CVE-2026-25384

WP-Lister Lite for eBay <= 3.8.5 - Missing Authorization

  • Vulnerability: Missing Authorization
  • Severity: medium
  • CVSS Score: 5.3
  • Patched in: 3.8.6
  • Time to patch: 6d

Description

The WP-Lister Lite for eBay plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.8.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

  • Affected versions: <=3.8.5
  • Published: February 19, 2026
  • Last updated: February 24, 2026
  • Affected plugin: wp-lister-for-ebay
Research Plan
Unverified


This research plan outlines the technical steps to exploit CVE-2026-25384 in WP-Lister Lite for eBay. The vulnerability stems from a missing authorization check (capability check) in an AJAX handler, allowing unauthenticated users to perform unauthorized actions.


1. Vulnerability Summary

  • Vulnerability: Missing Authorization
  • Plugin: WP-Lister Lite for eBay (slug: wp-lister-for-ebay)
  • Affected Versions: <= 3.8.5
  • Vulnerable Component: AJAX registration in WPL_Ajax or WPL_Admin (inferred)
  • Impact: Unauthenticated attackers can trigger sensitive operations. Given the CVSS (5.3), the action likely involves dismissing notices, clearing caches, or modifying non-critical settings that affect the plugin's UI/state for legitimate administrators.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action Hook: wp_ajax_nopriv_wpl_dismiss_notice (inferred) or wp_ajax_nopriv_wpl_dismiss_pointer (inferred)
  • Vulnerable Parameter: action, id or notice_id
  • Preconditions: The plugin must be active. The exploit requires a valid WordPress nonce if the handler calls check_ajax_referer.

3. Code Flow (Inferred Trace)

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php.
  2. Hook Execution: WordPress triggers the hook wp_ajax_nopriv_wpl_dismiss_notice.
  3. Target Function: The function WPL_Ajax::dismiss_notice() (or similar) is called.
  4. Vulnerability: The function performs an operation (e.g., update_option( 'wpl_dismissed_' . $id, true )) without calling current_user_can( 'manage_options' ) to verify that the request comes from an administrator.
  5. Sink: update_option() or delete_transient() updates the database state based on unauthenticated input.

4. Nonce Acquisition Strategy

WP-Lister Lite enqueues scripts that contain nonces for its AJAX operations.

  1. Identify Script Localization: The plugin typically uses wp_localize_script to pass a nonce to the frontend, often under a variable like wpl_lite_vars or wpl_ajax_settings.
  2. Page for Extraction: The scripts are often loaded on the plugin's settings pages, but we need a public-facing page. If the plugin uses a shortcode (e.g., [wplister]), we will create a page with it.
  3. JS Variable Path (Inferred): window.wpl_lite_vars?.ajax_nonce or window.wpl_ajax_obj?.nonce.

Manual Verification Steps for Agent:

  • Search the codebase for wp_localize_script to find the exact variable name.
  • Search for wp_create_nonce to find the action string.

5. Exploitation Strategy

We will attempt to dismiss a notice/pointer or trigger a cache rebuild via AJAX.

Step 1: Discover the exact AJAX action

Grep the plugin for wp_ajax_nopriv_ to identify all unauthenticated entry points.

grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/wp-lister-for-ebay/

Step 2: Extract Nonce

If a nonce is required, identify where it is localized.
Example: If WPL_Admin enqueues a script:

  1. Create a post: wp post create --post_type=page --post_status=publish --post_content='[wplister]' (if shortcode exists) or just visit the home page.
  2. Navigate to the page using browser_navigate.
  3. Extract: nonce = browser_eval("wpl_lite_vars.ajax_nonce").

Step 3: Send Malicious Request

Using the http_request tool:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=wpl_dismiss_notice&id=ebay_token_expiration&security=[NONCE]
    
    (Note: Replace id and security parameter names based on the grep results in Step 1)

6. Test Data Setup

  1. Install Plugin: Ensure WP-Lister Lite for eBay 3.8.5 is installed and active.
  2. Generate a Notice: Ensure there is a dismissible notice or pointer in the database (or just try to create the 'dismissed' option).
  3. Identify Target Option: Find the naming convention for dismissed notices (e.g., wpl_notice_dismissed_%s).

7. Expected Results

  • Response: The server returns a 200 OK or success: true (JSON).
  • Effect: A specific WordPress option or user meta entry is created or updated, indicating the action was performed.

8. Verification Steps

After the exploit, use wp-cli to verify the state change:

# Check if the "dismissed" option was created
wp option get wpl_notice_dismissed_ebay_token_expiration

If the command returns true or 1 and was not set before, the exploit is successful.

9. Alternative Approaches

If wpl_dismiss_notice is not the vulnerable action, search for:

  1. wpl_rebuild_cache: Attempt to clear the plugin's internal cache.
  2. wpl_hide_pointer: Similar to dismissing notices.
  3. Check includes/WPL_Ajax.php for any function registered with add_action( 'wp_ajax_nopriv_...', ... ) that lacks a current_user_can check.

Grep for Sinks:

# Find AJAX handlers that use update_option or delete_option
grep -rnE "update_option|delete_option|update_site_option" /var/www/html/wp-content/plugins/wp-lister-for-ebay/ | grep -v "test"
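
The source review described in item 3 above, taken one step past grep, as an added example (not code from the plugin or from this plan): it pairs each wp_ajax_* registration with its callback body and reports handlers that write state without a current_user_can() call. The PHP sample is constructed from the plan's inferred names; the nonce action wpl_ajax and the option wpl_pointer_hidden are made up.

```python
import re

# Constructed PHP sample (not the plugin's real source): the first handler follows
# the plan's inferred trace, the second adds the nonce and capability checks.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_nopriv_wpl_dismiss_notice', 'wpl_dismiss_notice' );
add_action( 'wp_ajax_wpl_hide_pointer', array( $this, 'hide_pointer' ) );
function wpl_dismiss_notice() {
    update_option( 'wpl_dismissed_' . sanitize_key( $_POST['id'] ), true );
}
function hide_pointer() {
    check_ajax_referer( 'wpl_ajax', 'security' );  // nonce action name is made up
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }
    update_option( 'wpl_pointer_hidden', true );
}
"""

HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*(.+?)\)\s*;")
SINKS = ("update_option", "delete_option", "update_site_option", "delete_transient")

def function_body(src, name):
    """Return the brace-balanced body of `function <name>(...)`, or '' if not found."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src) if name else None
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Describe every wp_ajax_* hook: reachability, checks performed, state-changing sinks."""
    findings = []
    for nopriv, action, callback in HOOK.findall(src):
        names = re.findall(r"['\"](\w+)['\"]", callback)  # last quoted token is the method
        body = function_body(src, names[-1] if names else "")
        findings.append({
            "action": action,
            "unauthenticated": bool(nopriv),
            "capability_check": bool(re.search(r"current_user_can\s*\(", body)),
            "nonce_check": bool(re.search(r"check_ajax_referer|wp_verify_nonce", body)),
            "sinks": [s for s in SINKS if re.search(s + r"\s*\(", body)],
        })
    return findings

def missing_authorization(src):
    """Actions whose handler writes state without any current_user_can() check."""
    return [f["action"] for f in audit(src) if f["sinks"] and not f["capability_check"]]
```

A callback defined in a different file resolves to an empty body and is not flagged, so concatenate the plugin's PHP sources before passing them to missing_authorization().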

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP-Lister Lite for eBay plugin for WordPress is vulnerable to unauthorized action execution due to missing capability checks in its AJAX handlers. Unauthenticated attackers can exploit this by sending requests to the admin-ajax.php endpoint to trigger functions intended for administrators, such as dismissing plugin notices or pointers.

Exploit Outline

  1. Identify the unauthenticated AJAX action, such as wpl_dismiss_notice, which is registered via wp_ajax_nopriv_ hooks in the plugin code.
  2. Extract the required AJAX nonce if the handler implements check_ajax_referer; this is typically found localized in the plugin's frontend scripts under variables such as wpl_lite_vars or wpl_ajax_obj.
  3. Send a POST request to /wp-admin/admin-ajax.php with the action parameter set to the target function and the necessary identifiers (e.g., id or notice_id for the item to be dismissed).
  4. The server processes the request and updates plugin-related options (e.g., via update_option) without verifying the user's administrative privileges.
