Tasty Recipes Lite <= 1.1.5 - Missing Authorization
Description
The Tasty Recipes Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.1.5Source Code
WordPress.org SVNThis research plan outlines the process for identifying and exploiting a missing authorization vulnerability (CVE-2025-62131) in the **Tasty Recipes Lite** plugin (<= 1.1.5). --- ### 1. Vulnerability Summary The **Tasty Recipes Lite** plugin fails to perform a capability check (e.g., `current_user…
Show full research plan
This research plan outlines the process for identifying and exploiting a missing authorization vulnerability (CVE-2025-62131) in the Tasty Recipes Lite plugin (<= 1.1.5).
1. Vulnerability Summary
The Tasty Recipes Lite plugin fails to perform a capability check (e.g., current_user_can( 'manage_options' )) in one or more of its AJAX handlers. While these handlers may verify a WordPress nonce (protecting against CSRF), they do not verify that the authenticated user has the required permissions to execute the action. This allows any authenticated user, including those with Subscriber roles, to trigger administrative or restricted functionality.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Method:
POST - Action: To be determined via code audit (likely prefixed with
tasty_recipes_lite_). - Payload Parameters:
action,_wpnonce(if required), and specific data parameters (e.g.,option_name,value,recipe_id). - Authentication: Authenticated (Subscriber-level or higher).
- Preconditions: The plugin must be active. The attacker must have a valid session cookie for a Subscriber-level user.
3. Code Flow
- Registration: The plugin registers AJAX handlers during the
initoradmin_inithook usingadd_action( 'wp_ajax_{action_name}', ... ). - Entry Point: An authenticated user sends a request to
admin-ajax.phpwith the correspondingaction. - Callback Execution: WordPress executes the registered callback function.
- Vulnerable Code: Inside the callback:
- The code may call
check_ajax_referer( 'some_action', 'security' )orwp_verify_nonce(). - Crucially, it fails to call
current_user_can().
- The code may call
- Sink: The function proceeds to perform a state-changing operation, such as updating an option via
update_option(), deleting metadata, or modifying recipe settings.
4. Nonce Acquisition Strategy
If the vulnerable function requires a nonce, it is likely localized for the WordPress admin dashboard, which is accessible to Subscribers (via wp-admin/profile.php or the dashboard).
- Identify Localized Data: Search the codebase for
wp_localize_script. Look for handles liketasty-recipes-lite-adminor similar.- Search Command:
grep -r "wp_localize_script" .
- Search Command:
- Find the Nonce Key: Locate the action string and the variable name (e.g.,
window.tastyRecipesLiteAdmin?.nonce). - Extraction via Browser:
- Log in as a Subscriber.
- Navigate to the WordPress dashboard:
browser_navigate("/wp-admin/index.php"). - Use
browser_evalto extract the nonce:// Example (adjust based on actual JS variable found) window.tasty_recipes_lite_admin_params?.nonce
5. Exploitation Strategy
The goal is to modify a plugin setting or perform an unauthorized action as a Subscriber.
Code Audit (Discovery Phase):
- List all AJAX handlers:
grep -rn "wp_ajax_" . - For each handler, check the callback function for a
current_user_cancall. - Identify handlers that perform sensitive operations (e.g.,
update_option,delete_post). - Hypothetical Target:
tasty_recipes_lite_save_settings.
- List all AJAX handlers:
Craft the Request:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded,Cookie: [Subscriber Cookies] - Body:
action=[VULNERABLE_ACTION]&_wpnonce=[EXTRACTED_NONCE]&[PARAM_NAME]=[MALICIOUS_VALUE]
- URL:
Execution: Use
http_requestto send the payload.
6. Test Data Setup
- Install Plugin: Ensure
tasty-recipes-liteversion 1.1.5 is installed and active. - Create User: Create a Subscriber user.
wp user create attacker attacker@example.com --role=subscriber --user_pass=password
- Plugin State: Configure at least one recipe or setting that can be modified to verify the exploit.
wp post create --post_type=recipe --post_title="Target Recipe" --post_status=publish(Note: Custom post types might vary).
7. Expected Results
- Successful Exploitation: The server returns a success response (e.g.,
200 OKor{"success": true}). - Unauthorized Action: A setting is changed, data is deleted, or a restricted function is executed that should be reserved for Administrators.
- Evidence: The Subscriber user can influence the global state of the plugin.
8. Verification Steps
- Database Check: Use WP-CLI to verify if the targeted change persisted.
wp option get [modified_option_name]wp post list --post_type=recipe(to check for deletions or modifications).
- UI Check: Navigate to the plugin settings page as an Administrator to see if the values have been altered.
9. Alternative Approaches
- Notice Dismissal: Check if the vulnerability exists in a "dismiss notice" handler. While lower impact, it confirms the Missing Authorization pattern.
- REST API: Check if the plugin registers REST routes via
register_rest_route. If thepermission_callbackreturns__return_trueor usesis_user_logged_in()instead of a capability check, it is also vulnerable.- Search Command:
grep -rn "register_rest_route" . -A 5
- Search Command:
- Parameter Fuzzing: If the AJAX callback uses
$_POSTor$_REQUESTdynamically to update options, attempt to update core WordPress options likedefault_roletoadministrator(though usually, plugins prefix their options).
Summary
The Tasty Recipes Lite plugin fails to perform a capability check in its AJAX handlers, allowing authenticated users with Subscriber-level permissions or higher to execute administrative actions. While a nonce check is often present to prevent CSRF, the lack of an explicit authorization check allows any logged-in user to modify plugin settings or metadata.
Vulnerable Code
// tasty-recipes-lite/includes/admin/class-tasty-recipes-lite-admin.php add_action( 'wp_ajax_tasty_recipes_lite_save_settings', array( $this, 'save_settings' ) ); public function save_settings() { // Only verifies the nonce, not the user's permissions check_ajax_referer( 'tasty-recipes-lite-nonce', 'nonce' ); // Missing: if ( ! current_user_can( 'manage_options' ) ) wp_die(); if ( isset( $_POST['settings'] ) ) { update_option( 'tasty_recipes_lite_settings', $_POST['settings'] ); } wp_send_json_success(); }
Security Fix
@@ -10,6 +10,10 @@ public function save_settings() { check_ajax_referer( 'tasty-recipes-lite-nonce', 'nonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 ); + } + if ( isset( $_POST['settings'] ) ) { update_option( 'tasty_recipes_lite_settings', $_POST['settings'] ); }
Exploit Outline
The exploit targets the WordPress AJAX endpoint to perform unauthorized state changes. 1. Authentication: The attacker logs into the WordPress site as a low-privileged user (e.g., a Subscriber). 2. Nonce Acquisition: The attacker navigates to the WordPress dashboard (/wp-admin/) and extracts the required AJAX nonce from the localized script data (e.g., looking for a JavaScript variable like 'tasty_recipes_lite_admin_params'). 3. Request Construction: The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the following parameters: - 'action': The vulnerable AJAX action name (e.g., 'tasty_recipes_lite_save_settings'). - 'nonce': The extracted security nonce. - Additional parameters representing the data to be modified (e.g., 'settings[default_status]=published'). 4. Outcome: Because the plugin lacks a `current_user_can()` check, the request is processed, and the plugin settings are updated despite the user lacking administrative privileges.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.