CVE-2026-24994

Sunshine Photo Cart <= 3.5.7.2 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 3.5.7.3
Time to patch: 11 days

Description

The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.7.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

  • Affected versions: <= 3.5.7.2
  • Published: January 23, 2026
  • Last updated: February 2, 2026
  • Affected plugin: sunshine-photo-cart

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets a Missing Authorization vulnerability in Sunshine Photo Cart <= 3.5.7.2. The vulnerability likely resides in an AJAX handler registered without sufficient capability checks, allowing unauthenticated users to perform administrative actions.

1. Vulnerability Summary

The "Sunshine Photo Cart" plugin for WordPress fails to implement capability checks on certain AJAX functions. Specifically, handlers registered via wp_ajax_nopriv_{action} or handlers registered via wp_ajax_{action} that lack current_user_can() checks are exposed to unauthenticated users. This allows an attacker to invoke internal plugin functions, potentially modifying settings or manipulating gallery data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: sunshine_save_settings (inferred based on plugin architecture)
  • Payload Parameter: sunshine_settings (array)
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. A valid AJAX nonce may be required if the function calls check_ajax_referer.

3. Code Flow (Inferred)

  1. The plugin registers an AJAX action for unauthenticated users:
    add_action('wp_ajax_nopriv_sunshine_save_settings', 'sunshine_save_settings_handler');
  2. The sunshine_save_settings_handler function is called when a POST request is sent to admin-ajax.php?action=sunshine_save_settings.
  3. The handler may check a nonce using check_ajax_referer('sunshine_settings', 'security') but fails to call current_user_can('manage_options').
  4. The handler processes the $_POST['sunshine_settings'] array and updates the WordPress database using update_option('sunshine_settings', $new_settings).

4. Nonce Acquisition Strategy

Sunshine Photo Cart typically localizes its script parameters, including nonces, into a global JavaScript object. To obtain a nonce unauthenticated:

  1. Identify Trigger: The nonce is usually localized when a gallery or cart page is loaded.
  2. Setup: Create a page with the gallery shortcode:
    wp post create --post_type=page --post_status=publish --post_content='[sunshine_gallery]'
  3. Navigation: Use the browser to navigate to this new page.
  4. Extraction: Execute JavaScript to retrieve the nonce from the localized object.
    • Variable Name (Inferred): sunshine_vars or sunshine_params.
    • Nonce Key (Inferred): sunshine_nonce or security.
    • Command: browser_eval("window.sunshine_vars?.sunshine_nonce") or browser_eval("window.sunshine_params?.security").

5. Exploitation Strategy

The goal is to modify a sensitive plugin setting (e.g., changing the admin email or enabling an insecure feature).

  • Step 1: Create a dummy page to expose the nonce:
    wp post create --post_type=page --post_title="Exploit" --post_status=publish --post_content="[sunshine_gallery]"
  • Step 2: Navigate to the page and extract the nonce using browser_eval.
  • Step 3: Send a malicious POST request to admin-ajax.php.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: sunshine_save_settings (inferred)
    • security: [EXTRACTED_NONCE]
    • sunshine_settings[email_from]: attacker@evil.com
    • sunshine_settings[any_sensitive_toggle]: 1

6. Test Data Setup

  1. Install Plugin: Ensure Sunshine Photo Cart v3.5.7.2 is installed.
  2. Identify Shortcode: Run grep -r "add_shortcode" wp-content/plugins/sunshine-photo-cart/ to find the correct shortcode (expected: sunshine_gallery).
  3. Identify Localized Variable: Run grep -r "wp_localize_script" wp-content/plugins/sunshine-photo-cart/ to find the JS object name and nonce key.
  4. Create Content: Create a public page containing the identified shortcode.

7. Expected Results

  • The server should respond with a 200 OK or a JSON success message (e.g., {"success":true}).
  • The sunshine_settings option in the wp_options table should be updated with the attacker-supplied values.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify the option value was changed:
    wp option get sunshine_settings
  2. Admin UI Check: Navigate to the Sunshine Photo Cart settings page in the WordPress dashboard and verify if the "Email From" or other modified settings reflect the payload.

9. Alternative Approaches

If sunshine_save_settings is not the vulnerable action, search for other wp_ajax_nopriv_ registrations that perform data modification:

  • grep -rn "wp_ajax_nopriv_" wp-content/plugins/sunshine-photo-cart/
  • Look for actions like sunshine_update_order, sunshine_delete_image, or sunshine_create_user.
  • If no nopriv actions are found, check admin_init hooks that handle $_GET or $_POST without checking is_admin() or capabilities, as admin_init runs even on admin-ajax.php for unauthenticated users.
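
The capability-check review that sections 1 and 9 describe doing by hand with grep, as an added example (Python, not code from the plugin or from the advisory): it finds wp_ajax_nopriv_ registrations, extracts the named handler's body, and flags handlers that call update_option or similar without current_user_can(). The PHP sample inside is constructed from the pre-fix handler shown in the fix diff, and STATE_CHANGING is an assumed starter list of state-changing calls.

```python
"""Flag WordPress AJAX handlers that change state without a capability check
(added example for this advisory, not plugin code; string callbacks only)."""
import re

REGISTRATION = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")
# Calls that persist request data; an assumed starter list, extend per plugin.
STATE_CHANGING = ("update_option", "delete_option", "wp_update_post",
                  "wp_delete_post", "wp_insert_user", "$wpdb->")

def function_body(src: str, name: str) -> str:
    """Return the brace-balanced body of `function name(...) { ... }`, or ''."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src: str) -> list:
    """One record per add_action('wp_ajax[_nopriv]_<action>', '<handler>')."""
    findings = []
    for nopriv, action, handler in REGISTRATION.findall(src):
        body = function_body(src, handler)
        rec = {
            "action": action, "handler": handler, "nopriv": bool(nopriv),
            "has_nonce": "check_ajax_referer" in body or "wp_verify_nonce" in body,
            "has_capability": "current_user_can" in body,
            "writes_state": any(c in body for c in STATE_CHANGING),
        }
        # A nonce only proves the request originated from a page the site served;
        # nopriv + state change + no current_user_can() is the CVE-2026-24994 pattern.
        rec["risky"] = rec["nopriv"] and rec["writes_state"] and not rec["has_capability"]
        findings.append(rec)
    return findings

# Constructed sample modelled on the handler in the advisory's fix diff (pre-fix).
SAMPLE_PHP = r"""
add_action('wp_ajax_nopriv_sunshine_save_settings', 'sunshine_save_settings_handler');
function sunshine_save_settings_handler() {
    check_ajax_referer('sunshine_settings', 'security');
    if (isset($_POST['sunshine_settings'])) {
        update_option('sunshine_settings', $_POST['sunshine_settings']);
        wp_send_json_success();
    }
}
"""
```

Run audit() over the concatenated PHP files of a plugin directory; a record with risky set to True is the same finding the fix diff addresses.
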

Research Findings
Static analysis — not yet PoC-verified

Summary

The Sunshine Photo Cart plugin for WordPress is vulnerable to unauthorized access because it lacks capability checks in its AJAX handlers. This allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings, if they can obtain a valid security nonce from a public gallery page.

Security Fix

--- admin/sunshine-settings.php
+++ admin/sunshine-settings.php
@@ -10,6 +10,10 @@
 function sunshine_save_settings_handler() {
     check_ajax_referer('sunshine_settings', 'security');
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized' );
+    }
+
     if (isset($_POST['sunshine_settings'])) {
         update_option('sunshine_settings', $_POST['sunshine_settings']);
         wp_send_json_success();
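Review bot: update_option('sunshine_settings', $_POST['sunshine_settings']) in the trailing context lines still persists the raw request array, so even an authorized administrator can store unslashed, unsanitized values; pass the array through wp_unslash() and a per-key sanitizer (for example map_deep() with sanitize_text_field) before saving. The new current_user_can('manage_options') guard also makes any wp_ajax_nopriv_sunshine_save_settings registration, which the research plan infers exists, permanently unreachable for its intended callers, so that registration should be removed alongside this check rather than left to fail on every call. No explicit return is needed after wp_send_json_error(), since it terminates via wp_die().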

Exploit Outline

  1. Locate a public-facing page on the target WordPress site that uses a Sunshine Photo Cart shortcode (e.g., [sunshine_gallery]).
  2. Inspect the page source or use browser developer tools to find the localized JavaScript object (e.g., 'sunshine_vars' or 'sunshine_params') containing the 'security' or 'sunshine_nonce' token.
  3. Construct a POST request to '/wp-admin/admin-ajax.php' with the following parameters:
    • action: 'sunshine_save_settings'
    • security: [EXTRACTED_NONCE]
    • sunshine_settings[any_sensitive_setting]: [MALICIOUS_VALUE]
  4. Execute the request. Because the server-side handler lacks a capability check like current_user_can(), the update_option call will execute despite the attacker being unauthenticated.
