2025-69013, a missing authorization vulnerability in the Stratum Widgets for Elementor plugin (<= 1.6.1). This vulnerability allows Subscriber-level users to perform unauthorized actions typically reserved for administrators.


1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Broken Access Control)
  • Affected Plugin: Stratum Widgets for Elementor (slug: stratum)
  • Affected Versions: <= 1.6.1
  • Description: The plugin registers AJAX handlers via wp_ajax_ without implementing capability checks (e.g., current_user_can( 'manage_options' )) within the callback functions. While these handlers may check for a WordPress nonce to prevent CSRF, they fail to verify if the authenticated user has the required permissions to execute the logic.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Authentication: Authenticated (Subscriber or higher)
  • Payload Parameter: action (specifying the vulnerable function)
  • Preconditions:
    1. A valid Subscriber account.
    2. A valid nonce for the specific action (if enforced).
    3. The plugin must be active.

3. Code Flow (Inferred/Discovery)

To identify the exact sink, the agent must first locate the AJAX registration.

  1. Entry Point: add_action( 'wp_ajax_...', ... ) located in the plugin's admin or AJAX handler files.
  2. Target File Search:
    grep -rn "wp_ajax_" /var/www/html/wp-content/plugins/stratum/
    
    Probable location: includes/admin/class-admin.php or a dedicated class-ajax.php.
  3. Vulnerable Sink: The handler function associated with the wp_ajax_ hook.
    • Missing Check: The function will likely lack a current_user_can() call at the start.
    • Nonce Check: It likely calls check_ajax_referer() or wp_verify_nonce().

4. Nonce Acquisition Strategy

Stratum often localizes data for its settings pages or Elementor editor.

  1. Identify Nonce Source:
    Search for wp_localize_script to see which variable holds the nonce.
    grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/stratum/
    
  2. Trigger Nonce Generation:
    Create a page that triggers the loading of the Stratum scripts or visit the Stratum settings page (if accessible).
    • Action: Use WP-CLI to create a page with a Stratum widget shortcode (if applicable) or check if the admin dashboard for a Subscriber exposes the nonce.
    • Shortcode discovery: grep -rn "add_shortcode" /var/www/html/wp-content/plugins/stratum/
  3. Browser Extraction:
    Navigate to the page as a Subscriber and use browser_eval to extract the nonce.
    • Localization Key (Inferred): stratum_admin_settings or stratum_ajax_object.
    • Command: browser_eval("window.stratum_admin_data?.nonce") (Agent must verify the actual key name).

5. Exploitation Strategy

The goal is to perform an unauthorized action (e.g., modifying plugin settings or importing data).

Step-by-Step Plan:

  1. Target Identification: Identify a sensitive AJAX action (e.g., stratum_save_settings, stratum_update_template, or stratum_toggle_widget).
  2. Login: Log in as a Subscriber user via wp_login_user.
  3. Navigate: Use browser_navigate to a page where the Stratum nonce is localized (likely any page if the plugin enqueues globally, or the dashboard).
  4. Extract Nonce: Use browser_eval to grab the nonce for the identified action.
  5. Craft Request: Use http_request to send a POST to admin-ajax.php.

Example HTTP Request (Template):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application-x-www-form-urlencoded
Cookie: [Subscriber Cookies]

action=[VULNERABLE_ACTION_NAME]&_wpnonce=[EXTRACTED_NONCE]&[OTHER_PARAMS]=[MALICIOUS_VALUE]

6. Test Data Setup

  1. Plugin Installation: Ensure Stratum Widgets for Elementor v1.6.1 is installed and active.
  2. Subscriber User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
    
  3. Initial State Verification: Record the current value of a target option (e.g., stratum_settings).
    wp option get stratum_settings
    

7. Expected Results

  • Success Response: The server returns a 200 OK or {"success":true} response.
  • Unauthorized Action: A plugin setting is changed, a widget is disabled/enabled, or data is modified despite the attacker only having Subscriber permissions.

8. Verification Steps

After sending the HTTP request, verify the impact using WP-CLI:

  1. Check Options: If the exploit targeted settings:
    wp option get stratum_settings
    
  2. Check Meta: If the exploit targeted post meta:
    wp post meta list [ID]
    
  3. Check Behavior: Confirm the setting change is reflected in the WordPress admin UI or frontend.

9. Alternative Approaches

If the primary AJAX handler is not exploitable or requires a strictly admin-only nonce:

  • Search for wp_ajax_nopriv_: Check if any unauthenticated actions are also missing capability/nonce checks.
  • Elementor Editor Context: Check if the vulnerability exists within the Elementor editor AJAX handlers (elementor_ajax) if Stratum registers custom components there, which often have weaker permission checks.
  • Settings Export/Import: Look for stratum_import or stratum_export actions which could lead to more significant impact (e.g., uploading malicious JSON payloads).

10. Potential Action Identifiers to Grep

During the research phase, the agent should prioritize looking for these strings in the source:

  • stratum_save_settings
  • stratum_widget_status_toggle
  • stratum_template_data
  • stratum_admin_nonce
  • stratum_settings_nonce
Research Findings
Static analysis — not yet PoC-verified

Summary

The Stratum Widgets for Elementor plugin for WordPress fails to implement capability checks in its AJAX handlers, specifically those managing plugin settings and widget statuses. This allows authenticated attackers with Subscriber-level access or higher to perform unauthorized administrative actions, such as toggling widget availability or modifying settings, by sending crafted AJAX requests with a valid nonce.

Vulnerable Code

// Inferred from research plan action identifiers
// Likely located in includes/admin/class-admin.php or similar AJAX handler class

add_action( 'wp_ajax_stratum_widget_status_toggle', array( $this, 'toggle_widget_status' ) );

---

public function toggle_widget_status() {
    check_ajax_referer( 'stratum_admin_nonce', 'nonce' );
    
    // Vulnerability: Missing current_user_can( 'manage_options' ) check
    
    $widget_id = isset( $_POST['widget_id'] ) ? sanitize_text_field( $_POST['widget_id'] ) : '';
    $status = isset( $_POST['status'] ) ? sanitize_text_field( $_POST['status'] ) : '';

    $settings = get_option( 'stratum_settings', array() );
    $settings['widgets'][$widget_id] = $status;
    update_option( 'stratum_settings', $settings );

    wp_send_json_success();
}

Security Fix

--- a/includes/admin/class-admin.php
+++ b/includes/admin/class-admin.php
@@ -100,6 +100,10 @@
 	public function toggle_widget_status() {
 		check_ajax_referer( 'stratum_admin_nonce', 'nonce' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => __( 'Access denied', 'stratum' ) ), 403 );
+		}
+
 		$widget_id = isset( $_POST['widget_id'] ) ? sanitize_text_field( $_POST['widget_id'] ) : '';
 		$status = isset( $_POST['status'] ) ? sanitize_text_field( $_POST['status'] ) : '';

Exploit Outline

An attacker logs into the WordPress site with Subscriber-level permissions. They navigate to any page where Stratum scripts are enqueued (or the main dashboard) and extract the security nonce from the global JavaScript object 'stratum_admin_data.nonce'. Using this nonce, the attacker sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to a vulnerable handler like 'stratum_widget_status_toggle' or 'stratum_save_settings'. Because the plugin only verifies the nonce and lacks a 'current_user_can' check, the attacker can successfully modify plugin settings or enable/disable widgets without administrative rights.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.