CVE-2025-67973

Sunshine Photo Cart <= 3.5.6.2 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 3.5.7.1
Time to patch: 7d

Description

The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.6.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.5.6.2
Published: January 27, 2026
Last updated: February 2, 2026
Affected plugin: sunshine-photo-cart

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2025-67973 (Sunshine Photo Cart)

1. Vulnerability Summary

The Sunshine Photo Cart plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.5.6.2. The vulnerability exists because the plugin registers an AJAX handler intended for administrative use (dismissing notices) using both wp_ajax_ and wp_ajax_nopriv_ hooks without implementing any capability checks (current_user_can()) or nonce verification.

This allows unauthenticated attackers to perform an unauthorized action: updating the WordPress options table by creating or modifying options prefixed with sunshine_notice_dismissed_.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Action: sunshine_dismiss_notice (Inferred)
  • Parameters:
    • action: sunshine_dismiss_notice
    • notice: A string that will be appended to the option name.
  • Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active.

3. Code Flow

The vulnerability likely follows this execution path in version 3.5.6.2:

  1. Registration (in includes/admin/admin.php or includes/ajax.php):

    add_action( 'wp_ajax_sunshine_dismiss_notice', 'sunshine_ajax_dismiss_notice' );
    add_action( 'wp_ajax_nopriv_sunshine_dismiss_notice', 'sunshine_ajax_dismiss_notice' ); // VULNERABLE: Exposed to guests
    
  2. Callback Function:
    The function sunshine_ajax_dismiss_notice (or similar) executes:

    function sunshine_ajax_dismiss_notice() {
        $notice = sanitize_text_field( $_POST['notice'] ); // Input from attacker
        update_option( 'sunshine_notice_dismissed_' . $notice, 1 ); // SINK: Unauthorized option update
        wp_die();
    }
    
  3. Sink: The update_option function is called with a name partially controlled by the user, allowing for arbitrary "notice dismissed" flags to be set in the database.
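For comparison, the same handler written with the checks the advisory says are missing. This is an added example, not code from any version of the plugin; the function, action, nonce and option names are assumptions carried over from the inferred code flow above, and the allowlisted notice names are constructed.

```php
<?php
// Added example (not the plugin's own code at either version): hardened form of
// the inferred notice-dismiss handler. Names are assumptions from the code flow above.

// Register for logged-in users only. With no wp_ajax_nopriv_ hook, admin-ajax.php
// answers unauthenticated requests for this action with "0" and never reaches the callback.
add_action( 'wp_ajax_sunshine_dismiss_notice', 'sunshine_ajax_dismiss_notice_hardened' );

// Only notices the plugin actually shows may be dismissed, so the option name is never
// built from caller input. The values are constructed for this example.
const SUNSHINE_DISMISSIBLE_NOTICES = array( 'welcome', 'review_request', 'upgrade_hint' );

function sunshine_ajax_dismiss_notice_hardened() {
    // 1. Nonce: rejects requests that did not originate from the plugin's own admin page
    //    (CSRF against a logged-in admin). check_ajax_referer() dies on a missing/invalid nonce.
    check_ajax_referer( 'sunshine_dismiss_notice', 'nonce' );

    // 2. Capability: this is the check whose absence is the Missing Authorization finding.
    //    A nonce alone is not authorization; any user who can load the page holding the
    //    nonce could otherwise replay it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: unslash, reduce to a safe key, then require an allowlisted value.
    $notice = isset( $_POST['notice'] ) ? sanitize_key( wp_unslash( $_POST['notice'] ) ) : '';
    if ( ! in_array( $notice, SUNSHINE_DISMISSIBLE_NOTICES, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown notice.' ), 400 );
    }

    // 4. Sink: the option name is now fully determined by the allowlist above.
    update_option( 'sunshine_notice_dismissed_' . $notice, 1 );
    wp_send_json_success();
}

// The admin page that renders the notice must hand the matching nonce to its script,
// e.g. (assumed script handle and variable name):
//   wp_localize_script( 'sunshine-admin', 'sunshine_vars',
//       array( 'nonce' => wp_create_nonce( 'sunshine_dismiss_notice' ) ) );
```

Each of the three checks closes a different hole: dropping the nopriv hook and adding current_user_can() addresses the unauthenticated, unauthorized write that the CVE describes; the nonce addresses cross-site request forgery against an administrator; the allowlist removes the caller's control over which option name is written. wp_send_json_error() and wp_send_json_success() call wp_die() internally, so no explicit exit is needed after them.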

4. Nonce Acquisition Strategy

Based on the "Missing Authorization" and "Unauthenticated" classification, this specific endpoint in 3.5.6.2 is likely missing both capability and nonce checks.

If a nonce check were present, the strategy would be:

  1. Identify a page where the plugin enqueues its scripts (usually a Gallery page).
  2. Create a Gallery: wp post create --post_type=sunshine-gallery --post_status=publish --post_title="Pwn Gallery".
  3. Navigate to the Gallery URL.
  4. Use browser_eval to extract the nonce:
    • browser_eval("window.sunshine_vars?.nonce") (inferred key)
    • browser_eval("window.sunshine_admin?.nonce") (inferred key)

However, for this specific "Missing Authorization" vulnerability, the exploitation is expected to work without a nonce.

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated user can modify the WordPress database.

  1. Target: http://<target-ip>:8080/wp-admin/admin-ajax.php
  2. Payload:
    • action=sunshine_dismiss_notice
    • notice=exploit_poc_test
  3. HTTP Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost:8080
    Content-Type: application/x-www-form-urlencoded
    
    action=sunshine_dismiss_notice&notice=exploit_poc_test
    
  4. Expected Response: 200 OK (usually empty or 0 depending on wp_die()).

6. Test Data Setup

  1. Plugin Activation: Ensure sunshine-photo-cart version 3.5.6.2 is active.
  2. Environment: A standard WordPress installation. No specific galleries or orders are required for this AJAX action to fire, as the handler is registered globally on init.

7. Expected Results

  • The AJAX request returns a success status.
  • A new option is created in the wp_options table: sunshine_notice_dismissed_exploit_poc_test.
  • The value of this option is 1.

8. Verification Steps

After sending the HTTP request, use WP-CLI to verify the change:

# Check if the option was successfully created/updated
wp option get sunshine_notice_dismissed_exploit_poc_test

Success Criteria: The command returns 1.

9. Alternative Approaches

If sunshine_dismiss_notice is not the correct action name, investigate other nopriv registrations:

  1. Search for wp_ajax_nopriv in the plugin folder:
    grep -rn "wp_ajax_nopriv" /var/www/html/wp-content/plugins/sunshine-photo-cart/
    
  2. Look for any handler that calls update_option, update_user_meta, or update_post_meta without a current_user_can() check.
  3. If the integrity impact is higher, check for sunshine_save_settings or sunshine_ajax_save_design_preview (inferred) to see if they are also missing authorization.
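A triage helper for step 2 above, added here as an example and not taken from the plugin or from the research plan. It takes PHP source as a string, finds every wp_ajax_nopriv_ registration with a plain string callback, locates that callback's body in the same source and reports whether the body reaches a write sink without any authorization check. The sample source at the bottom is constructed to mirror the inferred registration and callback from section 3; in a real review you would feed it file_get_contents() of each file found by the grep in step 1.

```php
<?php
// Added example, not code from the plugin or from the research plan. Static triage
// for wp_ajax_nopriv_ handlers; operates on source strings so it runs on the
// constructed sample below without a WordPress install.

const AUDIT_AUTH_CHECKS = array( 'current_user_can', 'check_ajax_referer', 'wp_verify_nonce' );
const AUDIT_WRITE_SINKS = array( 'update_option', 'update_user_meta', 'update_post_meta' );

// Names from $fns that are called somewhere in $body (word boundary, optional space before '(').
function audit_calls_in( string $body, array $fns ): array {
    return array_values( array_filter( $fns, function ( $fn ) use ( $body ) {
        return preg_match( '/\b' . preg_quote( $fn, '/' ) . '\s*\(/', $body ) === 1;
    } ) );
}

// Body of `function $name( ... ) { ... }` in $src, found by brace matching; null if absent.
function audit_function_body( string $src, string $name ): ?string {
    $re = '/\bfunction\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)[^{]*\{/';
    if ( preg_match( $re, $src, $m, PREG_OFFSET_CAPTURE ) !== 1 ) {
        return null;
    }
    $start = $m[0][1] + strlen( $m[0][0] ); // first char inside the opening brace
    $depth = 1;
    for ( $i = $start, $n = strlen( $src ); $i < $n; $i++ ) {
        if ( '{' === $src[ $i ] ) {
            $depth++;
        } elseif ( '}' === $src[ $i ] && 0 === --$depth ) {
            return substr( $src, $start, $i - $start );
        }
    }
    return null; // unbalanced braces: treat as not found
}

// One row per wp_ajax_nopriv_ registration with a plain string callback. A row is
// flagged when the callback writes to the database with none of the authorization
// checks present, or when its body could not be located (closures, method callbacks
// and callbacks defined in another file need manual review).
function audit_nopriv_handlers( string $src ): array {
    $rows = array();
    $re   = '/add_action\s*\(\s*[\'"]wp_ajax_nopriv_(\w+)[\'"]\s*,\s*[\'"](\w+)[\'"]/';
    preg_match_all( $re, $src, $matches, PREG_SET_ORDER );
    foreach ( $matches as $m ) {
        $body   = audit_function_body( $src, $m[2] );
        $checks = null === $body ? array() : audit_calls_in( $body, AUDIT_AUTH_CHECKS );
        $sinks  = null === $body ? array() : audit_calls_in( $body, AUDIT_WRITE_SINKS );
        $rows[] = array(
            'action'   => $m[1],
            'callback' => $m[2],
            'checks'   => $checks,
            'sinks'    => $sinks,
            'flagged'  => null === $body || ( count( $sinks ) > 0 && count( $checks ) === 0 ),
        );
    }
    return $rows;
}

// Constructed sample: the inferred registration and callback from section 3, plus a
// read-only guest handler that should not be flagged.
$sample = <<<'PHPSRC'
add_action( 'wp_ajax_sunshine_dismiss_notice', 'sunshine_ajax_dismiss_notice' );
add_action( 'wp_ajax_nopriv_sunshine_dismiss_notice', 'sunshine_ajax_dismiss_notice' );
add_action( 'wp_ajax_nopriv_sunshine_gallery_count', 'sunshine_ajax_gallery_count' );

function sunshine_ajax_dismiss_notice() {
    $notice = sanitize_text_field( $_POST['notice'] );
    update_option( 'sunshine_notice_dismissed_' . $notice, 1 );
    wp_die();
}

function sunshine_ajax_gallery_count() {
    echo (int) get_option( 'sunshine_gallery_count', 0 );
    wp_die();
}
PHPSRC;

foreach ( audit_nopriv_handlers( $sample ) as $row ) {
    printf(
        "%s nopriv action %-28s -> %-28s sinks=[%s] checks=[%s]\n",
        $row['flagged'] ? 'FLAG' : ' ok ',
        $row['action'],
        $row['callback'],
        implode( ',', $row['sinks'] ),
        implode( ',', $row['checks'] )
    );
}
```

On the sample, sunshine_dismiss_notice is flagged (sink update_option, no checks) and sunshine_gallery_count is not (no write sink). The helper is deliberately conservative: a handler whose body it cannot find is also flagged rather than silently passed, and the presence of a check in the body says nothing about whether the check guards the sink, so flagged rows are starting points for reading the code, not verdicts.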
