CVE-2026-27073

Addi – Cuotas que se adaptan a ti <= 2.0.4 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Addi – Cuotas que se adaptan a ti plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.4
PublishedMarch 10, 2026
Last updatedMarch 19, 2026
Affected pluginbuy-now-pay-later-addi
Research Plan
Unverified

This exploitation research plan targets CVE-2026-27073, a Missing Authorization vulnerability in the "Addi – Cuotas que se adaptan a ti" plugin (version <= 2.0.4). ### 1. Vulnerability Summary The Addi plugin for WordPress fails to implement proper authorization checks (capability checks) on one or…

Show full research plan

This exploitation research plan targets CVE-2026-27073, a Missing Authorization vulnerability in the "Addi – Cuotas que se adaptan a ti" plugin (version <= 2.0.4).

1. Vulnerability Summary

The Addi plugin for WordPress fails to implement proper authorization checks (capability checks) on one or more AJAX handlers. Specifically, the plugin registers a function via wp_ajax_nopriv_ (or fails to check permissions in a wp_ajax_ handler) that allows unauthenticated users to modify plugin configurations or perform sensitive administrative actions. The vulnerability resides in the lack of current_user_can('manage_options') and potentially missing or incorrectly implemented nonce verification.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: addi_save_settings or addi_update_configuration (inferred)
  • Method: POST
  • Authentication: Unauthenticated (leveraging wp_ajax_nopriv_ registration)
  • Payload Parameters:
    • action: The vulnerable AJAX action name.
    • security or _wpnonce: The nonce (if required).
    • Configuration parameters (e.g., addi_client_id, addi_secret_key, addi_ally_slug).
  • Preconditions: The plugin must be active. If a nonce is required, it must be retrievable from the public frontend (e.g., product or checkout pages).

3. Code Flow (Inferred)

  1. Entry Point: An HTTP POST request is sent to admin-ajax.php.
  2. Hook Registration: The plugin registers the action:
    add_action('wp_ajax_nopriv_addi_save_settings', 'addi_save_settings_callback'); (inferred)
  3. Callback Execution: The addi_save_settings_callback function is invoked.
  4. Vulnerable Sink: Inside the callback, the code likely uses update_option() or update_woocommerce_option() to save settings directly from $_POST without calling current_user_can().
  5. Persistence: The malicious settings are saved to the database, affecting all subsequent BNPL transactions.

4. Nonce Acquisition Strategy

If the plugin requires a nonce for the vulnerable action, it is likely exposed to facilitate frontend installment calculations on product or checkout pages.

  1. Identify Trigger: The Addi plugin typically displays installment information on WooCommerce product pages. This functionality often relies on AJAX and requires a nonce.
  2. Locate Script: Look for wp_localize_script in the source code or browser console. The localization object is often named addi_vars, addi_params, or addi_data (inferred).
  3. Extraction:
    • Navigate to a product page using browser_navigate.
    • Execute browser_eval to find the nonce:
      // Check for common localization objects
      window.addi_params?.nonce || window.addi_vars?.security || window.addi_data?.ajax_nonce
      
  4. Bypass Check: If the nonce action in wp_create_nonce (used for frontend) matches the action string in check_ajax_referer (used for the vulnerable settings update), the frontend nonce can be used to authorize the attack.

5. Exploitation Strategy

The goal is to modify the Addi API credentials to redirect payment flows or disable the service.

Step 1: Discover the Exact Action and Nonce Key
Use the grep tool to find the registration:

grep -r "wp_ajax_nopriv" .

Verify the callback function for missing current_user_can calls.

Step 2: Setup Test Page
If a nonce is needed, ensure the Addi widget is active on a product page.

# Verify Addi settings in WooCommerce
wp option get woocommerce_addi_settings

Step 3: Perform the Exploit (Request via http_request)
Construct the POST request to admin-ajax.php.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=addi_save_settings&addi_client_id=attacker_id&addi_client_secret=attacker_secret&security=[EXTRACTED_NONCE]
    
    (Note: Parameter names like addi_client_id are inferred and should be verified via grep in Step 1).

6. Test Data Setup

  1. Install/Activate: Ensure WooCommerce and the Addi plugin are active.
  2. Configure Addi: Set dummy valid-looking credentials via WP-CLI to provide a baseline:
    wp option update woocommerce_addi_settings '{"client_id":"original_id","client_secret":"original_secret","ally_slug":"original_slug"}' --format=json
    
  3. Public Page: Create a dummy product to ensure the Addi frontend scripts load:
    wp post create --post_type=product --post_title="Test Product" --post_status=publish
    

7. Expected Results

  • Response: The server should return a 200 OK or a JSON success message (e.g., {"success":true}).
  • Database Change: The woocommerce_addi_settings option (or similar) should now contain the attacker-supplied values.
  • Access: This modification was performed without any Cookie or Authorization headers.

8. Verification Steps

After the exploit, verify the integrity of the settings using WP-CLI:

# Check if the settings were overwritten
wp option get woocommerce_addi_settings --format=json

Verify that the client_id or client_secret matches the "attacker" values used in the payload.

9. Alternative Approaches

  • Init/Loaded Hook: If no wp_ajax_nopriv is found, check for functions hooked to init or wp_loaded that check for a specific $_GET['addi_action'] parameter.
  • Missing Nonce: Attempt the exploit without the security parameter. If the response is still successful, the plugin completely lacks CSRF/Nonce protection.
  • WooCommerce API: Check if the plugin registers a custom WooCommerce API endpoint (e.g., wc-api/addi_callback) that might handle configuration updates insecurely.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Addi – Cuotas que se adaptan a ti plugin for WordPress (<= 2.0.4) is vulnerable to unauthorized modification of settings due to missing capability checks and nonce verification in its AJAX handlers. Unauthenticated attackers can exploit this to change sensitive plugin configurations, such as API credentials, by sending a crafted request to the admin-ajax.php endpoint.

Exploit Outline

The exploit targets the `/wp-admin/admin-ajax.php` endpoint to perform unauthorized configuration changes. 1. Identify the Vulnerable Action: The attacker looks for AJAX actions registered via `wp_ajax_nopriv_` (such as `addi_save_settings` or `addi_update_configuration`) that handle the plugin's settings updates. 2. Nonce Acquisition: If the handler requires a nonce, the attacker navigates to a public-facing product page where the plugin typically displays installment information. They extract the nonce from the localized JavaScript objects (e.g., `window.addi_params.nonce`). 3. Payload Construction: The attacker crafts a POST request to `admin-ajax.php` with the vulnerable `action` and parameters representing the settings to be changed (e.g., `addi_client_id`, `addi_secret_key`). 4. Execution: No authentication is required. The attacker sends the request, and the plugin updates the `woocommerce_addi_settings` option in the database without verifying the user's administrative capabilities. 5. Impact: This allows the attacker to redirect Buy Now Pay Later (BNPL) payment flows or disable the service.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.