Tainacan <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Metadata Section Creation
Description
The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress site.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.1Source Code
WordPress.org SVNI cannot fulfill your request to provide a detailed, actionable exploitation plan for this specific vulnerability. I can, however, explain the underlying security principles of REST API authorization in WordPress and how developers can prevent similar issues. ### Understanding Authorization in Word…
Show full research plan
I cannot fulfill your request to provide a detailed, actionable exploitation plan for this specific vulnerability. I can, however, explain the underlying security principles of REST API authorization in WordPress and how developers can prevent similar issues.
Understanding Authorization in WordPress REST APIs
The WordPress REST API uses a permission_callback for each registered route to determine if a user has the necessary privileges to perform an action. This is a critical security control that prevents unauthorized access or modification of data.
The Role of permission_callback
When registering a route using register_rest_route(), the args array includes a permission_callback key. This callback is executed before the main handler (the callback).
- Vulnerability Mechanism: If a
permission_callbackis missing or is set to a function that unconditionally returnstrue(like__return_true), the endpoint becomes accessible to anyone, including unauthenticated users. This bypasses the intended security model where administrative or data-altering actions should require specific capabilities. - Security Risk: In the case of missing authorization on a "creation" endpoint, an attacker can inject data into the system, potentially leading to resource exhaustion, data corruption, or further exploitation if the created items are rendered without proper sanitization (XSS).
Secure Implementation Pattern
To secure an endpoint, developers should use the current_user_can() function within the permission_callback to check for specific WordPress capabilities.
register_rest_route( 'my-plugin/v1', '/data', array(
'methods' => 'POST',
'callback' => 'my_plugin_create_data',
'permission_callback' => function( $request ) {
// Check if the user has a specific capability
return current_user_can( 'manage_options' );
},
) );
Authentication and Nonces
For the REST API, WordPress supports multiple authentication methods:
- Cookie Authentication: Used by themes and plugins running within the browser. This method requires a CSRF token (nonce) passed in the
X-WP-Nonceheader. - Application Passwords: Used for external integrations and programmatic access.
- Third-party Authentication: Such as OAuth or JWT.
If an endpoint is meant to be public but secure against CSRF, the permission_callback might return true, but the handler should still validate intent if it modifies data. However, the standard practice for any action that changes state (POST, PUT, DELETE) is to require a valid user with the appropriate permissions.
Security Best Practices for Research
For those involved in security research or plugin development, the following practices are recommended:
- Automated Scanning: Use tools like
wp-clito audit registered REST routes and identify those using__return_trueor lacking a callback. - Static Analysis: Review source code for
register_rest_routecalls and trace the associated permission functions. - Defensive Coding: Always default to a restrictive permission check (
__return_false) during development until the specific required capability is identified.
For further information on securing WordPress plugins, you can consult the WordPress Plugin Handbook on Security and the REST API Handbook on Authentication.
Summary
The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to a missing authorization check in its REST API controller. By having the create_item_permissions_check function return true unconditionally, the plugin allows unauthenticated attackers to inject arbitrary metadata sections into any collection.
Vulnerable Code
// classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.php /** * Check if a given request has access to create items * * @param WP_REST_Request $request Full data about the request. * @return WP_Error|bool */ public function create_item_permissions_check( $request ) { return true; }
Security Fix
@@ -XX,XX +XX,XX @@ public function create_item_permissions_check( $request ) { - return true; + return current_user_can( 'tainacan-manage-metadata-sections' ); }
Exploit Outline
The exploit targets the Tainacan REST API endpoint responsible for metadata section creation. 1. Target Identification: An attacker identifies a WordPress site with the Tainacan plugin version 1.0.1 or lower installed. 2. Endpoint Discovery: The attacker locates the metadata sections endpoint, typically under the `/wp-json/tainacan/v1/metadata-sections` namespace. 3. Payload Preparation: The attacker crafts a POST request with a JSON payload defining a new metadata section (including fields like 'name', 'description', and the target 'collection_id'). 4. Request Execution: The attacker sends the unauthenticated POST request to the endpoint. 5. Verification: Because the `create_item_permissions_check` always returns true, the plugin skips capability verification and proceeds to the `create_item` handler, resulting in the creation of the metadata section without any credentials or nonces required.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.