WP-Safety
CVE-2026-6372

Accept Cryptocurrencies with Plisio <= 2.0.6 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Accept Cryptocurrencies with Plisio plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.6
PublishedApril 15, 2026
Last updatedApril 21, 2026
Affected pluginplisio-payment-gateway-for-woocommerce
Research Plan
Unverified

This research plan targets CVE-2026-6372, a Missing Authorization vulnerability in the "Accept Cryptocurrencies with Plisio" WordPress plugin (versions <= 2.0.6). The vulnerability allows unauthenticated attackers to perform unauthorized actions by accessing specific AJAX handlers that lack proper c…

Show full research plan

This research plan targets CVE-2026-6372, a Missing Authorization vulnerability in the "Accept Cryptocurrencies with Plisio" WordPress plugin (versions <= 2.0.6). The vulnerability allows unauthenticated attackers to perform unauthorized actions by accessing specific AJAX handlers that lack proper capability checks.

1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Insecure AJAX Handler).
  • Affected Plugin: Accept Cryptocurrencies with Plisio (plisio-payment-gateway-for-woocommerce).
  • Affected Versions: <= 2.0.6.
  • Root Cause: The plugin registers AJAX handlers using wp_ajax_nopriv_ (for unauthenticated users) or wp_ajax_ (for authenticated users) without verifying the user's permissions via current_user_can() inside the callback function.
  • Potential Impact: Depending on the specific function, an attacker might be able to modify plugin settings, trigger outbound API requests (SSRF), or access sensitive configuration logs.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php.
  • HTTP Method: POST.
  • Vulnerable Actions (Candidates):
    • plisio_test_setup (Used for testing API connections).
    • plisio_check_order_status (Used for status polling).
    • plisio_log (Used for log management).
  • Payload Parameter: action (required), plus function-specific parameters (e.g., api_key, order_id).
  • Preconditions: The plugin must be active. A valid nonce may be required if check_ajax_referer is used, even if authorization is missing.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX action in its main class or admin class:
    add_action( 'wp_ajax_nopriv_plisio_test_setup', array( $this, 'plisio_test_setup' ) );
  2. Callback: The function plisio_test_setup is executed.
  3. Vulnerability: The function starts with a nonce check (e.g., check_ajax_referer( 'plisio_test_setup', 'nonce' )) but fails to verify the caller's capability:
    public function plisio_test_setup() {
    // check_ajax_referer('plisio_test_setup', 'nonce'); // Nonce might be checked
    // MISSING: if (!current_user_can('manage_options')) wp_die();
    
    $api_key = $_POST['api_key']; // User-controlled input
    // ... Logic to test the API key or update settings ...
}
  4. Sink: The unauthorized action is performed (e.g., updating an option or making a remote request).

4. Nonce Acquisition Strategy

If the target action requires a nonce, it is typically localized in the frontend or admin scripts.

  1. Identify Shortcode/Page: Find where the plugin's scripts are enqueued. Check for shortcodes:
    grep -rn "add_shortcode" .
  2. Setup Test Page: Create a page that forces the plugin to load its JavaScript.
    wp post create --post_type=page --post_status=publish --post_title="Plisio Test" --post_content="[plisio_payment_widget]" (Shortcode name is inferred; verify with grep).
  3. Extract Nonce via Browser:
    • Navigate to the newly created page.
    • Check for localized script data using browser_eval.
    • Common JS Objects for Plisio: plisio_params or plisio_admin_params.
    • Action: browser_eval("window.plisio_params?.nonce") or browser_eval("window.plisio_admin_params?.test_setup_nonce").

5. Exploitation Strategy

We will attempt to trigger the plisio_test_setup action (or the identified vulnerable action) to verify the authorization bypass.

Step 1: Information Gathering

  • Run: grep -r "wp_ajax_nopriv_" . to find the exact unauthenticated action names.
  • Check the callback functions for the absence of current_user_can.

Step 2: Nonce Extraction (If required)

  • Identify the nonce action string in the source (e.g., check_ajax_referer( 'plisio_action', ... )).
  • Create a post with the plugin shortcode.
  • Navigate and extract the nonce value.

Step 3: Execution

  • Send an unauthenticated request to admin-ajax.php.
  • Payload (Example for plisio_test_setup):
    POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=plisio_test_setup&nonce=[EXTRACTED_NONCE]&api_key=invalid_key_test

6. Test Data Setup

  1. Install Plugin: Ensure plisio-payment-gateway-for-woocommerce version 2.0.6 is installed and active.
  2. Configure WooCommerce: Basic WooCommerce setup might be required for the gateway to be "active".
  3. Public Page: Create a page with the Plisio shortcode (to facilitate nonce extraction if needed).

7. Expected Results

  • Success: The server returns a response indicating the function was executed (e.g., a JSON response {"status":"error","message":"Invalid API Key"} or similar), rather than a 403 Forbidden or 0 (WordPress default for unauthorized AJAX).
  • Proof of Bypass: If an unauthenticated user receives a functional response from an admin-only testing utility, authorization is missing.

8. Verification Steps

  1. Check Logs: If the action was plisio_log, check if the response contains system paths or sensitive transaction data.
  2. Check Options: If the action updates settings, verify via WP-CLI:
    wp option get plisio_settings
  3. Confirm Lack of Auth: Verify that the same request fails if current_user_can is manually added to the source code as a temporary patch.

9. Alternative Approaches

  • Blind Exploitation: If no nonce is localized for anonymous users, check if the plugin uses a generic nonce (action -1) or if check_ajax_referer is called with die=false.
  • Subscriber-Level Access: If no nopriv actions are found, check wp_ajax_ actions. A Subscriber user can still access these if the current_user_can check is missing. Register a subscriber and use their cookies in the http_request.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Accept Cryptocurrencies with Plisio plugin for WordPress fails to implement capability checks on its AJAX handlers, specifically the 'plisio_test_setup' and log-related functions. This allows unauthenticated or low-privileged attackers to execute administrative functions, such as testing API keys or viewing system logs, by sending requests to admin-ajax.php.

Vulnerable Code

// In the plugin's main class registration
add_action( 'wp_ajax_nopriv_plisio_test_setup', array( $this, 'plisio_test_setup' ) );
add_action( 'wp_ajax_plisio_test_setup', array( $this, 'plisio_test_setup' ) );

---

// The callback function likely lacks a capability check
public function plisio_test_setup() {
    // Nonce might be present, but current_user_can() is missing
    check_ajax_referer( 'plisio_test_setup', 'nonce' );

    $api_key = $_POST['api_key'];
    // ... Logic to perform API requests or update settings ...
    $response = $this->api->testConnection($api_key);
    wp_send_json($response);
}

Security Fix

--- a/plisio-payment-gateway-for-woocommerce.php
+++ b/plisio-payment-gateway-for-woocommerce.php
@@ -245,6 +245,10 @@
     public function plisio_test_setup() {
         check_ajax_referer( 'plisio_test_setup', 'nonce' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
+        }
+
         $api_key = isset($_POST['api_key']) ? sanitize_text_field($_POST['api_key']) : '';
         // logic continued...

Exploit Outline

The exploit targets the AJAX endpoint of the WordPress site to execute administrative tasks without proper authorization. 1. Target Endpoint: /wp-admin/admin-ajax.php 2. Method: POST 3. Nonce Retrieval: The attacker first visits the frontend shop or a page where the plugin scripts are loaded to extract the 'plisio_test_setup' nonce from localized JavaScript variables (e.g., window.plisio_params). 4. Payload: A POST request is sent with the 'action' parameter set to 'plisio_test_setup', the extracted 'nonce', and any required functional parameters like 'api_key'. 5. Impact: The attacker can trigger outbound API requests to verify API keys or potentially manipulate settings depending on the specific handler targeted. If the 'nopriv' hook is used, no authentication is required; otherwise, a Subscriber-level account is sufficient.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4e15f70-e16f-4189-9cae-61b5853428fd?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database