# CVE-2026-25456: Automated FedEx live/manual rates with shipping labels – HPOS supported <= 5.1.8 - Missing Authorization

## Record

- **Plugin slug:** `a2z-fedex-shipping`
- **URL slug:** `automated-fedex-livemanual-rates-with-shipping-labels-hpos-supported-missing-authorization`
- **Affected versions:** <= 5.1.8
- **Patched in version:** none recorded
- **Severity:** medium
- **CVSS score:** 5.3
- **CVSS vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
- **Vulnerability type:** Missing Authorization
- **Published:** 2026-03-17 00:00:00
- **Updated:** 2026-03-19 14:51:50
- **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/e9fac267-043b-47c3-b17e-9287fe4b8987?source=api-prod
- **Days to patch:** none recorded
- **Patch diff files / patch Trac URL:** none recorded
- **Source links:** type `plugin`; all tags at https://plugins.trac.wordpress.org/browser/a2z-fedex-shipping/tags (vulnerable/fixed version, browse and zip links: none recorded)

## Description

The Automated FedEx live/manual rates with shipping labels – HPOS supported plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

## Research

- **Research status:** researched
- **Research verified:** false
- **Research rounds completed:** 3
- **Research model used:** gemini-3-flash-preview
- **Research started at:** 2026-04-18 03:09:23
- **Research completed at:** 2026-04-18 03:09:44
- **Research error / vulnerable code / fix diff:** none recorded
- **PoC status, video, summary, steps, test dates, WP/PHP version, script, exploit code, model, verification depth:** none recorded (PoC has trace: false; exploit code gated: false)

### Research Plan: CVE-2026-25456 - Missing Authorization in Automated FedEx Shipping

#### 1. Vulnerability Summary
The **Automated FedEx live/manual rates with shipping labels – HPOS supported** plugin (<= 5.1.8) contains a missing authorization vulnerability. Specifically, an AJAX handler or an initialization hook fails to verify the user's capabilities (e.g., `current_user_can('manage_options')`) and nonces before executing sensitive actions. Given the CVSS vector (I:L - Integrity: Low), the vulnerability likely allows unauthenticated attackers to modify plugin settings, potentially altering shipping rates, API credentials, or FedEx account configurations.

#### 2. Attack Vector Analysis
- **Endpoint:** `wp-admin/admin-ajax.php`
- **Vulnerable Action:** `wp_ajax_nopriv_` registration for a function intended for admin use (inferred). Likely related to settings persistence or rate management.
- **Parameters:** A POST request containing an `action` parameter and various configuration keys.
- **Preconditions:** The plugin must be active. No authentication is required for `wp_ajax_nopriv_` actions.

#### 3. Code Flow
1. **Entry Point:** The attacker sends a POST request to `admin-ajax.php`.
2. **Hook Registration:** The plugin registers a handler via `add_action( 'wp_ajax_nopriv_[ACTION_NAME]', ... )` in a class constructor or an `init` hook.
3. **Execution:** `admin-ajax.php` triggers the callback function associated with the action.
4. **Vulnerable Sink:** The callback function performs an operation—such as `update_option()` or `update_post_meta()`—without calling `current_user_can()` or verifying a nonce.

#### 4. Nonce Acquisition Strategy
While many "Missing Authorization" vulnerabilities also lack nonce checks, some may still use `wp_verify_nonce()` but lack capability checks. If a nonce is required:

1. **Identify Script Localization:** Search for `wp_localize_script` in the codebase to find the JavaScript object name (e.g., `a2z_fedex_vars` or `fedex_shipping_params`).
2. **Find Script Enqueueing:** Identify where the scripts are enqueued (e.g., the FedEx settings page or the WooCommerce checkout/product pages).
3. **Create Landing Page:** If the scripts only load on product pages, create a dummy product:
   `wp post create --post_type=product --post_title="Test Product" --post_status=publish`
4. **Extract Nonce:**
   - Navigate to the product page or checkout page.
   - Use `browser_eval` to extract the nonce:
     `browser_eval("window.a2z_fedex_vars?.nonce")` (Replace `a2z_fedex_vars` with the actual identifier found in step 1).

#### 5. Exploitation Strategy
The goal is to modify a plugin setting (e.g., the FedEx Account ID) to demonstrate unauthorized integrity modification.

1. **Discovery:**
   - Search for `wp_ajax_nopriv` in the plugin directory:
     `grep -rn "wp_ajax_nopriv" .`
   - Focus on actions that involve saving, updating, or deleting (e.g., `a2z_fedex_save_settings`, `a2z_fedex_update_rates`).
2. **Payload Construction:**
   - Identify the option name used to store settings (e.g., `a2z_fedex_settings`).
   - Construct a POST request to `admin-ajax.php`.
3. **HTTP Request (via `http_request`):**
   - **Method:** POST
   - **URL:** `http://[TARGET]/wp-admin/admin-ajax.php`
   - **Headers:** `Content-Type: application/x-www-form-urlencoded`
   - **Body:** `action=[ACTION_NAME]&[SETTING_KEY]=[MALICIOUS_VALUE]&_ajax_nonce=[NONCE_IF_FOUND]`

#### 6. Test Data Setup
1. **Install Plugin:** Ensure `a2z-fedex-shipping` version <= 5.1.8 is installed.
2. **Check Default Settings:** Verify existing FedEx settings via CLI:
   `wp option get a2z_fedex_settings` (or similar inferred option name).
3. **WooCommerce Setup:** Since this is a shipping plugin, WooCommerce must be active:
   `wp plugin activate woocommerce`

#### 7. Expected Results
- The server returns a `200 OK` or a JSON success response (e.g., `{"success":true}`).
- The target WordPress option (the plugin settings) is updated with the attacker-controlled value.

#### 8. Verification Steps
1. **Verify Option Change:**
   `wp option get a2z_fedex_settings`
   Check if the value for the modified key matches the payload sent in the exploit.
2. **Admin UI Check:** Navigate to the plugin settings page in the WordPress dashboard and verify the settings reflect the change.

#### 9. Alternative Approaches
- **Rate Manipulation:** If the vulnerability is in a function that calculates rates, attempt to send a request that forces a $0 shipping rate or a fixed high rate to interfere with the checkout process.
- **REST API Check:** If no AJAX actions are found, search for `register_rest_route` with a `permission_callback` set to `__return_true` or missing entirely.
- **Init Hook Hijack:** Search for `isset($_POST['...'])` checks inside `admin_init` or `init` hooks that don't check for user privileges.

### Research Summary

The Automated FedEx live/manual rates with shipping labels plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on AJAX handlers or initialization hooks in versions up to and including 5.1.8. This allows unauthenticated attackers to perform administrative actions such as modifying plugin settings, shipping rates, or FedEx API configurations.

### Research Exploit Outline

1. Identify AJAX actions registered by the plugin using `wp_ajax_nopriv_` or `wp_ajax_` handlers that perform sensitive operations (e.g., saving settings) without calling `current_user_can()`.
2. If a nonce is required, locate where the plugin enqueues scripts using `wp_localize_script` to find the nonce identifier and extract it from the source of public pages like the checkout or product pages.
3. Construct a POST request to `/wp-admin/admin-ajax.php` including the vulnerable `action` parameter and malicious configuration data (e.g., modifying the FedEx Account ID or API keys).
4. Execute the request to modify the site's shipping configuration without authentication.