CVE-2026-24606

Bayarcash WooCommerce <= 4.3.12 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.3.14
Patched in
31d
Time to patch

Description

The Bayarcash WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.3.12. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.3.12
PublishedJanuary 13, 2026
Last updatedFebruary 13, 2026
Affected pluginbayarcash-wc

Source Code

WordPress.org SVN
Research Plan
Unverified

Since source files for **Bayarcash WooCommerce 4.3.12** were not provided, this research plan is based on the vulnerability description (Missing Authorization/Capability Check) and common architectural patterns in WooCommerce payment gateway plugins. ### 1. Vulnerability Summary The **Bayarcash Woo…

Show full research plan

Since source files for Bayarcash WooCommerce 4.3.12 were not provided, this research plan is based on the vulnerability description (Missing Authorization/Capability Check) and common architectural patterns in WooCommerce payment gateway plugins.

1. Vulnerability Summary

The Bayarcash WooCommerce plugin (up to 4.3.12) suffers from a missing authorization vulnerability. A specific function, likely intended for administrative tasks (such as updating plugin settings, processing payment callbacks, or managing logs), is exposed via a WordPress hook (e.g., admin_init, wp_ajax_nopriv_*, or template_redirect) without a corresponding current_user_can() check. This allows unauthenticated users to trigger the function and perform unauthorized modifications to the site configuration or order data.

2. Attack Vector Analysis

  • Endpoint: Likely wp-admin/admin-ajax.php (if AJAX-based) or wp-admin/admin-post.php / any front-end page (if admin_init or init is used).
  • Action Name (Inferred): Likely prefixed with bayarcash_, such as bayarcash_save_settings, bayarcash_update_config, or bayarcash_status_update.
  • Payload Location: $_POST or $_GET parameters.
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated request is sent to admin-ajax.php or a generic URL.
  2. Hook Trigger: WordPress fires init, admin_init, or an AJAX hook (e.g., add_action('wp_ajax_nopriv_bayarcash_...', 'handler_function')).
  3. Vulnerable Function: The handler_function (inferred) is executed.
  4. Authorization Failure: The function performs logic (like update_option) without calling current_user_can('manage_options').
  5. Sink: Plugin settings or WooCommerce order metadata are updated based on attacker-supplied input.

4. Nonce Acquisition Strategy

Missing Authorization vulnerabilities often coincide with Missing Cross-Site Request Forgery (CSRF) protection (missing nonces).

Step 1: Check for Nonce requirement

  • The agent should first attempt the exploit without a nonce.
  • If the response is 0 or -1, a nonce might be required.

Step 2: Locate Nonce in Frontend (if applicable)
If the plugin localized a nonce for frontend scripts:

  1. Search for Shortcodes: Run wp eval "print_r( $GLOBALS['shortcode_tags'] );" to find Bayarcash-related shortcodes (e.g., [bayarcash_form]).
  2. Create Page: wp post create --post_type=page --post_status=publish --post_content='[inferred_shortcode]'
  3. Navigate & Extract:
    • Navigate to the page.
    • Execute: browser_eval("window.bayarcash_params?.nonce") or similar (Inspect window object for keys containing "bayarcash").

5. Exploitation Strategy

The goal is to modify a critical plugin setting (e.g., the merchant API key or the success/fail URLs) to divert payments or manipulate order processing.

Step 1: Discovery (Crucial without Source)
The agent must identify the vulnerable action. Search the plugin directory for handlers that modify options:

grep -rnE "update_option|update_post_meta" /var/www/html/wp-content/plugins/bayarcash-wc/

Look for these calls inside functions registered to add_action.

Step 2: Construct the Request
Assuming the vulnerable action is bayarcash_save_settings (inferred):

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=bayarcash_save_settings&merchant_id=attacker_id&api_key=malicious_key
    

Step 3: Execution via http_request
Execute the identified action using the http_request tool.

6. Test Data Setup

  1. Install Plugin: Ensure bayarcash-wc version 4.3.12 is installed and active.
  2. Configure WC: Ensure WooCommerce is installed.
  3. Check Current State: Note the current values of plugin settings:
    • wp option get bayarcash_settings (inferred option name).

7. Expected Results

  • Success: The server returns a success code (e.g., {"success": true} or 200 OK).
  • Impact: The plugin's configuration in the wp_options table is overwritten with attacker-supplied values.

8. Verification Steps

After sending the exploit request, verify the change using WP-CLI:

# Verify if the merchant ID or API key was changed
wp option get bayarcash_settings
# OR if settings are individual options
wp option get bayarcash_api_key

9. Alternative Approaches

If no AJAX action is found, check for admin_init hooks that do not check for DOING_AJAX:

  1. Check admin_init logic: Some plugins process POST requests inside an admin_init callback regardless of whether the user is in the admin dashboard.
  2. Payload for admin_init:
    # Request to any URL with the specific POST parameters
    POST /?bayarcash_action=update_config
    Body: api_key=pwned
    
  3. Check for "Webhook" bypass: If the vulnerability is in a callback handler (e.g., wc-api endpoint), attempt to update an order status by sending a POST request to /?wc-api=bayarcash_callback with an arbitrary order_id and status=completed.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Bayarcash WooCommerce plugin for WordPress is vulnerable to unauthorized access in versions up to 4.3.12 due to missing capability checks on functions registered to WordPress hooks like admin_init or AJAX actions. This allows unauthenticated attackers to perform sensitive actions such as modifying plugin configuration or updating order statuses.

Exploit Outline

1. Identify a vulnerable administrative or callback function registered without a current_user_can() check (e.g., an action such as bayarcash_save_settings or a status update handler). 2. Send an unauthenticated POST request to wp-admin/admin-ajax.php, wp-admin/admin-post.php, or a WooCommerce callback endpoint containing the vulnerable action parameter. 3. Include parameters in the payload to modify plugin settings, such as merchant_id, api_key, or payment success URLs, to redirect future payments to an attacker-controlled account. 4. Since there is no capability check (current_user_can) or nonce verification, the plugin will update the site's options or order data based on the malicious input.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.