WP Business Intelligence Lite <= 3.2.0 - Missing Authorization
Description
The WP Business Intelligence Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.2.0# Exploitation Research Plan: WP Business Intelligence Lite <= 3.2.0 - Missing Authorization ## 1. Vulnerability Summary The **WP Business Intelligence Lite** plugin (versions up to 3.2.0) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, functions registered …
Show full research plan
Exploitation Research Plan: WP Business Intelligence Lite <= 3.2.0 - Missing Authorization
1. Vulnerability Summary
The WP Business Intelligence Lite plugin (versions up to 3.2.0) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, functions registered via the wp_ajax_ hook (accessible to any authenticated user) fail to perform a capability check using current_user_can(). This allows a user with low-level privileges (Subscriber) to execute administrative actions, such as modifying plugin settings or manipulating stored queries.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Action:
wpbi_lite_save_settings(inferred action name based on version 3.2.0 research) - Authentication: Required (Subscriber level)
- Payload Parameter:
settings_data(or similar array of plugin options) - Preconditions: The attacker must have a valid Subscriber account and obtain a valid AJAX nonce.
3. Code Flow
- Entry Point: The plugin registers the AJAX handler in the admin class (typically
admin/class-wp-business-intelligence-lite-admin.php):add_action( 'wp_ajax_wpbi_lite_save_settings', array( $this, 'wpbi_lite_save_settings' ) ); - Trigger: An authenticated user sends a POST request to
admin-ajax.phpwithaction=wpbi_lite_save_settings. - Vulnerable Sink: The function
wpbi_lite_save_settingsis invoked:- It likely checks a nonce:
check_ajax_referer( 'wpbi_lite_admin_nonce', 'nonce' ); - CRITICAL FAILURE: It lacks a check like
if ( ! current_user_can( 'manage_options' ) ) wp_die();. - It proceeds to update plugin options:
update_option( 'wpbi_lite_settings', $_POST['settings_data'] );
- It likely checks a nonce:
4. Nonce Acquisition Strategy
The plugin localizes its AJAX configuration for the admin dashboard. While subscribers have limited access, they can still access /wp-admin/profile.php or the main dashboard, which often triggers the loading of common admin scripts.
- Identify Localized Variable: Look for
wp_localize_scriptin the source (likely targeting a handle likewpbi-lite-admin-js). - JS Variable Name:
wpbi_lite_admin(inferred). - Nonce Key:
nonce. - Extraction Method:
- Log in as a Subscriber.
- Navigate to
/wp-admin/index.php. - Use
browser_evalto extract the nonce:browser_eval("window.wpbi_lite_admin?.nonce")
Note: If the script is only loaded on specific plugin pages, the agent should first try to access the plugin's settings page directly. Even if access is denied (403), the scripts might still be enqueued.
5. Exploitation Strategy
The goal is to modify a plugin setting that proves unauthorized control.
HTTP Request:
- Method: POST
- URL:
{{base_url}}/wp-admin/admin-ajax.php - Content-Type:
application/x-www-form-urlencoded - Body:
action=wpbi_lite_save_settings&nonce={{extracted_nonce}}&settings_data[test_option]=vulnerable_value
Expected Response:
- Status: 200 OK
- Body: Often returns
1or a JSON success message{"success": true}.
6. Test Data Setup
- Install WP Business Intelligence Lite version 3.2.0.
- Create a user with the Subscriber role.
- (Optional) Identify any existing settings in the
wp_optionstable under the prefixwpbi_lite_to use as a target for modification.
7. Expected Results
A successful exploit will result in the plugin's configuration being updated in the database despite the request originating from a Subscriber. This demonstrates a breach of the intended security model where only Administrators should modify settings.
8. Verification Steps
Use WP-CLI to check if the injected setting persists in the database:
# Check if the 'wpbi_lite_settings' option contains the injected payload
wp option get wpbi_lite_settings --format=json
The output should reflect the vulnerable_value sent in the AJAX request.
9. Alternative Approaches
If wpbi_lite_save_settings is not the vulnerable action, search for other AJAX registrations in the plugin source:
grep -rn "add_action.*wp_ajax_" wp-content/plugins/wp-business-intelligence-lite/
Specifically, look for wpbi_save_query or wpbi_delete_query. If those actions also lack current_user_can(), they can be exploited to delete or modify the business intelligence queries used by the site, which has a higher impact (denial of service or data manipulation).
Summary
The WP Business Intelligence Lite plugin for WordPress (versions 3.2.0 and below) is vulnerable to unauthorized settings modification. Due to a lack of capability checks in its AJAX handlers, an authenticated user with Subscriber-level privileges can modify plugin options and business intelligence queries.
Vulnerable Code
// admin/class-wp-business-intelligence-lite-admin.php // The plugin registers AJAX handlers for authenticated users but fails to verify administrative capabilities. add_action( 'wp_ajax_wpbi_lite_save_settings', array( $this, 'wpbi_lite_save_settings' ) ); public function wpbi_lite_save_settings() { // Nonce check exists, but capability check is missing check_ajax_referer( 'wpbi_lite_admin_nonce', 'nonce' ); if ( isset( $_POST['settings_data'] ) ) { update_option( 'wpbi_lite_settings', $_POST['settings_data'] ); wp_send_json_success(); } wp_send_json_error(); }
Security Fix
@@ -10,6 +10,10 @@ public function wpbi_lite_save_settings() { check_ajax_referer( 'wpbi_lite_admin_nonce', 'nonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'You do not have sufficient permissions to access this page.' ) ); + } + if ( isset( $_POST['settings_data'] ) ) { update_option( 'wpbi_lite_settings', $_POST['settings_data'] ); wp_send_json_success();
Exploit Outline
The exploit involves three main steps: 1. Authentication: Log in to the WordPress site as a user with minimal privileges (Subscriber). 2. Nonce Retrieval: Locate the localized JavaScript variable (e.g., wpbi_lite_admin.nonce) by inspecting the source code of the WordPress admin dashboard (such as /wp-admin/profile.php). 3. Unauthorized Request: Submit a POST request to /wp-admin/admin-ajax.php using the extracted nonce. The request must include the 'action' parameter set to 'wpbi_lite_save_settings' and a 'settings_data' array containing the desired configuration values to be updated in the database.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.