CVE-2025-62131

Tasty Recipes Lite <= 1.1.5 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.1.6
Patched in
14d
Time to patch

Description

The Tasty Recipes Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.5
PublishedDecember 31, 2025
Last updatedJanuary 13, 2026
Affected plugintasty-recipes-lite

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the process for identifying and exploiting a missing authorization vulnerability (CVE-2025-62131) in the **Tasty Recipes Lite** plugin (<= 1.1.5). --- ### 1. Vulnerability Summary The **Tasty Recipes Lite** plugin fails to perform a capability check (e.g., `current_user…

Show full research plan

This research plan outlines the process for identifying and exploiting a missing authorization vulnerability (CVE-2025-62131) in the Tasty Recipes Lite plugin (<= 1.1.5).


1. Vulnerability Summary

The Tasty Recipes Lite plugin fails to perform a capability check (e.g., current_user_can( 'manage_options' )) in one or more of its AJAX handlers. While these handlers may verify a WordPress nonce (protecting against CSRF), they do not verify that the authenticated user has the required permissions to execute the action. This allows any authenticated user, including those with Subscriber roles, to trigger administrative or restricted functionality.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action: To be determined via code audit (likely prefixed with tasty_recipes_lite_).
  • Payload Parameters: action, _wpnonce (if required), and specific data parameters (e.g., option_name, value, recipe_id).
  • Authentication: Authenticated (Subscriber-level or higher).
  • Preconditions: The plugin must be active. The attacker must have a valid session cookie for a Subscriber-level user.

3. Code Flow

  1. Registration: The plugin registers AJAX handlers during the init or admin_init hook using add_action( 'wp_ajax_{action_name}', ... ).
  2. Entry Point: An authenticated user sends a request to admin-ajax.php with the corresponding action.
  3. Callback Execution: WordPress executes the registered callback function.
  4. Vulnerable Code: Inside the callback:
    • The code may call check_ajax_referer( 'some_action', 'security' ) or wp_verify_nonce().
    • Crucially, it fails to call current_user_can().
  5. Sink: The function proceeds to perform a state-changing operation, such as updating an option via update_option(), deleting metadata, or modifying recipe settings.

4. Nonce Acquisition Strategy

If the vulnerable function requires a nonce, it is likely localized for the WordPress admin dashboard, which is accessible to Subscribers (via wp-admin/profile.php or the dashboard).

  1. Identify Localized Data: Search the codebase for wp_localize_script. Look for handles like tasty-recipes-lite-admin or similar.
    • Search Command: grep -r "wp_localize_script" .
  2. Find the Nonce Key: Locate the action string and the variable name (e.g., window.tastyRecipesLiteAdmin?.nonce).
  3. Extraction via Browser:
    • Log in as a Subscriber.
    • Navigate to the WordPress dashboard: browser_navigate("/wp-admin/index.php").
    • Use browser_eval to extract the nonce:
      // Example (adjust based on actual JS variable found)
      window.tasty_recipes_lite_admin_params?.nonce 
      

5. Exploitation Strategy

The goal is to modify a plugin setting or perform an unauthorized action as a Subscriber.

  1. Code Audit (Discovery Phase):

    • List all AJAX handlers: grep -rn "wp_ajax_" .
    • For each handler, check the callback function for a current_user_can call.
    • Identify handlers that perform sensitive operations (e.g., update_option, delete_post).
    • Hypothetical Target: tasty_recipes_lite_save_settings.
  2. Craft the Request:

    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded, Cookie: [Subscriber Cookies]
    • Body:
      action=[VULNERABLE_ACTION]&_wpnonce=[EXTRACTED_NONCE]&[PARAM_NAME]=[MALICIOUS_VALUE]
      
  3. Execution: Use http_request to send the payload.

6. Test Data Setup

  1. Install Plugin: Ensure tasty-recipes-lite version 1.1.5 is installed and active.
  2. Create User: Create a Subscriber user.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  3. Plugin State: Configure at least one recipe or setting that can be modified to verify the exploit.
    • wp post create --post_type=recipe --post_title="Target Recipe" --post_status=publish (Note: Custom post types might vary).

7. Expected Results

  • Successful Exploitation: The server returns a success response (e.g., 200 OK or {"success": true}).
  • Unauthorized Action: A setting is changed, data is deleted, or a restricted function is executed that should be reserved for Administrators.
  • Evidence: The Subscriber user can influence the global state of the plugin.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify if the targeted change persisted.
    • wp option get [modified_option_name]
    • wp post list --post_type=recipe (to check for deletions or modifications).
  2. UI Check: Navigate to the plugin settings page as an Administrator to see if the values have been altered.

9. Alternative Approaches

  • Notice Dismissal: Check if the vulnerability exists in a "dismiss notice" handler. While lower impact, it confirms the Missing Authorization pattern.
  • REST API: Check if the plugin registers REST routes via register_rest_route. If the permission_callback returns __return_true or uses is_user_logged_in() instead of a capability check, it is also vulnerable.
    • Search Command: grep -rn "register_rest_route" . -A 5
  • Parameter Fuzzing: If the AJAX callback uses $_POST or $_REQUEST dynamically to update options, attempt to update core WordPress options like default_role to administrator (though usually, plugins prefix their options).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Tasty Recipes Lite plugin fails to perform a capability check in its AJAX handlers, allowing authenticated users with Subscriber-level permissions or higher to execute administrative actions. While a nonce check is often present to prevent CSRF, the lack of an explicit authorization check allows any logged-in user to modify plugin settings or metadata.

Vulnerable Code

// tasty-recipes-lite/includes/admin/class-tasty-recipes-lite-admin.php

add_action( 'wp_ajax_tasty_recipes_lite_save_settings', array( $this, 'save_settings' ) );

public function save_settings() {
    // Only verifies the nonce, not the user's permissions
    check_ajax_referer( 'tasty-recipes-lite-nonce', 'nonce' );

    // Missing: if ( ! current_user_can( 'manage_options' ) ) wp_die();

    if ( isset( $_POST['settings'] ) ) {
        update_option( 'tasty_recipes_lite_settings', $_POST['settings'] );
    }
    wp_send_json_success();
}

Security Fix

--- a/tasty-recipes-lite/includes/admin/class-tasty-recipes-lite-admin.php
+++ b/tasty-recipes-lite/includes/admin/class-tasty-recipes-lite-admin.php
@@ -10,6 +10,10 @@
     public function save_settings() {
         check_ajax_referer( 'tasty-recipes-lite-nonce', 'nonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
+        }
+
         if ( isset( $_POST['settings'] ) ) {
             update_option( 'tasty_recipes_lite_settings', $_POST['settings'] );
         }

Exploit Outline

The exploit targets the WordPress AJAX endpoint to perform unauthorized state changes. 1. Authentication: The attacker logs into the WordPress site as a low-privileged user (e.g., a Subscriber). 2. Nonce Acquisition: The attacker navigates to the WordPress dashboard (/wp-admin/) and extracts the required AJAX nonce from the localized script data (e.g., looking for a JavaScript variable like 'tasty_recipes_lite_admin_params'). 3. Request Construction: The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the following parameters: - 'action': The vulnerable AJAX action name (e.g., 'tasty_recipes_lite_save_settings'). - 'nonce': The extracted security nonce. - Additional parameters representing the data to be modified (e.g., 'settings[default_status]=published'). 4. Outcome: Because the plugin lacks a `current_user_can()` check, the request is processed, and the plugin settings are updated despite the user lacking administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.