CVE-2025-62092

Wiremo <= 1.4.99 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Wiremo plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.4.99. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.99
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginwoo-reviews-by-wiremo
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-62092 (Wiremo <= 1.4.99) ## 1. Vulnerability Summary The **Wiremo – Product Reviews for WooCommerce** plugin (versions up to 1.4.99) contains a missing authorization vulnerability. Specifically, it exposes administrative or sensitive functionality via WordPre…

Show full research plan

Exploitation Research Plan - CVE-2025-62092 (Wiremo <= 1.4.99)

1. Vulnerability Summary

The Wiremo – Product Reviews for WooCommerce plugin (versions up to 1.4.99) contains a missing authorization vulnerability. Specifically, it exposes administrative or sensitive functionality via WordPress AJAX or REST API endpoints without implementing sufficient capability checks (e.g., current_user_can()). This allows unauthenticated attackers to perform actions such as modifying plugin settings, triggering data synchronizations, or potentially altering review data.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Vulnerable Action: Likely a wp_ajax_nopriv_ registered hook or a wp_ajax_ hook that fails to check capabilities. Based on the plugin's purpose, the target function likely manages the API connection between WordPress and the Wiremo SaaS platform.
  • Payload Parameter: action, wiremo_api_key (inferred), or settings (inferred).
  • Authentication: Unauthenticated (No login required).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: The plugin registers AJAX handlers during the init or admin_init hook.
  2. Registration: Search for registrations like:
    add_action( 'wp_ajax_nopriv_wiremo_save_settings', [ $this, 'wiremo_save_settings' ] );
    or any function hooked to admin_init that processes $_POST data without a current_user_can check.
  3. Vulnerable Sink: The handler function (e.g., save_settings, connect_wiremo) directly interacts with update_option() or wpdb using user-supplied parameters without verifying the requester's identity or permissions.

4. Nonce Acquisition Strategy

If the vulnerable endpoint uses check_ajax_referer or wp_verify_nonce, the nonce is likely localized for use in the admin or product pages.

  1. Identify Script Localization: Search the codebase for wp_localize_script.
    • grep -r "wp_localize_script" .
  2. Identify Variable Name: Look for a localization call in includes/class-wiremo.php or includes/class-wiremo-admin.php.
    • Example (Inferred): wp_localize_script( 'wiremo-admin-js', 'wiremo_vars', [...] )
  3. Setup Page: If the script only loads on specific pages (like the settings page or a page with a shortcode), create a post containing the Wiremo shortcode:
    • wp post create --post_type=page --post_status=publish --post_content='[wiremo_reviews]'
  4. Extract Nonce:
    • Navigate to the newly created page.
    • Execute: browser_eval("window.wiremo_vars?.nonce") (Verify exact key names in source).

5. Exploitation Strategy

The goal is to demonstrate unauthorized modification of plugin settings (e.g., the API Key or Wiremo ID).

Step 1: Discovery

Find the exact unauthenticated AJAX action:

grep -rn "wp_ajax_nopriv_" .

Identify functions that handle data updates. Let's assume the action is wiremo_save_settings.

Step 2: Craft Request

Use http_request to trigger the vulnerable action.

Example Payload (Inferred):

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=wiremo_save_settings&nonce=[EXTRACTED_NONCE]&wiremo_api_key=pwned_key_123&wiremo_identifier=pwned_id
    

Step 3: Trigger Execution

Submit the request. If successful, the server should return a 200 OK or a JSON success message like {"success": true}.

6. Test Data Setup

  1. Install Plugin: Ensure woo-reviews-by-wiremo version 1.4.99 is installed.
  2. Initialize Settings: Set a dummy API key via WP-CLI to provide a baseline for verification.
    • wp option update wiremo_api_key "original_secure_key"
  3. Create Public Page: (If nonce is required) Create a page with the plugin's shortcode to facilitate nonce extraction.
    • wp post create --post_type=page --post_status=publish --post_content='[wiremo_reviews]' --post_title='Wiremo Test'

7. Expected Results

  • The AJAX request should bypass authorization checks.
  • The plugin's internal settings (stored in wp_options) should be overwritten by the attacker-supplied values.
  • No "403 Forbidden" or "Cheatin' uh?" errors should occur despite being unauthenticated.

8. Verification Steps

After the exploit, verify the integrity loss using WP-CLI:

# Check if the API key was modified
wp option get wiremo_api_key

# Check for other modified settings
wp option get wiremo_settings

If the output is pwned_key_123, the "Missing Authorization" vulnerability is confirmed.

9. Alternative Approaches

If no wp_ajax_nopriv_ is found, investigate functions hooked to admin_init.
Logic: admin_init runs when admin-ajax.php is accessed, even by unauthenticated users. If a function hooked to admin_init processes $_POST and updates options without calling current_user_can('manage_options'), it is vulnerable to unauthenticated exploitation.

Grep Command:

grep -rn "add_action.*admin_init" .

Examine each callback function for missing capability checks and $_POST usage.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Wiremo plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on administrative functions in versions up to, and including, 1.4.99. This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin settings and API keys, by sending crafted requests to administrative or AJAX endpoints.

Exploit Outline

An attacker targets the `/wp-admin/admin-ajax.php` endpoint by identifying a registered AJAX action or a function hooked to `admin_init` (such as one that handles plugin configuration) that lacks a `current_user_can()` check. By sending a POST request containing the vulnerable `action` and desired setting values (like `wiremo_api_key`), the attacker can overwrite the plugin's configuration. If a nonce is required for the request, it can typically be retrieved from the frontend of the site by inspecting localized scripts on public pages where the plugin's review widget or shortcodes are active.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.