Wheel of Life <= 1.2.0 - Missing Authorization
Description
The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.2.0What Changed in the Fix
Changes introduced in v1.2.1
Source Code
WordPress.org SVN# Vulnerability Research Plan: CVE-2026-25000 (Missing Authorization) ## 1. Vulnerability Summary The **Wheel of Life** plugin (up to 1.2.0) is vulnerable to **Missing Authorization**. The `Wheel_Of_Life_Ajax` class registers several AJAX actions that lack proper capability checks or nonce verifica…
Show full research plan
Vulnerability Research Plan: CVE-2026-25000 (Missing Authorization)
1. Vulnerability Summary
The Wheel of Life plugin (up to 1.2.0) is vulnerable to Missing Authorization. The Wheel_Of_Life_Ajax class registers several AJAX actions that lack proper capability checks or nonce verification for unauthenticated users. Specifically, the saveWheelReport action is registered via a helper method add_ajax, which makes it accessible to unauthenticated attackers (wp_ajax_nopriv_).
If the callback save_my_wheel_report fails to perform authorization or robust nonce verification, an unauthenticated attacker can perform unauthorized actions, such as creating arbitrary submissions in the wheel-submissions custom post type.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
saveWheelReport(and potentiallysendMyWheelEmail) - HTTP Method: POST
- Payload Parameters:
action:saveWheelReportsecurity: The AJAX nonce (if checked)data: (Inferred) JSON string or array containing submission details (scores, email, name, etc.)
- Authentication: Unauthenticated (
nopriv) - Preconditions: The
wheeloflife_ajax_noncemust be obtained if the function checks it.
3. Code Flow
- Entry Point: `includes/functions/
Summary
The Wheel of Life plugin for WordPress is vulnerable to unauthorized access and potential data injection due to missing capability checks on its AJAX handlers. This allows unauthenticated attackers to trigger actions such as creating arbitrary assessment submissions or sending unauthorized emails by interacting with functions registered for public access without proper authorization controls.
Vulnerable Code
// includes/functions/AjaxFunctions.php:72 private function init_hooks() { // Register pages add_action( 'wp_ajax_addNewPost', array( $this, 'add_new_wheel_of_life' ) ); add_action( 'wp_ajax_editPost', array( $this, 'edit_wheel_of_life' ) ); add_action( 'wp_ajax_viewPost', array( $this, 'view_submission_wheel_of_life' ) ); add_action( 'wp_ajax_duplicatePost', array( $this, 'copy_wheel_of_life' ) ); add_action( 'wp_ajax_trashPost', array( $this, 'trash_wheel_of_life' ) ); add_action( 'wp_ajax_restorePost', array( $this, 'restore_wheel_of_life' ) ); add_action( 'wp_ajax_deletePost', array( $this, 'delete_wheel_of_life' ) ); add_action( 'wp_ajax_saveSocialShare', array( $this, 'save_social_share' ) ); add_action( 'wp_ajax_saveData', array( $this, 'save_wheel_of_life_setting' ) ); add_action( 'wp_ajax_getFormOption', array( $this, 'get_all_wheel' ) ); add_action( 'wp_ajax_saveCTA', array( $this, 'save_call_to_action' ) ); // Public ajax functions $this->add_ajax( 'getSocialShare', array( $this, 'get_social_share' ) ); $this->add_ajax( 'sendMyWheelEmail', array( $this, 'send_my_wheel_email' ) ); $this->add_ajax( 'saveWheelReport', array( $this, 'save_my_wheel_report' ) ); $this->add_ajax( 'getCTA', array( $this, 'get_call_to_action' ) ); } // includes/functions/AjaxFunctions.php:100 public function add_ajax( $action = false, $callback = false ) { if ( ! $action || ! $callback ) { return; } add_action( "wp_ajax_{$action}", $callback ); add_action( "wp_ajax_nopriv_{$action}", $callback ); }
Security Fix
@@ -101,6 +101,9 @@ public function save_my_wheel_report() { + if ( ! check_ajax_referer( 'wheeloflife_ajax_nonce', 'security', false ) ) { + wp_send_json_error( __( 'Unauthorized access.', 'wheel-of-life' ) ); + } $data = isset( $_POST[ 'data' ] ) ? json_decode( stripslashes_deep( $_POST[ 'data' ] ), true ) : '';
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by sending a POST request to the WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`). By specifying the `action` parameter as `saveWheelReport` or `sendMyWheelEmail`, the attacker can trigger the plugin's submission or email logic. To bypass nonce checks (if present on the unauthenticated actions), the attacker can first visit the site's frontend where the Wheel of Life block is rendered to extract the valid `wheeloflife_ajax_nonce` from the localized script data. The attacker then provides a `data` parameter containing a JSON-encoded payload representing arbitrary scores and metadata, which the plugin will save into the `wheel-submissions` custom post type without verifying if the user is authorized to perform such an action.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.