AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 - Missing Authorization
Description
The AI Product Search for WooCommerce – Motive Commerce Search plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.38.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.38.2What Changed in the Fix
Changes introduced in v1.38.3
Source Code
WordPress.org SVNThis plan outlines the research and exploitation strategy for CVE-2026-42664, a Missing Authorization vulnerability in the "AI Product Search for WooCommerce – Motive Commerce Search" plugin. ### 1. Vulnerability Summary The vulnerability exists in the plugin's REST API implementation. Specifically…
Show full research plan
This plan outlines the research and exploitation strategy for CVE-2026-42664, a Missing Authorization vulnerability in the "AI Product Search for WooCommerce – Motive Commerce Search" plugin.
1. Vulnerability Summary
The vulnerability exists in the plugin's REST API implementation. Specifically, the endpoint responsible for regenerating the Motive search token lacks a proper capability check or a restrictive permission_callback. This allows unauthenticated users to trigger the regenerate-token action, which updates the plugin's internal authentication token, potentially disrupting the service or disconnecting the WooCommerce store from the Motive Commerce Search engine.
The vulnerability is anchored in the registration of the REST route within admin/class-motive-admin.php (inferred) and its invocation via the /motive/admin/regenerate-token route.
2. Attack Vector Analysis
- Endpoint:
?rest_route=/motive/admin/regenerate-token(or/wp-json/motive/admin/regenerate-token) - HTTP Method:
GET(as seen inadmin/partials/motive-admin-display.php) - Authentication: Unauthenticated (vulnerability is "Missing Authorization")
- Parameter: None required for the
GETrequest. - Preconditions: The plugin must be installed and active.
3. Code Flow
- Registration: The plugin initializes via
includes/class-motive.php. - Hooking: In
Motive::define_admin_hooks(), the plugin registers admin-specific functionality:$this->loader->add_action( 'rest_api_init', $plugin_admin, 'add_endpoints' ); - Route Definition: Inside
Motive_Admin::add_endpoints()(inadmin/class-motive-admin.php), a REST route is registered:- Namespace:
motive/admin - Route:
/regenerate-token permission_callback: Likely missing or set to__return_true.
- Namespace:
- Handler Execution: When the endpoint is hit, a callback function (e.g.,
regenerate_token) is executed. - Action: The handler generates a new token and updates the WordPress option defined by the constant
Motive\Woocommerce\Config::TOKEN.
4. Nonce Acquisition Strategy
The frontend JavaScript in admin/partials/motive-admin-display.php indicates that the request sends an X-WP-Nonce header:
headers: { 'X-WP-Nonce': nonce }
Where nonce is created for the action 'wp_rest'.
However, for "Missing Authorization" vulnerabilities in REST API GET endpoints, the WordPress REST API often does not strictly enforce the nonce check if the permission_callback is missing or returns true.
Plan:
- Attempt the exploit without a nonce first.
- If the request fails with a
rest_cookie_invalid_nonceor similar error, attempt to find awp_restnonce on the frontend. - Many plugins or themes (or even WooCommerce itself) localize the REST nonce for frontend scripts.
- Navigate to the homepage using
browser_navigate. - Use
browser_evalto search for common REST nonce locations:wpApiSettings.noncewc_cart_fragments_params.nonce(if WooCommerce is active)motive_public_params.nonce(checkMotive_Publiclocalization)
- Navigate to the homepage using
5. Exploitation Strategy
Step 1: Discover the Token Option Name
The token is stored in an option. We need to find the string value of the constant Motive\Woocommerce\Config::TOKEN.
- Action: Use
grep -r "const TOKEN" .inside the plugin directory.
Step 2: Baseline State
- Action: Check the current value of the token option using
wp_cli.
Step 3: Trigger Token Regeneration
- Action: Send an unauthenticated
GETrequest to the REST endpoint. - Tool:
http_request - URL:
http://localhost:8080/?rest_route=/motive/admin/regenerate-token - Headers: None (initially).
Step 4: Verification
- Action: Check the value of the token option again using
wp_cli. - Successful exploit: The token value has changed.
6. Test Data Setup
- Plugin Activation: Ensure
motive-commerce-searchis active. - Initial Configuration: The plugin might require a token to be present for the "regenerate" logic to fire. Set a dummy token if necessary:
wp option update [TOKEN_OPTION_NAME] "initial-dummy-token"
7. Expected Results
- The HTTP request to
?rest_route=/motive/admin/regenerate-tokenshould return a200 OKstatus and a JSON response. - The JSON response likely contains the new token or a success message (e.g.,
{"token": "new-random-string"}). - The database value for the Motive token option will be updated to a new value, confirming unauthenticated modification.
8. Verification Steps
- Pre-Exploit Check:
wp option get [TOKEN_OPTION_NAME] - Run Exploit: (See Step 3 in Exploitation Strategy)
- Post-Exploit Check:
Confirm the values differ.wp option get [TOKEN_OPTION_NAME]
9. Alternative Approaches
- Nonce Inclusion: If the request returns
403 Forbiddenwith a message about nonces, usebrowser_navigateto the homepage and search the page source/JS context for awp_restnonce. - Alternative Route Format: If
?rest_route=is blocked or not working, try the pretty permalink version:/wp-json/motive/admin/regenerate-token. - Header Variation: Some environments require the
X-HTTP-Method-Override: GETheader ifGETrequests are filtered, though unlikely here.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.