[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPfehvjpSAqXvfPR2MEW4jiV4koKiTNS7dzRBMFxB6jU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6372","accept-cryptocurrencies-with-plisio-missing-authorization","Accept Cryptocurrencies with Plisio \u003C= 2.0.6 - Missing Authorization","The Accept Cryptocurrencies with Plisio plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","plisio-payment-gateway-for-woocommerce",null,"\u003C=2.0.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-15 00:00:00","2026-04-21 14:46:46",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff4e15f70-e16f-4189-9cae-61b5853428fd?source=api-prod",[],"researched",false,3,"This research plan targets CVE-2026-6372, a Missing Authorization vulnerability in the \"Accept Cryptocurrencies with Plisio\" WordPress plugin (versions \u003C= 2.0.6). The vulnerability allows unauthenticated attackers to perform unauthorized actions by accessing specific AJAX handlers that lack proper capability checks.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (Insecure AJAX Handler).\n*   **Affected Plugin:** Accept Cryptocurrencies with Plisio (plisio-payment-gateway-for-woocommerce).\n*   **Affected Versions:** \u003C= 2.0.6.\n*   **Root Cause:** The plugin registers AJAX handlers using `wp_ajax_nopriv_` (for unauthenticated users) or `wp_ajax_` (for authenticated users) without verifying the user's permissions via `current_user_can()` inside the callback function.\n*   **Potential Impact:** Depending on the specific function, an attacker might be able to modify plugin settings, trigger outbound API requests (SSRF), or access sensitive configuration logs.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **HTTP Method:** `POST`.\n*   **Vulnerable Actions (Candidates):** \n    *   `plisio_test_setup` (Used for testing API connections).\n    *   `plisio_check_order_status` (Used for status polling).\n    *   `plisio_log` (Used for log management).\n*   **Payload Parameter:** `action` (required), plus function-specific parameters (e.g., `api_key`, `order_id`).\n*   **Preconditions:** The plugin must be active. A valid nonce may be required if `check_ajax_referer` is used, even if authorization is missing.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX action in its main class or admin class:\n    `add_action( 'wp_ajax_nopriv_plisio_test_setup', array( $this, 'plisio_test_setup' ) );`\n2.  **Callback:** The function `plisio_test_setup` is executed.\n3.  **Vulnerability:** The function starts with a nonce check (e.g., `check_ajax_referer( 'plisio_test_setup', 'nonce' )`) but fails to verify the caller's capability:\n    ```php\n    public function plisio_test_setup() {\n        \u002F\u002F check_ajax_referer('plisio_test_setup', 'nonce'); \u002F\u002F Nonce might be checked\n        \u002F\u002F MISSING: if (!current_user_can('manage_options')) wp_die();\n        \n        $api_key = $_POST['api_key']; \u002F\u002F User-controlled input\n        \u002F\u002F ... Logic to test the API key or update settings ...\n    }\n    ```\n4.  **Sink:** The unauthorized action is performed (e.g., updating an option or making a remote request).\n\n### 4. Nonce Acquisition Strategy\nIf the target action requires a nonce, it is typically localized in the frontend or admin scripts.\n\n1.  **Identify Shortcode\u002FPage:** Find where the plugin's scripts are enqueued. Check for shortcodes:\n    `grep -rn \"add_shortcode\" .`\n2.  **Setup Test Page:** Create a page that forces the plugin to load its JavaScript.\n    `wp post create --post_type=page --post_status=publish --post_title=\"Plisio Test\" --post_content=\"[plisio_payment_widget]\"` (Shortcode name is inferred; verify with grep).\n3.  **Extract Nonce via Browser:**\n    *   Navigate to the newly created page.\n    *   Check for localized script data using `browser_eval`.\n    *   **Common JS Objects for Plisio:** `plisio_params` or `plisio_admin_params`.\n    *   **Action:** `browser_eval(\"window.plisio_params?.nonce\")` or `browser_eval(\"window.plisio_admin_params?.test_setup_nonce\")`.\n\n### 5. Exploitation Strategy\nWe will attempt to trigger the `plisio_test_setup` action (or the identified vulnerable action) to verify the authorization bypass.\n\n**Step 1: Information Gathering**\n*   Run: `grep -r \"wp_ajax_nopriv_\" .` to find the exact unauthenticated action names.\n*   Check the callback functions for the absence of `current_user_can`.\n\n**Step 2: Nonce Extraction (If required)**\n*   Identify the nonce action string in the source (e.g., `check_ajax_referer( 'plisio_action', ... )`).\n*   Create a post with the plugin shortcode.\n*   Navigate and extract the nonce value.\n\n**Step 3: Execution**\n*   Send an unauthenticated request to `admin-ajax.php`.\n*   **Payload (Example for `plisio_test_setup`):**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=plisio_test_setup&nonce=[EXTRACTED_NONCE]&api_key=invalid_key_test\n    ```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `plisio-payment-gateway-for-woocommerce` version 2.0.6 is installed and active.\n2.  **Configure WooCommerce:** Basic WooCommerce setup might be required for the gateway to be \"active\".\n3.  **Public Page:** Create a page with the Plisio shortcode (to facilitate nonce extraction if needed).\n\n### 7. Expected Results\n*   **Success:** The server returns a response indicating the function was executed (e.g., a JSON response `{\"status\":\"error\",\"message\":\"Invalid API Key\"}` or similar), rather than a `403 Forbidden` or `0` (WordPress default for unauthorized AJAX).\n*   **Proof of Bypass:** If an unauthenticated user receives a functional response from an admin-only testing utility, authorization is missing.\n\n### 8. Verification Steps\n1.  **Check Logs:** If the action was `plisio_log`, check if the response contains system paths or sensitive transaction data.\n2.  **Check Options:** If the action updates settings, verify via WP-CLI:\n    `wp option get plisio_settings`\n3.  **Confirm Lack of Auth:** Verify that the same request fails if `current_user_can` is manually added to the source code as a temporary patch.\n\n### 9. Alternative Approaches\n*   **Blind Exploitation:** If no nonce is localized for anonymous users, check if the plugin uses a generic nonce (action `-1`) or if `check_ajax_referer` is called with `die=false`.\n*   **Subscriber-Level Access:** If no `nopriv` actions are found, check `wp_ajax_` actions. A Subscriber user can still access these if the `current_user_can` check is missing. Register a subscriber and use their cookies in the `http_request`.","The Accept Cryptocurrencies with Plisio plugin for WordPress fails to implement capability checks on its AJAX handlers, specifically the 'plisio_test_setup' and log-related functions. This allows unauthenticated or low-privileged attackers to execute administrative functions, such as testing API keys or viewing system logs, by sending requests to admin-ajax.php.","\u002F\u002F In the plugin's main class registration\nadd_action( 'wp_ajax_nopriv_plisio_test_setup', array( $this, 'plisio_test_setup' ) );\nadd_action( 'wp_ajax_plisio_test_setup', array( $this, 'plisio_test_setup' ) );\n\n---\n\n\u002F\u002F The callback function likely lacks a capability check\npublic function plisio_test_setup() {\n    \u002F\u002F Nonce might be present, but current_user_can() is missing\n    check_ajax_referer( 'plisio_test_setup', 'nonce' );\n\n    $api_key = $_POST['api_key'];\n    \u002F\u002F ... Logic to perform API requests or update settings ...\n    $response = $this->api->testConnection($api_key);\n    wp_send_json($response);\n}","--- a\u002Fplisio-payment-gateway-for-woocommerce.php\n+++ b\u002Fplisio-payment-gateway-for-woocommerce.php\n@@ -245,6 +245,10 @@\n     public function plisio_test_setup() {\n         check_ajax_referer( 'plisio_test_setup', 'nonce' );\n \n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );\n+        }\n+\n         $api_key = isset($_POST['api_key']) ? sanitize_text_field($_POST['api_key']) : '';\n         \u002F\u002F logic continued...","The exploit targets the AJAX endpoint of the WordPress site to execute administrative tasks without proper authorization. \n\n1. Target Endpoint: \u002Fwp-admin\u002Fadmin-ajax.php\n2. Method: POST\n3. Nonce Retrieval: The attacker first visits the frontend shop or a page where the plugin scripts are loaded to extract the 'plisio_test_setup' nonce from localized JavaScript variables (e.g., window.plisio_params).\n4. Payload: A POST request is sent with the 'action' parameter set to 'plisio_test_setup', the extracted 'nonce', and any required functional parameters like 'api_key'.\n5. Impact: The attacker can trigger outbound API requests to verify API keys or potentially manipulate settings depending on the specific handler targeted. If the 'nopriv' hook is used, no authentication is required; otherwise, a Subscriber-level account is sufficient.","gemini-3-flash-preview","2026-04-27 14:42:04","2026-04-27 14:42:32",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fplisio-payment-gateway-for-woocommerce\u002Ftags"]