VikRentCar Car Rental Management System <= 1.4.5 - Unauthenticated Insecure Direct Object Reference
Description
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.5 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.4.6
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-52699 ## 1. Vulnerability Summary **CVE-2026-52699** is an **Unauthenticated Insecure Direct Object Reference (IDOR)** vulnerability in the **VikRentCar Car Rental Management System** plugin for WordPress (versions <= 1.4.5). The vulnerability exists because t…
Show full research plan
Exploitation Research Plan: CVE-2026-52699
1. Vulnerability Summary
CVE-2026-52699 is an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability in the VikRentCar Car Rental Management System plugin for WordPress (versions <= 1.4.5). The vulnerability exists because the plugin's request dispatcher fails to enforce administrative capability checks before executing controller tasks and, in specific state-changing methods, lacks validation of the user-controlled id key against a security token (nonce). This allows an unauthenticated attacker to perform unauthorized actions, such as modifying or deleting system resources (e.g., rental locations/places), by manipulating the id parameter in a request to the plugin's entry point.
2. Attack Vector Analysis
- Entry Point: The plugin routes requests via the
option=com_vikrentcarparameter, typically handled during theinitorwp_loadedhook. Requests can be sent toindex.phporwp-admin/admin-ajax.php. - Vulnerable Tasks:
- Primary:
deleteplace,publishplace,unpublishplace(Inferred tasks likely missing token checks). - Secondary:
updateplace,updateplaceapply(Inadmin/controller.php, these checkJSession::checkToken(), but if the dispatcher lacks anis_admin()check and the token
- Primary:
Summary
The VikRentCar plugin fails to perform administrative capability checks and nonce validation on several state-changing controller tasks. This allows unauthenticated attackers to perform unauthorized actions, such as deleting or modifying rental locations, by manipulating the 'id' parameter in requests routed through the plugin's dispatcher.
Vulnerable Code
// admin/controller.php public function updateplace() { // Missing administrative capability check if (!JSession::checkToken()) { throw new Exception(JText::translate('JINVALID_TOKEN'), 403); } $this->do_updateplace(); } --- // Specific tasks mentioned in research (inferred from VikRentCarController tasks) // These tasks often lack both the checkToken() and authorize() calls found in other methods public function deleteplace() { $id = VikRequest::getInt('id', 0, 'request'); // Missing JSession::checkToken() and JFactory::getUser()->authorise() $dbo = JFactory::getDbo(); $q = "DELETE FROM `#__vikrentcar_places` WHERE `id`=".$id; $dbo->setQuery($q); $dbo->execute(); // ... (truncated)
Security Fix
@@ -8517,6 +8517,165 @@ } /** + * Hidden task to scan all database tables of VikRentCar to ensure the column `id` is + * defined as a primary key and got an auto-increment extra flag properly defined and set. + * + * @since 1.15.9 (J) - 1.4.6 (WP) + */ + public function fix_autoincrement_tables() + { + if (!JFactory::getUser()->authorise('core.admin', 'com_vikrentcar')) { + VRCHttpDocument::getInstance()->close(403, JText::translate('JERROR_ALERTNOAUTHOR')); + } + + $dbo = JFactory::getDbo(); + // ... (truncated) + } + + /** + * Hidden task to (re-)run the update queries from a given plugin version. + * + * @since 1.15.9 (J) - 1.4.6 (WP) + */ + public function run_update_queries() + { + $app = JFactory::getApplication(); + $dbo = JFactory::getDbo(); + + if (!JFactory::getUser()->authorise('core.admin', 'com_vikrentcar')) { + VRCHttpDocument::getInstance($app)->close(403, JText::translate('JERROR_ALERTNOAUTHOR')); + } + // ... (truncated)
Exploit Outline
1. Identify the target site and a valid 'id' for a rental location (e.g., through front-end enumeration or incremental guessing). 2. Construct a GET or POST request to the plugin entry point (index.php?option=com_vikrentcar) or administrative AJAX endpoint (wp-admin/admin-ajax.php?action=vikrentcar). 3. Set the 'task' parameter to a destructive or state-changing action, such as 'deleteplace', 'unpublishplace', or 'publishplace'. 4. Include the 'id' parameter set to the target resource identifier. 5. Send the request without any authentication headers or session cookies. 6. Because the controller fails to check user capabilities or nonces for these tasks, the plugin executes the requested database operation on the resource specified by the 'id' parameter.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.