CVE-2025-62132

Tasty Recipes Lite <= 1.1.5 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.1.6
Patched in
14d
Time to patch

Description

The Tasty Recipes Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.5
PublishedDecember 31, 2025
Last updatedJanuary 13, 2026
Affected plugintasty-recipes-lite

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the steps required to demonstrate a Missing Authorization vulnerability in Tasty Recipes Lite (<= 1.1.5). This vulnerability allows a Contributor-level user to perform unauthorized actions, typically saving plugin settings, due to a missing `current_user_can()` check in an AJAX ha…

Show full research plan

This plan outlines the steps required to demonstrate a Missing Authorization vulnerability in Tasty Recipes Lite (<= 1.1.5). This vulnerability allows a Contributor-level user to perform unauthorized actions, typically saving plugin settings, due to a missing current_user_can() check in an AJAX handler.

1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Broken Access Control)
  • Target: Tasty Recipes Lite plugin (<= 1.1.5)
  • Vulnerable Component: AJAX handler for saving settings (inferred: tasty_recipes_save_settings)
  • Root Cause: The plugin registers an AJAX action for authenticated users but only performs a nonce check (check_ajax_referer) without verifying the user's capabilities (e.g., current_user_can('manage_options')).
  • Impact: A Contributor can modify plugin settings, which may lead to Stored XSS or disruption of recipe functionality.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Action: tasty_recipes_save_settings (inferred)
  • Required Parameter: nonce (extracted from the admin interface)
  • Payload Parameters: settings (array of plugin options)
  • Authentication: Contributor-level credentials (minimum).

3. Code Flow (Inferred)

  1. Registration: The plugin registers the AJAX hook in an admin-related class (likely Tasty_Recipes_Admin or Tasty_Recipes_Settings).
    • add_action( 'wp_ajax_tasty_recipes_save_settings', [ $this, 'save_settings' ] );
  2. Entry Point: An authenticated user (Contributor+) sends a request to admin-ajax.php?action=tasty_recipes_save_settings.
  3. Vulnerable Function: The handler save_settings() is invoked.
  4. Security Check (Weak): The handler calls check_ajax_referer( 'tasty_recipes_admin', 'nonce' );.
  5. Missing Check: The handler does not call current_user_can( 'manage_options' ).
  6. Sink: The handler calls update_option( 'tasty_recipes_settings', ... ) based on the $_POST['settings'] data.

4. Nonce Acquisition Strategy

Nonces in this plugin are typically localized for the admin scripts. Even though a Contributor cannot see the settings page, they can often access the nonce if the script is enqueued on pages they can access (like the Dashboard or the Post Editor).

  1. Identify Script: Look for wp_localize_script calls in the plugin source related to tasty-recipes-admin.
  2. Variable Name: Usually tastyRecipesAdmin or tastyRecipesSettings (inferred).
  3. Extraction Method:
    • Log in as a Contributor.
    • Navigate to /wp-admin/.
    • Execute JS via browser_eval to find the nonce.
    • JS Code: window.tastyRecipesAdmin?.nonce || window.tastyRecipesSettings?.nonce

5. Test Data Setup

  1. Install Plugin: Ensure Tasty Recipes Lite <= 1.1.5 is installed.
  2. Create User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  3. Identify Settings: Check the current value of the settings option.
    wp option get tasty_recipes_settings
    

6. Exploitation Strategy

  1. Login: Use the browser_navigate and browser_type tools to log in as the Contributor user.

  2. Extract Nonce:

    • Navigate to the Dashboard: /wp-admin/.
    • Run browser_eval("window.tastyRecipesAdmin?.nonce").
    • If that fails, search the page source for "nonce" or "tasty_recipes".
  3. Send Exploit Request:
    Use http_request to send a POST request to the AJAX endpoint.

    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=tasty_recipes_save_settings&nonce=[EXTRACTED_NONCE]&settings[template]=<script>alert('XSS')</script>
      

    (Note: Replace tasty_recipes_save_settings and the setting name template with the actual ones found during discovery).

7. Expected Results

  • HTTP Response: A 200 OK response, likely returning a JSON success message (e.g., {"success": true}).
  • System State: The tasty_recipes_settings option in the WordPress database is updated with the Contributor's provided values.

8. Verification Steps

After the http_request, confirm the change using WP-CLI:

# Check if the settings were modified
wp option get tasty_recipes_settings --format=json

Check for the injected value (e.g., the script tag or modified template name).

9. Alternative Approaches

  • Identify Correct Action: If tasty_recipes_save_settings is incorrect, grep the plugin directory for AJAX registrations:
    grep -rn "wp_ajax_" wp-content/plugins/tasty-recipes-lite/
    
  • Identify Settings Option: If tasty_recipes_settings is not the option name, check for update_option calls in the identified AJAX handler:
    grep -rn "update_option" wp-content/plugins/tasty-recipes-lite/
    
  • REST API: Check if the plugin registers any REST routes with permission_callback => '__return_true' or missing callbacks:
    grep -rn "register_rest_route" wp-content/plugins/tasty-recipes-lite/
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The Tasty Recipes Lite plugin for WordPress is vulnerable to unauthorized settings modification because it fails to perform a capability check in its AJAX handler for saving settings. Authenticated users with contributor-level access or higher can exploit this to change plugin configurations, potentially leading to Stored Cross-Site Scripting (XSS) if the settings are subsequently rendered unsafely.

Vulnerable Code

/**
 * Likely located in inc/admin/class-tasty-recipes-admin.php or similar
 */
public function save_settings() {
    check_ajax_referer( 'tasty_recipes_admin', 'nonce' );

    // The code fails to verify the user's capability here (e.g., current_user_can( 'manage_options' ))

    if ( isset( $_POST['settings'] ) ) {
        $settings = $_POST['settings'];
        update_option( 'tasty_recipes_settings', $settings );
    }

    wp_send_json_success();
}

Security Fix

--- a/inc/admin/class-tasty-recipes-admin.php
+++ b/inc/admin/class-tasty-recipes-admin.php
@@ -... @@
 public function save_settings() {
     check_ajax_referer( 'tasty_recipes_admin', 'nonce' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
+    }
+
     if ( isset( $_POST['settings'] ) ) {
         $settings = $_POST['settings'];
         update_option( 'tasty_recipes_settings', $settings );

Exploit Outline

The exploit targets the AJAX endpoint for plugin settings management. 1. Authentication: The attacker logs into the WordPress site with at least Contributor-level privileges. 2. Nonce Extraction: The attacker retrieves the required security nonce (typically named 'tasty_recipes_admin' or similar) by viewing the source of an admin page where the plugin's scripts are localized, such as the Post Editor or Dashboard. 3. Payload Delivery: The attacker sends a POST request to /wp-admin/admin-ajax.php with the following parameters: - action: tasty_recipes_save_settings - nonce: [EXTRACTED_NONCE] - settings: An array containing the malicious configuration values (e.g., injecting HTML/JS into a template field). 4. Verification: The attacker confirms the change by observing the modified settings in the plugin's output or the database via WP-CLI.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.