[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fm2zMRPlFk8FdUyhLnO-N7Xlwnv0uX1HK8y0MMQq8u6w":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-27346","b2bking-ultimate-woocommerce-b2b-and-wholesale-plugin-wholesale-prices-bulk-order-form-more-missing-authorization","B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More \u003C 5.2.10 - Missing Authorization","The B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 5.2.10. This makes it possible for authenticated attackers, with shop manager-level access and above, to perform an unauthorized action.","b2bking-wholesale-for-woocommerce",null,"\u003C5.2.10","5.2.10","low",2.7,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-25 00:00:00","2026-05-26 19:11:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe05d9aec-5b17-4af8-8985-d4bb003f2d6f?source=api-prod",2,[22,23,24,25,26,27,28],"admin\u002Fassets\u002Fcss\u002Fadminglobal.css","admin\u002Fassets\u002Fcss\u002Fadminstyle.css","admin\u002Fassets\u002Fjs\u002Fadmin.js","admin\u002Fclass-b2bking-admin.php","b2bking.php","includes\u002Fclass-b2bking-global-helper.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-27346\n\n## 1. Vulnerability Summary\nThe **B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin** (versions \u003C 5.2.10) is vulnerable to **Missing Authorization**. Specifically, several AJAX functions registered in the `B2bkingcore_Admin` class (located in `admin\u002Fclass-b2bking-admin.php`) fail to perform capability checks (e.g., `current_user_can('manage_options')`). This allow authenticated users with roles such as **Shop Manager** to perform administrative actions, such as bulk-moving users into different B2B customer groups, which can lead to unauthorized price access or permission escalation within the B2B system.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action**: `b2bking_set_users_in_group` (derived from the tool's container ID in `adminstyle.css`) or `b2bking_set_users_in_bulk`.\n- **HTTP Method**: POST\n- **Authentication**: Authenticated, **Shop Manager** role (or any role that can access the WordPress admin but lacks B2BKing management privileges).\n- **Parameters**:\n  - `action`: `b2bking_set_users_in_group`\n  - `security`: A valid WordPress nonce for the action `b2bking_admin_nonce`.\n  - `users`: A single user ID or an array\u002Fcomma-separated list of user IDs to modify.\n  - `group`: The ID of the `b2bking_group` post type to assign users to.\n\n## 3. Code Flow\n1. **Registration**: In `admin\u002Fclass-b2bking-admin.php`, the plugin registers AJAX handlers during initialization (likely inside the `plugins_loaded` or `init` hook, or within the `B2bkingcore_Admin` constructor).\n2. **Hook**: `add_action('wp_ajax_b2bking_set_users_in_group', array($this, 'b2bking_set_users_in_group'))`.\n3. **Execution**: When a Shop Manager sends a POST request to `admin-ajax.php` with the specified action:\n   - The function `b2bking_set_users_in_group()` is called.\n   - It calls `check_ajax_referer('b2bking_admin_nonce', 'security')` to verify the nonce.\n   - **Vulnerability**: It fails to call `current_user_can('manage_options')`.\n   - It proceeds to iterate through the `users` parameter and updates their user meta (typically `b2bking_customer_group`) to match the `group` parameter.\n\n## 4. Nonce Acquisition Strategy\nThe B2BKing plugin localizes its admin data into a global JavaScript object named `b2bking`. The nonce is typically assigned to `b2bking.security`.\n\n### Strategy:\n1. **Identification**: The `admin\u002Fclass-b2bking-admin.php` registers panels for the Product Edit page (`woocommerce_product_data_panels`). Shop Managers have permission to edit products.\n2. **Setup**: The PoC agent should navigate to an existing product's edit page.\n3. **Extraction**:\n   - Navigate to `\u002Fwp-admin\u002Fpost.php?post=[PRODUCT_ID]&action=edit`.\n   - Use `browser_eval` to extract the nonce:\n     ```javascript\n     window.b2bking?.security || window.b2bking?.nonce\n     ```\n   - *Note*: If the Shop Manager cannot access the B2BKing Tools page directly, they can still obtain this nonce because the plugin enqueues its global admin scripts on all product pages to handle the \"B2BKing\" tab\u002Fpanel.\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan:\n1. **Login**: Authenticate as a **Shop Manager**.\n2. **Nonce Extraction**: Navigate to the product editor and extract `b2bking.security`.\n3. **Target Identification**: Identify a `b2bking_group` ID (can be listed via `wp post list --post_type=b2bking_group`) and a target User ID (e.g., the Shop Manager's own ID to gain discounts).\n4. **Execution**: Send a POST request to `admin-ajax.php`.\n\n### Request Details:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: POST\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=b2bking_set_users_in_group&security=[NONCE]&users=[USER_ID]&group=[GROUP_ID]\n  ```\n\n## 6. Test Data Setup\n1. **Create Group**: `wp post create --post_type=b2bking_group --post_title=\"VIP Wholesale\" --post_status=publish`\n   - *Note the ID of this group.*\n2. **Create Shop Manager**: `wp user create shopmanager shopmanager@example.com --role=shop_manager --user_pass=password`\n3. **Create Target User**: `wp user create victim victim@example.com --role=subscriber`\n   - *Note the ID of this user.*\n4. **Verify Plugin State**: Ensure B2BKing is active and a product exists for the Shop Manager to visit.\n\n## 7. Expected Results\n- **Success Response**: The server returns a success message (often `1`, or a JSON object like `{\"success\": true}`).\n- **Effect**: The user meta for the target user is updated.\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to verify the metadata change:\n```bash\n# Check if the victim user is now assigned to the group\nwp user meta get [VICTIM_USER_ID] b2bking_customer_group\n```\nThe output should match the `GROUP_ID` used in the exploit.\n\n## 9. Alternative Approaches\nIf `b2bking_set_users_in_group` is not the exact action name:\n- **Examine CSS**: Check `admin\u002Fassets\u002Fcss\u002Fadminstyle.css` for other tool IDs (e.g., `b2bking_set_category_in_bulk`).\n- **Scan AJAX Actions**: Look for any `wp_ajax_` registration in `admin\u002Fclass-b2bking-admin.php` that involves \"save\", \"update\", or \"set\".\n- **Check for Export Vulnerability**: Try `action=b2bking_download_products` (referenced by ID `b2bking_download_products_button` in CSS) to see if a Shop Manager can trigger a CSV export of wholesale data they shouldn't see.","The B2BKing plugin for WordPress is vulnerable to a missing authorization check on its administrative AJAX functions. This allows authenticated attackers with Shop Manager privileges to perform unauthorized actions, such as bulk-moving users into B2B customer groups, which can lead to unauthorized access to wholesale pricing or permissions.","\u002F\u002F admin\u002Fclass-b2bking-admin.php\n\n\u002F\u002F The plugin registers several AJAX actions intended for administrative use\n\u002F\u002F but fails to verify if the requesting user has the 'manage_options' or 'manage_woocommerce' capability.\n\nadd_action('wp_ajax_b2bking_set_users_in_group', array($this, 'b2bking_set_users_in_group'));\n\n---\n\n\u002F\u002F In admin\u002Fclass-b2bking-admin.php (inferred location based on admin tool registration)\npublic function b2bking_set_users_in_group() {\n    \u002F\u002F Verify the nonce provided in the request\n    check_ajax_referer('b2bking_admin_nonce', 'security');\n\n    \u002F\u002F VULNERABILITY: No check for current_user_can('manage_options') or similar admin capability\n\n    $users = isset($_POST['users']) ? sanitize_text_field($_POST['users']) : '';\n    $group = isset($_POST['group']) ? sanitize_text_field($_POST['group']) : '';\n\n    \u002F\u002F Proceed to modify user metadata based on input\n    if (!empty($users) && !empty($group)) {\n        \u002F\u002F ... logic to update b2bking_customer_group meta ...\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.00\u002Fadmin\u002Fassets\u002Fcss\u002Fadminglobal.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.10\u002Fadmin\u002Fassets\u002Fcss\u002Fadminglobal.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.00\u002Fadmin\u002Fassets\u002Fcss\u002Fadminglobal.css\t2026-04-05 22:45:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.10\u002Fadmin\u002Fassets\u002Fcss\u002Fadminglobal.css\t2026-05-10 17:23:52.000000000 +0000\n@@ -4096,12 +4096,14 @@\n     min-width: 65px;\n }\n .approval_badge.active{\n-    background: rgba(40, 167, 69, 0.1) !important;\n-    color: #28a745 !important;\n+    background: #f4f6f5 !important;\n+    border: 1px solid #e5e9e7 !important;\n+    color: #5d7466 !important;\n }\n .approval_badge.pending{\n-    background: rgba(255, 193, 7, 0.1) !important;\n-    color: #ffc107 !important;\n+    background: #fff8e5 !important;\n+    border: 1px solid #f2dfad !important;\n+    color: #9a6a00 !important;\n     cursor: pointer;\n     position: relative;\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.00\u002Fadmin\u002Fassets\u002Fcss\u002Fadminstyle.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.10\u002Fadmin\u002Fassets\u002Fcss\u002Fadminstyle.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.00\u002Fadmin\u002Fassets\u002Fcss\u002Fadminstyle.css\t2026-05-10 17:27:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.10\u002Fadmin\u002Fassets\u002Fcss\u002Fadminstyle.css\t2026-05-10 17:23:52.000000000 +0000\n@@ -31,6 +31,9 @@\n #b2bking_admin_form .checkbox input{\n \tmargin:0;\n }\n+.b2bking_settings_saved_swal_title {\n+    font-size: 16px !important;\n+}\n .b2bking_button_color_gold.b2bking_button_color_gold_main button{\n   background: radial-gradient(141.77% 141.08% at 100.26% 99.25%, #cd4f72 0%, #e59a45 100%) !important;\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.00\u002Fadmin\u002Fassets\u002Fjs\u002Fadmin.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.10\u002Fadmin\u002Fassets\u002Fjs\u002Fadmin.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.00\u002Fadmin\u002Fassets\u002Fjs\u002Fadmin.js\t2026-04-05 22:45:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.10\u002Fadmin\u002Fassets\u002Fjs\u002Fadmin.js\t2026-05-10 17:23:52.000000000 +0000\n@@ -45,13 +45,40 @@\n \t\t    $(this).closest('.message').transition('fade');\n \t\t});\n \n+\t\tvar settingsSavedNoticeKey = 'b2bking_settings_saved_notice';\n+\n \t\t\u002F\u002F On Submit (Save Settings), Get Current Tab and Pass The Tab as a Setting. \n \t\t$('#b2bking_admin_form').on('submit', function() {\n \t\t\tlet tabInput = document.querySelector('#b2bking_current_tab_setting_input');\n \t\t    tabInput.value = document.querySelector('.item.active').dataset.tab;\n+\t\t    sessionStorage.setItem(settingsSavedNoticeKey, '1');\n \t\t    return true; \n \t\t});\n \n+\t\tconst urlParams = new URLSearchParams(window.location.search);\n+\t\tif ((urlParams.get('settings-updated') === 'true' || sessionStorage.getItem(settingsSavedNoticeKey) === '1') && typeof Swal !== 'undefined'){\n+\t\t\tsessionStorage.removeItem(settingsSavedNoticeKey);\n+\t\t\tconst Toast = Swal.mixin({\n+\t\t\t  toast: true,\n+\t\t\t  position: 'bottom-end',\n+\t\t\t  showConfirmButton: false,\n+\t\t\t  timer: 1000,\n+\t\t\t  timerProgressBar: false,\n+\t\t\t  customClass: {\n+\t\t\t    title: 'b2bking_settings_saved_swal_title'\n+\t\t\t  },\n+\t\t\t  didOpen: (toast) => {\n+\t\t\t    toast.addEventListener('mouseenter', Swal.stopTimer)\n+\t\t\t    toast.addEventListener('mouseleave', Swal.resumeTimer)\n+\t\t\t  }\n+\t\t\t})\n+\n+\t\t\tToast.fire({\n+\t\t\t  icon: 'success',\n+\t\t\t  title: b2bking.settings_saved_successfully\n+\t\t\t});\n+\t\t}\n+\n \t\t\n \n \t});\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.00\u002Fadmin\u002Fclass-b2bking-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.10\u002Fadmin\u002Fclass-b2bking-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.00\u002Fadmin\u002Fclass-b2bking-admin.php\t2026-04-05 22:45:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb2bking-wholesale-for-woocommerce\u002F5.2.10\u002Fadmin\u002Fclass-b2bking-admin.php\t2026-05-10 17:23:52.000000000 +0000\n@@ -8132,6 +8132,7 @@\n \t\t\t    'groupspage' => admin_url( 'admin.php?page=b2bking_groups'),\n \t\t\t    'saving'\t=> esc_html__('Saving...','b2bking'),\n \t\t\t    'settings_saved' => esc_html__('Settings Saved','b2bking'),\n+\t\t\t    'settings_saved_successfully' => esc_html__('Settings saved successfully','b2bking'),\n \t\t\t    'users_have_been_moved' => esc_html__('All users have been moved to your chosen group','b2bking'),\n \t\t\t    'registration_form_shortcodes_text' => esc_html__('Registration Form Shortcodes','b2bking'),\n \t\t\t    'bulkorder_form_shortcodes_text' => esc_html__('Order Form Shortcodes','b2bking'),","To exploit this vulnerability, an attacker must have at least Shop Manager level access. \n1. Login to the WordPress dashboard as a Shop Manager.\n2. Navigate to a standard administrative page where the plugin enqueues its scripts (such as a Product Edit page) and extract the 'b2bking_admin_nonce' from the global 'b2bking' JavaScript object.\n3. Identify the target User ID and the ID of a B2B group (b2bking_group) the attacker wishes to assign the user to.\n4. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `b2bking_set_users_in_group`. The payload should include the extracted nonce in the 'security' parameter, the target User ID(s) in 'users', and the target Group ID in 'group'.\n5. Because the plugin lacks a capability check, the AJAX request will succeed, updating the user's customer group and granting them associated B2B privileges or discounts.","gemini-3-flash-preview","2026-06-04 21:25:36","2026-06-04 21:26:14",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","5.2.00","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb2bking-wholesale-for-woocommerce\u002Ftags\u002F5.2.00","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fb2bking-wholesale-for-woocommerce.5.2.00.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb2bking-wholesale-for-woocommerce\u002Ftags\u002F5.2.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fb2bking-wholesale-for-woocommerce.5.2.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb2bking-wholesale-for-woocommerce\u002Ftags"]