CVE-2026-42664

AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.38.3
Patched in
3d
Time to patch

Description

The AI Product Search for WooCommerce – Motive Commerce Search plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.38.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.38.2
PublishedMay 9, 2026
Last updatedMay 11, 2026
Affected pluginmotive-commerce-search

What Changed in the Fix

Changes introduced in v1.38.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the research and exploitation strategy for CVE-2026-42664, a Missing Authorization vulnerability in the "AI Product Search for WooCommerce – Motive Commerce Search" plugin. ### 1. Vulnerability Summary The vulnerability exists in the plugin's REST API implementation. Specifically…

Show full research plan

This plan outlines the research and exploitation strategy for CVE-2026-42664, a Missing Authorization vulnerability in the "AI Product Search for WooCommerce – Motive Commerce Search" plugin.

1. Vulnerability Summary

The vulnerability exists in the plugin's REST API implementation. Specifically, the endpoint responsible for regenerating the Motive search token lacks a proper capability check or a restrictive permission_callback. This allows unauthenticated users to trigger the regenerate-token action, which updates the plugin's internal authentication token, potentially disrupting the service or disconnecting the WooCommerce store from the Motive Commerce Search engine.

The vulnerability is anchored in the registration of the REST route within admin/class-motive-admin.php (inferred) and its invocation via the /motive/admin/regenerate-token route.

2. Attack Vector Analysis

  • Endpoint: ?rest_route=/motive/admin/regenerate-token (or /wp-json/motive/admin/regenerate-token)
  • HTTP Method: GET (as seen in admin/partials/motive-admin-display.php)
  • Authentication: Unauthenticated (vulnerability is "Missing Authorization")
  • Parameter: None required for the GET request.
  • Preconditions: The plugin must be installed and active.

3. Code Flow

  1. Registration: The plugin initializes via includes/class-motive.php.
  2. Hooking: In Motive::define_admin_hooks(), the plugin registers admin-specific functionality:
    $this->loader->add_action( 'rest_api_init', $plugin_admin, 'add_endpoints' );
    
  3. Route Definition: Inside Motive_Admin::add_endpoints() (in admin/class-motive-admin.php), a REST route is registered:
    • Namespace: motive/admin
    • Route: /regenerate-token
    • permission_callback: Likely missing or set to __return_true.
  4. Handler Execution: When the endpoint is hit, a callback function (e.g., regenerate_token) is executed.
  5. Action: The handler generates a new token and updates the WordPress option defined by the constant Motive\Woocommerce\Config::TOKEN.

4. Nonce Acquisition Strategy

The frontend JavaScript in admin/partials/motive-admin-display.php indicates that the request sends an X-WP-Nonce header:

headers: { 'X-WP-Nonce': nonce }

Where nonce is created for the action 'wp_rest'.

However, for "Missing Authorization" vulnerabilities in REST API GET endpoints, the WordPress REST API often does not strictly enforce the nonce check if the permission_callback is missing or returns true.

Plan:

  1. Attempt the exploit without a nonce first.
  2. If the request fails with a rest_cookie_invalid_nonce or similar error, attempt to find a wp_rest nonce on the frontend.
  3. Many plugins or themes (or even WooCommerce itself) localize the REST nonce for frontend scripts.
    • Navigate to the homepage using browser_navigate.
    • Use browser_eval to search for common REST nonce locations:
      • wpApiSettings.nonce
      • wc_cart_fragments_params.nonce (if WooCommerce is active)
      • motive_public_params.nonce (check Motive_Public localization)

5. Exploitation Strategy

Step 1: Discover the Token Option Name
The token is stored in an option. We need to find the string value of the constant Motive\Woocommerce\Config::TOKEN.

  • Action: Use grep -r "const TOKEN" . inside the plugin directory.

Step 2: Baseline State

  • Action: Check the current value of the token option using wp_cli.

Step 3: Trigger Token Regeneration

  • Action: Send an unauthenticated GET request to the REST endpoint.
  • Tool: http_request
  • URL: http://localhost:8080/?rest_route=/motive/admin/regenerate-token
  • Headers: None (initially).

Step 4: Verification

  • Action: Check the value of the token option again using wp_cli.
  • Successful exploit: The token value has changed.

6. Test Data Setup

  1. Plugin Activation: Ensure motive-commerce-search is active.
  2. Initial Configuration: The plugin might require a token to be present for the "regenerate" logic to fire. Set a dummy token if necessary:
    • wp option update [TOKEN_OPTION_NAME] "initial-dummy-token"

7. Expected Results

  • The HTTP request to ?rest_route=/motive/admin/regenerate-token should return a 200 OK status and a JSON response.
  • The JSON response likely contains the new token or a success message (e.g., {"token": "new-random-string"}).
  • The database value for the Motive token option will be updated to a new value, confirming unauthenticated modification.

8. Verification Steps

  1. Pre-Exploit Check:
    wp option get [TOKEN_OPTION_NAME]
    
  2. Run Exploit: (See Step 3 in Exploitation Strategy)
  3. Post-Exploit Check:
    wp option get [TOKEN_OPTION_NAME]
    
    Confirm the values differ.

9. Alternative Approaches

  • Nonce Inclusion: If the request returns 403 Forbidden with a message about nonces, use browser_navigate to the homepage and search the page source/JS context for a wp_rest nonce.
  • Alternative Route Format: If ?rest_route= is blocked or not working, try the pretty permalink version: /wp-json/motive/admin/regenerate-token.
  • Header Variation: Some environments require the X-HTTP-Method-Override: GET header if GET requests are filtered, though unlikely here.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.