How a CORS Flaw Chains Into RCE on WordPress
Misconfigured CORS headers in WordPress plugins can chain with CSRF and file upload flaws into full RCE. A technical breakdown for bug bounty researchers.
This piece examines three real WordPress vulnerability chains discovered and patched during 2024-2025 bug bounty engagements, showing how a misconfigured CORS policy escalates into full Remote Code Execution when combined with CSRF, privilege escalation, or nonce leakage. The root cause lies in plugins that reflect the Origin header into Access-Control-Allow-Origin while also setting Access-Control-Allow-Credentials: true on admin-ajax.php, letting any external site make authenticated, cookie-carrying requests against a victim's WordPress session.
In the first documented chain, an attacker leverages the CORS flaw to read a time-limited but predictable WordPress nonce cross-origin, then uses that nonce to upload a PHP webshell disguised inside a JPEG file through a plugin's file upload AJAX action. The article also catalogs common upload validation bypasses — double extensions, null bytes, .htaccess overrides, and content-type spoofing — that let malicious files execute as PHP despite basic filtering.
For engineers, the takeaway is structural: WordPress's plugin architecture, where every extension can register its own AJAX endpoints and CORS logic, makes this bug class endemic rather than incidental. Security teams are urged to treat permissive CORS headers not as a minor data-leak risk but as a critical attack surface once combined with authentication and file-handling logic.