CVE-2026-39653

Video Conferencing with Zoom <= 4.6.6 - Missing Authorization

Severity: Medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 4.6.7
Time to patch: 70 days

Description

The Video Conferencing with Zoom plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.6.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.6.6
Published: February 15, 2026
Last updated: April 25, 2026

Source Code

WordPress.org SVN
Patched: patched version not available.

Research Plan
Unverified


This research plan outlines the steps to identify and exploit a missing authorization vulnerability in the Video Conferencing with Zoom plugin (<= 4.6.6).


1. Vulnerability Summary

The "Video Conferencing with Zoom" plugin (slug: video-conferencing-with-zoom-api) fails to implement proper capability checks on several of its AJAX handlers. While these handlers may verify a WordPress nonce to prevent Cross-Site Request Forgery (CSRF), they do not verify that the authenticated user has the necessary permissions (e.g., manage_options) to perform administrative tasks. This allows any authenticated user, including those with Subscriber privileges, to trigger sensitive actions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: vczapi_sync_zoom_meetings (inferred) or vczapi_save_settings (inferred).
  • Parameters: action, security (the nonce), and action-specific data (e.g., user_id, api_key).
  • Authentication Level: Subscriber-level (or any logged-in user).
  • Preconditions:
    1. The plugin must be active.
    2. The attacker must have valid Subscriber credentials.
    3. A nonce must be obtained from a page where the plugin enqueues its AJAX data.

3. Code Flow (Inferred Trace)

  1. Registration: The plugin registers AJAX actions in includes/class-vczapi-ajax.php (or similar file) using add_action( 'wp_ajax_vczapi_...', ... ).
  2. Entry Point: An authenticated user sends a POST request to admin-ajax.php with action=vczapi_sync_zoom_meetings.
  3. Nonce Check: The handler (e.g., sync_zoom_meetings) likely calls check_ajax_referer( 'vczapi_ajax_nonce', 'security' ).
  4. The Flaw: The handler proceeds to execute logic (such as making API calls to Zoom or updating database options) without a subsequent if ( ! current_user_can( 'manage_options' ) ) wp_die(); check.
  5. Execution: The sensitive operation is performed on behalf of the subscriber.

4. Nonce Acquisition Strategy

The plugin localizes AJAX data, including the nonce, for use in its JavaScript files. This data is typically tied to the vczapi_ajax variable.

  1. Find the Trigger: Identify a shortcode that forces the plugin to load its frontend scripts. Common shortcodes: [vczapi_upcoming_meetings] or [vczapi_zoom_meeting].
  2. Setup Page: Create a public page containing one of these shortcodes.
    • wp post create --post_type=page --post_status=publish --post_content='[vczapi_upcoming_meetings]'
  3. Extract Nonce:
    • Log in as a Subscriber.
    • Navigate to the created page in a browser.
    • In the browser console, evaluate vczapi_ajax.ajax_nonce to read the token, or read it from the inline script that wp_localize_script() emits (var vczapi_ajax = {...};) in the page source.
    • Note: The JS variable is assumed to be vczapi_ajax and the key ajax_nonce; confirm both against the plugin's wp_localize_script() call before relying on them.

5. Exploitation Strategy

We will attempt to trigger an unauthorized "Sync Meetings" action, which forces the server to communicate with the Zoom API.

  • Step 1: Log in as a Subscriber and obtain the nonce as described in Section 4.
  • Step 2: Construct a POST request to admin-ajax.php, sending the Subscriber's session cookies with it.
  • Step 3: Send the payload with curl or any HTTP client that carries those cookies.

HTTP Request Payload:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=vczapi_sync_zoom_meetings&security=[EXTRACTED_NONCE]
    
    (Note: If the vulnerability is in vczapi_save_settings, the body would include setting keys and values).

6. Test Data Setup

  1. Users:
    • Create an admin: wp user create admin admin@example.com --role=administrator --user_pass=password
    • Create a subscriber: wp user create victim victim@example.com --role=subscriber --user_pass=password
  2. Plugin Configuration:
    • The plugin might require dummy Zoom API credentials (API Key/Secret) to be saved in the settings to reach the vulnerable code paths. The option names below are assumed; read the plugin's settings code for the real keys.
    • wp option update vczapi_api_key "123456789"
    • wp option update vczapi_api_secret "abcdefgh"
  3. Nonce Source: Create the page mentioned in Section 4.

7. Expected Results

  • Successful Exploitation: The server returns a JSON response indicating success (e.g., {"success":true,"data":"..."}) or triggers a visible side effect (like updating a timestamp in the database).
  • Vulnerability Confirmation: If the subscriber can trigger the action and receive a "success" response that is normally reserved for admins, the authorization bypass is confirmed.

8. Verification Steps

  1. Check Logs: Look for evidence of the action being performed (the admin-ajax.php POST in the web server access log, PHP error log entries, or an outbound request to the Zoom API).
  2. Check Database: If the action was a sync or setting update, check the wp_options table:
    • wp option get vczapi_last_sync_time (or similar key).
  3. Role Comparison: Send the same request from an Administrator session and compare; a Subscriber receiving the same success response is the bypass. Sending it without any cookies is a weaker control: for a wp_ajax_ action with no wp_ajax_nopriv_ counterpart, admin-ajax.php answers 0 (HTTP 400), and a wrong or stale nonce makes check_ajax_referer() answer -1 (HTTP 403). Neither response says anything about capability checks.

9. Alternative Approaches

If vczapi_sync_zoom_meetings is not the vulnerable handler, use the following grep commands in the plugin directory to find other candidates:

  1. Identify all AJAX handlers:
    grep -rn "wp_ajax_" .
  2. Audit for missing capability checks:
    Search for the function definitions found in step 1 and check if they contain current_user_can.
    grep -rn "function vczapi_" .
  3. Check for "Save Settings" endpoints:
    Often plugins have a generic "save settings" AJAX action that is poorly protected. Look for vczapi_save_settings or vczapi_store_credentials.
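
The grep-and-read audit in step 2 above, as an added heuristic script (not part of the advisory or the plugin): it lists every add_action('wp_ajax_...') registration in PHP source, locates each callback's body, and flags handlers that are reachable unauthenticated or that never call current_user_can(). The PHP sample embedded in it is constructed for the example; the handler names it contains are the research plan's inferred ones, not confirmed plugin code.

```python
"""Added example, not part of the advisory or the plugin: a heuristic static
audit that finds wp_ajax_* registrations in PHP source and flags callbacks
whose body never calls current_user_can(). The PHP sample is constructed;
its handler names are the research plan's inferred ones."""
import re
import sys
from pathlib import Path

# add_action( 'wp_ajax_<action>', <callback> ) where the callback is a plain
# function name, array( $this, 'method' ) or [ $this, 'method' ].
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*"""
    r"""(?:array\(\s*\$this\s*,\s*['"](\w+)['"]\s*\)"""
    r"""|\[\s*\$this\s*,\s*['"](\w+)['"]\s*\]"""
    r"""|['"](\w+)['"])""")

# Constructed sample: one nonce-only handler, one correctly guarded method,
# and one unauthenticated (nopriv) handler.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_vczapi_sync_zoom_meetings', 'vczapi_sync_zoom_meetings' );
add_action( 'wp_ajax_vczapi_get_meeting', array( $this, 'get_meeting' ) );
add_action( 'wp_ajax_nopriv_vczapi_join', 'vczapi_join' );

function vczapi_sync_zoom_meetings() {
    check_ajax_referer( 'vczapi_ajax_nonce', 'security' );   // CSRF only
    wp_send_json_success( array( 'message' => 'Synced' ) );
}
public function get_meeting() {
    check_ajax_referer( 'vczapi_ajax_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }
    wp_send_json_success();
}
function vczapi_join() {
    wp_send_json_success();
}
"""


def find_handlers(src):
    """Return (action, callback, is_nopriv) for every wp_ajax_ registration."""
    out = []
    for m in HOOK_RE.finditer(src):
        nopriv, action, arr_cb, list_cb, fn_cb = m.groups()
        out.append((action, arr_cb or list_cb or fn_cb, bool(nopriv)))
    return out


def function_body(src, name):
    """Body of `function name(...) { ... }` found by brace counting. Braces
    inside strings or comments are not special-cased, so treat hits as leads."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit(src):
    """Flag handlers that are unauthenticated or lack a capability check."""
    findings = []
    for action, callback, nopriv in find_handlers(src):
        body = function_body(src, callback)
        if body is None:
            findings.append((action, callback, "callback not defined in this source"))
        elif nopriv:
            findings.append((action, callback, "nopriv handler: review what it exposes"))
        elif "current_user_can" not in body:
            nonce = "check_ajax_referer" in body or "wp_verify_nonce" in body
            findings.append((action, callback,
                             "nonce only, no capability check" if nonce
                             else "no nonce and no capability check"))
    return findings


def audit_tree(root):
    """Run audit() over every .php file under root. A callback defined in a
    different file than its add_action() is reported as undefined; that is a
    limitation of the per-file scan, not a finding."""
    results = []
    for path in Path(root).rglob("*.php"):
        src = path.read_text(encoding="utf-8", errors="replace")
        results += [(str(path),) + f for f in audit(src)]
    return results


if __name__ == "__main__":
    rows = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_PHP)
    for row in rows:
        print(*row, sep="\t")
```

Run with the plugin directory as the only argument to scan it; with no argument it audits the embedded sample. Every "nonce only" hit is a candidate for the bug class this CVE describes and needs a read of the callback to decide whether the action is actually sensitive; a nonce proves the request came from the plugin's own page, not that the user may perform the action.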

Research Findings
Static analysis — not yet PoC-verified

Summary

The Video Conferencing with Zoom plugin for WordPress fails to implement proper authorization checks on its AJAX handlers, specifically for actions like syncing Zoom meetings. This allows authenticated users with low-level privileges, such as Subscribers, to trigger administrative functions by providing a valid nonce.

Vulnerable Code

// includes/class-vczapi-ajax.php

add_action( 'wp_ajax_vczapi_sync_zoom_meetings', 'vczapi_sync_zoom_meetings' );

function vczapi_sync_zoom_meetings() {
    // Nonce verification exists, but capability check is missing
    check_ajax_referer( 'vczapi_ajax_nonce', 'security' );

    // ... execution logic for syncing meetings ...

    wp_send_json_success( array( 'message' => 'Synced' ) );
}

Security Fix

--- includes/class-vczapi-ajax.php
+++ includes/class-vczapi-ajax.php
@@ -10,6 +10,10 @@
 function vczapi_sync_zoom_meetings() {
     check_ajax_referer( 'vczapi_ajax_nonce', 'security' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
+    }
+
     // ... execution logic for syncing meetings ...
 
     wp_send_json_success( array( 'message' => 'Synced' ) );
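Review bot: the capability name manage_options in the added check, like the file and function names in this hunk, is the research plan's inferred value (the page marks the analysis as not yet PoC-verified), so confirm both against the plugin's actual 4.6.7 change before treating this diff as the upstream fix. The early exit itself is sound: wp_send_json_error() ends the request through wp_die(), so no explicit return is needed after it. Two points to carry into the real fix: the nonce is still localized to every logged-in visitor, so the capability check must live in the handler rather than in who receives the nonce, and if the sync is meant to be usable by non-administrator roles, a narrower capability than manage_options keeps the fix from breaking them.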

Exploit Outline

The exploit involves an authenticated Subscriber-level user obtaining a valid AJAX nonce and using it to trigger restricted actions.

  1. Authenticate as a Subscriber-level user.
  2. Navigate to any page where the plugin's frontend scripts are loaded (often triggered by shortcodes like [vczapi_upcoming_meetings]).
  3. Extract the AJAX nonce from the localized JavaScript object vczapi_ajax.ajax_nonce.
  4. Send a POST request to /wp-admin/admin-ajax.php with the parameters action=vczapi_sync_zoom_meetings and security=[NONCE].
  5. The server executes the administrative sync process because it verifies the nonce but does not verify that the user holds an administrative capability (e.g., manage_options).
