WowRevenue <= 2.1.3 Authz Risk: Scanner and Fix Path
WowRevenue versions up to 2.1.3 can expose a high-risk path when authenticated low-privilege users can reach plugin installation or activation logic through AJAX handlers without strict capability checks. The practical fix is to enforce current_user_can('install_plugins') or current_user_can('activate_plugins') at handler entry and keep nonce checks as anti-CSRF only. I built a small scanner that flags this exact pattern in plugin source and returns a non-zero exit code for high-risk findings so teams can wire it into CI and release checks.
What was built
- A Python CLI scanner that checks:
- Version gate (
<= 2.1.3) wp_ajax_*handlers tied to install/activation APIs- Missing admin-level capability enforcement
- Version gate (
- A test suite with positive/negative cases
- A README with migration guidance and secure replacement pattern
Maintained plugin check before custom code
I checked maintained ecosystem options first. Broad vulnerability intelligence is covered by maintained products like WPScan and Wordfence feeds, but I did not find a maintained focused tool for this exact WowRevenue authorization anti-pattern in local source review workflows. Because that gap exists, this project provides a narrow scanner for build-time checks.
Deprecation and migration guidance
Treat this as a deprecated implementation pattern:
- Deprecated:
- Subscriber-reachable
wp_ajax_*handlers that can execute plugin install/activation flows.
- Subscriber-reachable
- Replacement:
- Require
install_pluginsoractivate_pluginscapability at handler entry. - Keep nonce verification, but do not use nonce as authorization.
- Split privileged and non-privileged actions into separate endpoints.
- Require
- Migration:
- Enumerate
wp_ajax_*handlers. - Flag handlers calling
Plugin_Upgrader,activate_plugin,plugins_api, or install helpers. - Add capability checks and explicit forbidden responses.
- Re-test with a subscriber account to confirm denial.
- Enumerate