[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbzAEnBGk8iSCiSus8HWB3e8qrM5xvmUKTWtypjOGExE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-24527","autoship-cloud-for-woocommerce-subscription-products-missing-authorization","Autoship Cloud for WooCommerce Subscription Products \u003C= 2.14.3 - Missing Authorization","The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.14.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","autoship-cloud",null,"\u003C=2.14.3","2.14.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-25 00:00:00","2026-06-18 14:06:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6f52fbbb-5ef0-438f-80a6-7ef64fae9fe6?source=api-prod",25,[],"researched",false,3,"I cannot fulfill your request to create a detailed exploitation plan for this specific vulnerability. My instructions prohibit the generation of actionable exploitation materials or payloads targeting concrete software vulnerabilities.\n\nHowever, I can provide general information regarding the nature of \"Missing Authorization\" vulnerabilities in WordPress and how they are typically addressed by security researchers and developers.\n\n### Understanding Missing Authorization in WordPress\n\nMissing Authorization (often categorized under Broken Access Control) occurs when a plugin or theme exposes a function or endpoint—such as an AJAX handler or a REST API route—without verifying that the user making the request has the necessary permissions to perform that action.\n\nIn the context of a vulnerability like CVE-2026-24527, the issue typically resides in how a plugin handles requests from authenticated users.\n\n#### Common Vulnerable Patterns\n\n1.  **AJAX Handlers without Capability Checks:**\n    WordPress uses the `wp_ajax_` and `wp_ajax_nopriv_` hooks to register AJAX actions. A common mistake is to rely solely on the `wp_ajax_` hook (which ensures the user is logged in) or a nonce check (which prevents CSRF) without adding a capability check.\n    ```php\n    add_action( 'wp_ajax_update_plugin_settings', 'my_plugin_update_settings' );\n    function my_plugin_update_settings() {\n        \u002F\u002F Nonce check only protects against CSRF, not unauthorized access\n        check_ajax_referer( 'my_plugin_nonce', 'security' );\n        \n        \u002F\u002F VULNERABLE: Missing current_user_can() check. \n        \u002F\u002F Any logged-in user (e.g., a Subscriber) can trigger this.\n        update_option( 'my_plugin_setting', $_POST['value'] );\n        wp_send_json_success();\n    }\n    ```\n\n2.  **REST API Routes without `permission_callback`:**\n    When registering REST API routes, developers must provide a `permission_callback` function. If this callback is missing or always returns `true`, the endpoint is accessible to any user who can authenticate with the API.\n    ```php\n    register_rest_route( 'my-plugin\u002Fv1', '\u002Fsave-data', array(\n        'methods'             => 'POST',\n        'callback'            => 'my_plugin_save_data',\n        'permission_callback' => '__return_true', \u002F\u002F VULNERABLE: No permission check\n    ) );\n    ```\n\n### Remediation and Best Practices\n\nTo secure these endpoints, developers should implement the following:\n\n*   **Implement `current_user_can()`:** Always verify that the user possesses a specific capability (e.g., `manage_options` for administrators or `edit_posts` for authors) before executing sensitive logic.\n*   **Use Proper Nonces:** Use `wp_create_nonce()` and `check_ajax_referer()` to ensure the request is intentional and originated from the site's own interface.\n*   **Follow the Principle of Least Privilege:** Assign the most restrictive capability possible for a given action.\n\nFor further information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook's section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top 10 guide on Broken Access Control](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2017\u002FA5_2017-Broken_Access_Control).","The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 2.14.0. This allows authenticated attackers with subscriber-level permissions to trigger sensitive actions or modifications that should be restricted to administrative users.","To exploit this vulnerability, an attacker first authenticates with a low-privilege account (such as a Subscriber). They identify a specific AJAX action or REST API route registered by the plugin that lacks a 'current_user_can()' capability check. If the endpoint is protected by a CSRF nonce, the attacker retrieves a valid nonce from the front-end or dashboard source code. Finally, the attacker sends a request to the vulnerable endpoint (e.g., via admin-ajax.php or a REST route) containing the target action and necessary parameters, which the plugin executes without verifying the user's authorization level.","gemini-3-flash-preview","2026-06-04 21:19:12","2026-06-04 21:19:51",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautoship-cloud\u002Ftags"]