CVE-2026-1833

WaMate Confirm <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Note that the vector records Privileges Required as None, while the description requires a Subscriber account; scored with PR:L instead, the same vector yields a base score of 4.3.

Technical Details

Affected versions: <= 2.0.1
Published: February 10, 2026
Last updated: April 15, 2026
Affected plugin: wamate-confirm

Research Plan

Status: Unverified

This research plan outlines the steps required to analyze and exploit the Missing Authorization vulnerability in the WaMate Confirm – Order Confirmation plugin.

1. Vulnerability Summary

The WaMate Confirm – Order Confirmation plugin (up to version 2.0.1) contains a vulnerability where authenticated users with Subscriber-level permissions or higher can block and unblock arbitrary phone numbers. This is caused by an AJAX handler that fails to verify the user's capabilities (e.g., current_user_can('manage_options')) before modifying the plugin's blocklist.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Authentication: Authenticated (Subscriber+)
  • Vulnerable Action(s): Likely wamate_confirm_block_number and wamate_confirm_unblock_number (inferred from plugin functionality; confirm the exact hook names against the plugin source).
  • Parameters:
    • action: The AJAX action name.
    • phone: The phone number to block/unblock.
    • _ajax_nonce (or _wpnonce, or a custom name): the nonce that check_ajax_referer() verifies. When the handler passes no query-argument name, WordPress looks for _ajax_nonce first and then _wpnonce.
  • Precondition: The attacker must have a valid Subscriber-level account and a valid nonce for the specific action.

3. Code Flow (Inferred)

  1. Registration: The plugin registers AJAX actions in its initialization phase:
    // Inferred registration pattern
    add_action( 'wp_ajax_wamate_confirm_block_number', array( $this, 'block_number_callback' ) );
    add_action( 'wp_ajax_wamate_confirm_unblock_number', array( $this, 'unblock_number_callback' ) );
    
  2. Handler Execution: The handler function (e.g., block_number_callback) is called.
  3. Missing Check: The handler likely calls check_ajax_referer() (which only proves the request originated from a page that embedded the nonce) but omits current_user_can(), so any logged-in user who holds the nonce passes. The fix is a capability check such as current_user_can('manage_options') after the nonce check, with wp_send_json_error() on failure.
  4. Database/Option Update: The handler updates a plugin setting (likely in wp_options) that contains the array of blocked phone numbers.

4. Nonce Acquisition Strategy

Even though the functionality is intended for administrators, nonces for admin-side AJAX are often exposed to every user who can open the WordPress dashboard (/wp-admin/), including Subscribers, because wp_localize_script() prints the nonce into any admin screen on which the plugin's script is enqueued.

  1. Identify Localization: Look for wp_localize_script in the plugin source to find the variable name holding the nonce, and note which hook enqueues the script.
    • Grep Command: grep -rn "wp_localize_script" .
  2. Check Where the Script Loads: If it is enqueued on admin_enqueue_scripts without a $hook_suffix check, it is emitted on every admin screen, including the Dashboard and Profile pages a Subscriber can open. If it is only enqueued on the plugin's own settings page, a Subscriber cannot reach it there (the menu page is gated by the capability passed to add_menu_page() or add_options_page(), normally manage_options) and the alternatives in section 9 apply.
  3. Extraction via Browser:
    • Log in as the Subscriber.
    • Navigate to /wp-admin/.
    • Read the localized object from the browser console (or an automated browser).
    • Hypothetical JS: window.wamate_confirm_admin?.nonce (verify the exact name during research).

5. Exploitation Strategy

Once the Subscriber credentials and nonce are obtained:

  1. Identify exact action and parameters:
    • Search the codebase for the string "block" in relation to wp_ajax.
    • Grep Command: grep -r "wp_ajax_.*block" .
  2. Craft the Payload:
    • Method: POST
    • URL: https://<target>/wp-admin/admin-ajax.php
    • Content-Type: application/x-www-form-urlencoded
    • Cookies: the Subscriber's WordPress auth cookies (wordpress_logged_in_*); without them admin-ajax.php answers 0 for any action that has no wp_ajax_nopriv_ counterpart.
    • Body: action=<ACTION_NAME>&phone=1234567890&_ajax_nonce=<NONCE>
  3. Execute Request: Send it with curl or an equivalent HTTP client and capture the response body.

6. Test Data Setup

  1. Install WaMate Confirm – Order Confirmation <= 2.0.1.
  2. Create a Subscriber user: wp user create attacker attacker@example.com --role=subscriber --user_pass=password123.
  3. Identify where the blocklist is stored (e.g., a specific option name like wamate_confirm_blocklist).

7. Expected Results

  • The server should return a successful response (e.g., {"success":true} from wp_send_json_success(), or a bare 1). A bare 0 means no handler ran for that action; -1 means check_ajax_referer() rejected the nonce.
  • The provided phone number should be added to or removed from the plugin's blocked numbers list.
  • Administrative users should now see the number as "Blocked" in the plugin settings UI.

8. Verification Steps

After sending the exploit request, verify the change using WP-CLI:

  1. Locate and dump the relevant WordPress option: wp option list --search='*wamate*' to find its name, then wp option get <option_name> (wamate_confirm_settings is a guess until confirmed during research).
  2. Verify the phone number exists within the data structure.
  3. Check the UI as an admin to confirm the number appears in the "Blocked Numbers" section.

9. Alternative Approaches

If the Subscriber cannot access the nonce via the standard dashboard:

  • Check if the plugin enqueues the script on the login page or frontend pages.
  • Check whether the nonce is created with the default action (-1) or with the wp_rest action; a default-action nonce can be harvested from any page that emits one, and a wp_rest nonce is exposed to every logged-in user by the core REST scripts.
  • Check for REST API endpoints (/wp-json/) that might mirror the AJAX functionality and lack permission_callback.
