WF-b1971bb8-fb24-40f6-bbd8-60b5dc1f0822-wp-business-intelligence-lite

WP Business Intelligence Lite <= 3.2.0 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP Business Intelligence Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.2.0
PublishedMay 5, 2026
Last updatedMay 11, 2026
Research Plan
Unverified

# Exploitation Research Plan: WP Business Intelligence Lite <= 3.2.0 - Missing Authorization ## 1. Vulnerability Summary The **WP Business Intelligence Lite** plugin (versions up to 3.2.0) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, functions registered …

Show full research plan

Exploitation Research Plan: WP Business Intelligence Lite <= 3.2.0 - Missing Authorization

1. Vulnerability Summary

The WP Business Intelligence Lite plugin (versions up to 3.2.0) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, functions registered via the wp_ajax_ hook (accessible to any authenticated user) fail to perform a capability check using current_user_can(). This allows a user with low-level privileges (Subscriber) to execute administrative actions, such as modifying plugin settings or manipulating stored queries.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: wpbi_lite_save_settings (inferred action name based on version 3.2.0 research)
  • Authentication: Required (Subscriber level)
  • Payload Parameter: settings_data (or similar array of plugin options)
  • Preconditions: The attacker must have a valid Subscriber account and obtain a valid AJAX nonce.

3. Code Flow

  1. Entry Point: The plugin registers the AJAX handler in the admin class (typically admin/class-wp-business-intelligence-lite-admin.php):
    add_action( 'wp_ajax_wpbi_lite_save_settings', array( $this, 'wpbi_lite_save_settings' ) );
    
  2. Trigger: An authenticated user sends a POST request to admin-ajax.php with action=wpbi_lite_save_settings.
  3. Vulnerable Sink: The function wpbi_lite_save_settings is invoked:
    • It likely checks a nonce: check_ajax_referer( 'wpbi_lite_admin_nonce', 'nonce' );
    • CRITICAL FAILURE: It lacks a check like if ( ! current_user_can( 'manage_options' ) ) wp_die();.
    • It proceeds to update plugin options: update_option( 'wpbi_lite_settings', $_POST['settings_data'] );

4. Nonce Acquisition Strategy

The plugin localizes its AJAX configuration for the admin dashboard. While subscribers have limited access, they can still access /wp-admin/profile.php or the main dashboard, which often triggers the loading of common admin scripts.

  1. Identify Localized Variable: Look for wp_localize_script in the source (likely targeting a handle like wpbi-lite-admin-js).
  2. JS Variable Name: wpbi_lite_admin (inferred).
  3. Nonce Key: nonce.
  4. Extraction Method:
    • Log in as a Subscriber.
    • Navigate to /wp-admin/index.php.
    • Use browser_eval to extract the nonce:
      browser_eval("window.wpbi_lite_admin?.nonce")

Note: If the script is only loaded on specific plugin pages, the agent should first try to access the plugin's settings page directly. Even if access is denied (403), the scripts might still be enqueued.

5. Exploitation Strategy

The goal is to modify a plugin setting that proves unauthorized control.

HTTP Request:

  • Method: POST
  • URL: {{base_url}}/wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=wpbi_lite_save_settings&nonce={{extracted_nonce}}&settings_data[test_option]=vulnerable_value
    

Expected Response:

  • Status: 200 OK
  • Body: Often returns 1 or a JSON success message {"success": true}.

6. Test Data Setup

  1. Install WP Business Intelligence Lite version 3.2.0.
  2. Create a user with the Subscriber role.
  3. (Optional) Identify any existing settings in the wp_options table under the prefix wpbi_lite_ to use as a target for modification.

7. Expected Results

A successful exploit will result in the plugin's configuration being updated in the database despite the request originating from a Subscriber. This demonstrates a breach of the intended security model where only Administrators should modify settings.

8. Verification Steps

Use WP-CLI to check if the injected setting persists in the database:

# Check if the 'wpbi_lite_settings' option contains the injected payload
wp option get wpbi_lite_settings --format=json

The output should reflect the vulnerable_value sent in the AJAX request.

9. Alternative Approaches

If wpbi_lite_save_settings is not the vulnerable action, search for other AJAX registrations in the plugin source:

grep -rn "add_action.*wp_ajax_" wp-content/plugins/wp-business-intelligence-lite/

Specifically, look for wpbi_save_query or wpbi_delete_query. If those actions also lack current_user_can(), they can be exploited to delete or modify the business intelligence queries used by the site, which has a higher impact (denial of service or data manipulation).

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Business Intelligence Lite plugin for WordPress (versions 3.2.0 and below) is vulnerable to unauthorized settings modification. Due to a lack of capability checks in its AJAX handlers, an authenticated user with Subscriber-level privileges can modify plugin options and business intelligence queries.

Vulnerable Code

// admin/class-wp-business-intelligence-lite-admin.php

// The plugin registers AJAX handlers for authenticated users but fails to verify administrative capabilities.
add_action( 'wp_ajax_wpbi_lite_save_settings', array( $this, 'wpbi_lite_save_settings' ) );

public function wpbi_lite_save_settings() {
    // Nonce check exists, but capability check is missing
    check_ajax_referer( 'wpbi_lite_admin_nonce', 'nonce' );

    if ( isset( $_POST['settings_data'] ) ) {
        update_option( 'wpbi_lite_settings', $_POST['settings_data'] );
        wp_send_json_success();
    }
    wp_send_json_error();
}

Security Fix

--- admin/class-wp-business-intelligence-lite-admin.php
+++ admin/class-wp-business-intelligence-lite-admin.php
@@ -10,6 +10,10 @@
 public function wpbi_lite_save_settings() {
     check_ajax_referer( 'wpbi_lite_admin_nonce', 'nonce' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
+    }
+
     if ( isset( $_POST['settings_data'] ) ) {
         update_option( 'wpbi_lite_settings', $_POST['settings_data'] );
         wp_send_json_success();

Exploit Outline

The exploit involves three main steps: 1. Authentication: Log in to the WordPress site as a user with minimal privileges (Subscriber). 2. Nonce Retrieval: Locate the localized JavaScript variable (e.g., wpbi_lite_admin.nonce) by inspecting the source code of the WordPress admin dashboard (such as /wp-admin/profile.php). 3. Unauthorized Request: Submit a POST request to /wp-admin/admin-ajax.php using the extracted nonce. The request must include the 'action' parameter set to 'wpbi_lite_save_settings' and a 'settings_data' array containing the desired configuration values to be updated in the database.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.