CVE-2025-68535

Sunshine Photo Cart <= 3.5.7.1 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.5.7.2
Patched in
8d
Time to patch

Description

The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.5.7.1
PublishedDecember 30, 2025
Last updatedJanuary 6, 2026
Affected pluginsunshine-photo-cart

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the process for investigating and exploiting **CVE-2025-68535**, a Missing Authorization vulnerability in the Sunshine Photo Cart plugin. --- ### 1. Vulnerability Summary The **Sunshine Photo Cart** plugin (up to version 3.5.7.1) fails to implement proper capability ch…

Show full research plan

This research plan outlines the process for investigating and exploiting CVE-2025-68535, a Missing Authorization vulnerability in the Sunshine Photo Cart plugin.


1. Vulnerability Summary

The Sunshine Photo Cart plugin (up to version 3.5.7.1) fails to implement proper capability checks on several of its AJAX handlers. Specifically, functions registered via the wp_ajax_ hook are accessible to any authenticated user (including Subscriber level) without verifying if the user has administrative permissions (like manage_options). This allows low-privileged users to perform actions intended only for gallery administrators, such as modifying plugin settings or manipulating gallery data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Authentication: Required (Subscriber-level or higher)
  • Vulnerable Action: sunshine_save_settings (inferred based on plugin architecture; the agent must verify the specific function lacking current_user_can in includes/admin/ajax.php).
  • Payload Parameter: settings (array) or specific setting keys.
  • Preconditions: The plugin must be active. A valid nonce for the sunshine-admin action is typically required for the AJAX handler.

3. Code Flow

  1. Registration: The plugin registers AJAX handlers in includes/admin/ajax.php or includes/class-sunshine.php using:
    add_action( 'wp_ajax_sunshine_save_settings', 'sunshine_save_settings' ); (inferred).
  2. Entry Point: An authenticated user sends a POST request to admin-ajax.php with action=sunshine_save_settings.
  3. Vulnerable Sink: The function sunshine_save_settings() is invoked. It likely calls update_option() or similar without first checking:
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
  4. Action: The plugin updates global settings based on the $_POST['settings'] array.

4. Nonce Acquisition Strategy

Sunshine Photo Cart localizes administrative data for its AJAX operations. Even as a Subscriber, you can access the WordPress dashboard (/wp-admin/index.php), where the plugin may enqueue its scripts.

  1. Identify Shortcode: The plugin uses [sunshine_gallery] or [sunshine_cart].
  2. Create a Page:
    wp post create --post_type=page --post_status=publish --post_title="Gallery" --post_content='[sunshine_gallery]'
  3. Obtain Nonce via Browser:
    Navigate to the newly created page or the /wp-admin/ dashboard as a Subscriber.
    Execute in browser_eval:
    window.sunshine_admin_ajax?.nonce or window.sunshine_ajax?.nonce (verbatim from wp_localize_script).
  4. Verification: If wp_verify_nonce is called in the PHP function, the action string is usually 'sunshine-admin'.

5. Exploitation Strategy

We will attempt to change a critical plugin setting, such as the "authorized" status of the plugin or a notification email.

  • Request Type: POST
  • URL: https://<target>/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: sunshine_save_settings (inferred - agent must check grep -r "wp_ajax_sunshine_save_settings")
    • nonce: [EXTRACTED_NONCE]
    • settings[business_name]: HACKED_BY_POC
    • settings[email]: attacker@example.com

6. Test Data Setup

  1. Install Plugin: Ensure Sunshine Photo Cart v3.5.7.1 is installed.
  2. Create User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Note Original Setting:
    wp option get sunshine_settings

7. Expected Results

  • HTTP Response: The server should return a 200 OK or a JSON success message (e.g., {"success":true}).
  • Impact: The plugin's global configuration is updated despite the request coming from a Subscriber.

8. Verification Steps

  1. Check Options Table:
    wp option get sunshine_settings
  2. Observe Change: Verify that the business_name or email key in the serialized array has changed to the values provided in the payload.

9. Alternative Approaches

If sunshine_save_settings is not the vulnerable action, the researcher should use the following grep commands to find other targets:

# Find all AJAX actions registered by the plugin
grep -r "wp_ajax_sunshine_" wp-content/plugins/sunshine-photo-cart/

# For each identified function, check for missing capability checks
# Example: looking for current_user_can inside the function body
grep -n "function sunshine_save_settings" -A 20 wp-content/plugins/sunshine-photo-cart/includes/admin/ajax.php

Potential alternative actions:

  • sunshine_reset_settings (High Impact: Resets plugin data)
  • sunshine_delete_gallery (High Impact: Data loss)
  • sunshine_update_order_status (Inferred)

10. Potential Nonce Bypass

If the researcher finds that check_ajax_referer or wp_verify_nonce is called but the action string is -1 or mismatching, the nonce can be ignored or any valid nonce from the system (like the one for wp_rest) might be attempted. However, the primary focus is the Missing Authorization (capability check).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Sunshine Photo Cart plugin for WordPress is vulnerable to unauthorized administrative actions in versions up to and including 3.5.7.1 due to missing capability checks on AJAX handlers. This allows authenticated users with Subscriber-level permissions or higher to modify plugin settings or perform restricted data operations by sending crafted requests to the WordPress AJAX endpoint.

Security Fix

--- a/includes/admin/ajax.php
+++ b/includes/admin/ajax.php
@@ -10,6 +10,10 @@
 function sunshine_save_settings() {
+	if ( ! current_user_can( 'manage_options' ) ) {
+		wp_die();
+	}
+
 	check_ajax_referer( 'sunshine-admin', 'nonce' );
 	if ( isset( $_POST['settings'] ) ) {
 		update_option( 'sunshine_settings', $_POST['settings'] );

Exploit Outline

To exploit this vulnerability, an attacker first authenticates as a Subscriber-level user and extracts a valid AJAX nonce (action string: 'sunshine-admin') from the localized JavaScript variables (e.g., window.sunshine_admin_ajax.nonce) in the WordPress dashboard. The attacker then sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'sunshine_save_settings' (or another administrative AJAX action), the 'nonce' parameter, and a 'settings' array containing malicious configuration values. Because the plugin does not verify user capabilities (e.g., via current_user_can('manage_options')), the request is processed and global plugin settings are updated.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.