• Plugin Version: 2.0.0 – 2.0.1

    Severity: Medium (CVSS 4.3)

    Reference: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/vgw-metis/vg-wort-metis-200-missing-authorization

    Description:
    The VG Wort METIS plugin is vulnerable to unauthorized access due to missing capability checks in multiple AJAX handlers. While the plugin correctly implements nonce verification, this only confirms that the request originated from a logged-in user’s session – it does not verify whether that user has the appropriate permissions to perform the requested action.

    This means any authenticated WordPress user (including subscribers) could potentially:

    • Assign or remove pixels from posts
    • Manage participant data
    • Access pixel validation endpoints

    Affected Functions:

    • assign_pixel_to_post_ajax() in includes/actions/assign_pixel.php
    • remove_pixel_from_post_ajax() in includes/actions/remove_pixel.php
    • manually_assign_pixel_to_post_ajax() in includes/actions/manualy_assign_pixel.php
    • metabox_check_validity_and_ownership() in includes/actions/check_validity_and_ownership.php
    • get_posts_count() in includes/actions/get_posts_count.php
    • participant_save() in admin/page_participants.php
    • participant_delete() in admin/page_participants.php
    • manual_assign_pixel_action() in classes/metabox.php
    • is_valid_and_ownership_check() in classes/metabox.php
    • automatic_assign_pixel_action() in classes/metabox.php

    Fix:
    Add current_user_can() capability checks at the beginning of each AJAX handler, before any other logic is executed.

    For pixel-related operations (requires edit_posts capability):

    function assign_pixel_to_post_ajax() {
        // SECURITY FIX: Check user capability (CVE-2024 Missing Authorization)
        if ( ! current_user_can( 'edit_posts' ) ) {
            wp_send_json_error( array( 'message' => 'Keine Berechtigung für diese Aktion.' ) );
            return;
        }
        
        // ... existing code ...
    }
    

    For administrative operations like participant management (requires manage_options capability):

    public function participant_save(): void {
        // Security: Verify nonce
        if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'participant_save_nonce' ) ) {
            wp_die( 'Security check failed' );
        }
    
        // SECURITY FIX: Check user capability (CVE-2024 Missing Authorization)
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'Keine Berechtigung für diese Aktion.' );
            return;
        }
        
        // ... existing code ...
    }
    

    Important: The capability check must be placed before the nonce verification or immediately after it, but always before any business logic is executed.

    Files requiring modification:

    1. includes/actions/assign_pixel.php – add edit_posts check
    2. includes/actions/remove_pixel.php – add edit_posts check
    3. includes/actions/manualy_assign_pixel.php – add edit_posts check
    4. includes/actions/check_validity_and_ownership.php – add edit_posts check
    5. includes/actions/get_posts_count.php – add edit_posts check
    6. admin/page_participants.php – add manage_options check to both participant_save() and participant_delete()
    7. classes/metabox.php – add edit_posts check to manual_assign_pixel_action(), is_valid_and_ownership_check(), and automatic_assign_pixel_action()
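    As an added illustration of the fix described above (not code from the VG Wort METIS plugin or from the post's author), here is one complete AJAX handler written in the recommended order: nonce verification, then a capability check, and only then the business logic. It goes one step beyond the post by also checking the per-post meta capability edit_post, which denies a Contributor acting on another author's post where the role-level edit_posts check alone would allow it. All names prefixed vgw_demo_, the hook name and the nonce action are assumptions; the WordPress functions are stubbed only so the file runs from the command line outside WordPress.

```php
<?php
/**
 * Added example (not code from the VG Wort METIS plugin or from the thread's
 * author): one AJAX handler built the way the post above recommends, with the
 * nonce check and the capability check both running before any business logic.
 * All names prefixed "vgw_demo_" and the nonce action are hypothetical.
 */

// Stubs so the file also runs outside WordPress (php hardened_handler.php).
// Inside WordPress the real functions exist and these definitions are skipped.
if ( ! function_exists( 'current_user_can' ) ) {
    function current_user_can( string $capability, ...$args ): bool {
        // Constructed identity: the capabilities granted to the "current user".
        // Real WordPress resolves the 'edit_post' meta capability against the
        // post's author and status; this stub only checks the list.
        return in_array( $capability, $GLOBALS['vgw_demo_caps'], true );
    }
}
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action = -1 ) {
        // Constructed nonce check: accept one known token for the demo.
        return 'demo-valid-nonce' === $nonce ? 1 : false;
    }
}
if ( ! function_exists( 'wp_send_json_error' ) ) {
    function wp_send_json_error( $data = null ): void {
        echo json_encode( array( 'success' => false, 'data' => $data ) ), PHP_EOL;
    }
}
if ( ! function_exists( 'wp_send_json_success' ) ) {
    function wp_send_json_success( $data = null ): void {
        echo json_encode( array( 'success' => true, 'data' => $data ) ), PHP_EOL;
    }
}

/**
 * Authorization decision kept apart from the output functions so it can be
 * unit-tested. Returns null when the request may proceed, else an error message.
 */
function vgw_demo_authorize_pixel_request( array $request ): ?string {
    // 1. Nonce: only proves the request came from a page rendered for this
    //    session (CSRF protection). Any logged-in user, a subscriber included,
    //    can obtain a valid nonce, so this is not an authorization check.
    if ( ! wp_verify_nonce( $request['_wpnonce'] ?? '', 'vgw_demo_pixel_nonce' ) ) {
        return 'Security check failed';
    }

    // 2. Role-level capability, as the post recommends for pixel operations.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return 'Keine Berechtigung für diese Aktion.';
    }

    // 3. Object-level capability: 'edit_post' is WordPress's per-post meta
    //    capability. It denies a Contributor working on another author's post,
    //    which the role-level 'edit_posts' check alone would let through.
    $post_id = (int) ( $request['post_id'] ?? 0 );
    if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
        return 'Keine Berechtigung für diesen Beitrag.';
    }

    return null; // authorized
}

function vgw_demo_assign_pixel_ajax(): void {
    $error = vgw_demo_authorize_pixel_request( $_REQUEST );
    if ( null !== $error ) {
        wp_send_json_error( array( 'message' => $error ) );
        return;
    }
    // Business logic (assigning the pixel) runs only past this point.
    wp_send_json_success( array( 'post_id' => (int) $_REQUEST['post_id'] ) );
}

// Only the authenticated hook is registered; there is no 'wp_ajax_nopriv_'
// variant, so logged-out visitors cannot reach the handler at all.
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_vgw_demo_assign_pixel', 'vgw_demo_assign_pixel_ajax' );
}

// Demo run with constructed requests when executed from the command line.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $cases = array(
        'subscriber, valid nonce' => array( array( 'read' ), 'demo-valid-nonce' ),
        'editor, stale nonce'     => array( array( 'read', 'edit_posts', 'edit_post' ), 'stale' ),
        'editor, valid nonce'     => array( array( 'read', 'edit_posts', 'edit_post' ), 'demo-valid-nonce' ),
    );
    foreach ( $cases as $label => list( $caps, $nonce ) ) {
        $GLOBALS['vgw_demo_caps'] = $caps;
        $_REQUEST                 = array( '_wpnonce' => $nonce, 'post_id' => 42 );
        echo $label, ': ';
        vgw_demo_assign_pixel_ajax();
    }
}
```

    Run from the command line, the first case is rejected at the capability check despite its valid nonce, the second at the nonce check, and only the third reaches the success branch. The decision function returns a value instead of calling wp_die(), so it can be covered by a plain unit test; in WordPress itself wp_send_json_error() terminates the request, so the trailing return is defensive, matching the snippets above.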
Viewing 4 replies - 1 through 4 (of 4 total)
  • justhere1319

    (@justmark1319)

    You seem very capable of finding solutions. Well done! I have a specific error whereby posts that have already been reported are still in the ‘Create a notice to TOM’ list, while many that could be reported are not shown, which makes one-click reporting impossible. There is a massive difference between the plugin and TOM.

    Could you find a solution? THX

    ldecher

    (@ldecher)

    Is this something the enduser can fix? Or are these very detailed suggestions for the plugin developer?

    I was about to uninstall the plugin, because of the vulnerability issue. I’m guessing the AJAX files are on my shared server in the WordPress installation, but I’ve never visited that part of the internet.

    For one of my own projects, I resolved this issue in a personal repository until it is resolved in the official plugin. You can find the fix to this issue and others here: https://github.com/2ndkauboy/vgw-metis/releases/tag/2.x

    Just download the “Source code (zip)” and upload it to your WordPress installation, overwriting the current version. As soon as VG Wort releases a new version – hopefully including these fixes – you will be able to update to the new official version.

    Gerald Drißner

    (@geralddrissner)

    @kau-boy Thank you so much for that! It works very well.
