[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flWtTE0l3nWZWVOp9Xrp-V8hZXiWzJtz5vLbJCxlJnfY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1672","bear-bulk-editor-and-products-manager-professional-for-woocommerce-by-pluginusnet-cross-site-request-forgery-to-product-","BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net \u003C= 1.1.5 - Cross-Site Request Forgery to Product Data Modification","The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. 
This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.","woo-bulk-editor",null,"\u003C=1.1.5","1.1.6","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-07 00:00:00","2026-04-08 11:17:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=api-prod",1,[],"researched",false,3,"This plan outlines the research and exploitation strategy for **CVE-2026-1672**, a Cross-Site Request Forgery (CSRF) vulnerability in the **BEAR – Bulk Editor and Products Manager Professional for WooCommerce** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **BEAR (Bulk Editor and Products Manager)** plugin (formerly WOOBE) allows for mass editing of WooCommerce products. The vulnerability exists in the `woobe_redraw_table_row()` function (likely located in the main plugin class or an AJAX handler class). This function is hooked to the `wp_ajax_woobe_redraw_table_row` action.\n\nThe function fails to implement a nonce check (using `check_ajax_referer` or `wp_verify_nonce`). While the function is intended to simply return the HTML for a specific product row after an update, it appears to process or trust input parameters in a way that allows modification of product data (e.g., price, title, SKU) via CSRF if an attacker can trick an administrator into sending a crafted request.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `woobe_redraw_table_row`\n*   **Method:** POST (standard for WordPress AJAX)\n*   **Vulnerable Parameter(s):** `product_id`, and parameters related to field values (likely passed via `$_REQUEST`).\n*   **Authentication Level:** Requires an active session of a user with `shop_manager` or `administrator` roles.\n*   **Preconditions:** The victim must be logged into the WordPress admin panel.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the AJAX hook:\n    `add_action('wp_ajax_woobe_redraw_table_row', array($this, 'woobe_redraw_table_row'));`\n2.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with `action=woobe_redraw_table_row`.\n3.  **Vulnerable Logic:** Inside `woobe_redraw_table_row()`:\n    *   The code retrieves `product_id` from `$_REQUEST['product_id']`.\n    *   The code retrieves field data. In some versions of this plugin, the \"redraw\" logic is used to commit changes to the database before returning the new HTML, or it calls an internal save method without verifying nonces.\n    *   The `WC_Product` object is instantiated and updated based on the provided request parameters.\n4.  **Missing Check:** The function lacks `check_ajax_referer('woobe_nonce', 'nonce')` or similar validation, allowing any cross-site request to trigger the execution.\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the `woobe_redraw_table_row` function is **missing nonce validation**. Therefore, no nonce should be required to successfully execute the state-changing operation.\n\nIf a nonce *is* present but the check is weak (e.g., uses `-1` or is conditional), the agent should check the global JS variables in the admin dashboard:\n1.  **Variable Name:** `woobe_vars` or `woobe_settings` (common localization keys for this plugin).\n2.  **Key:** `nonce` or `woobe_nonce`.\n3.  
**Acquisition:**\n    *   Navigate to the Products Bulk Editor page: `\u002Fwp-admin\u002Fadmin.php?page=woobe`.\n    *   Run `browser_eval(\"window.woobe_vars?.nonce\")`.\n\n### 5. Exploitation Strategy\nThe goal is to change a product's price via a CSRF-style POST request.\n\n**Step-by-Step Plan:**\n1.  **Identify Target Product:** Get the ID of an existing WooCommerce product.\n2.  **Craft Payload:** The payload must target `admin-ajax.php`. Based on plugin structure, we need to identify the exact parameter name used for field updates. Common parameters in BEAR: `field`, `value`, `product_id`.\n3.  **Execute Request:** Use `http_request` to simulate the admin performing the action.\n\n**Example Payload (Draft):**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=woobe_redraw_table_row&product_id=[ID]&field=regular_price&value=0.01\n    ```\n    *(Note: The exact parameter names for the \"value\" may be `$_REQUEST['value']` or nested in an array. The agent should verify this by grep-ing the function body in the source code first.)*\n\n### 6. Test Data Setup\n1.  **WooCommerce:** Ensure WooCommerce is installed and configured.\n2.  **Product:** Create a product with a known price:\n    ```bash\n    wp eval \"wc_create_product(array('name' => 'Test Product', 'regular_price' => '100'));\"\n    ```\n3.  **Identify ID:** Get the product ID using `wp post list --post_type=product`.\n4.  **Plugin Setup:** Ensure \"BEAR Bulk Editor\" is active.\n\n### 7. Expected Results\n*   The server responds with a `200 OK` and a chunk of HTML representing the updated table row.\n*   The product price in the database is changed to the value specified in the attack payload.\n\n### 8. 
Verification Steps\nAfter sending the `http_request`, verify the change using WP-CLI:\n```bash\n# Check the product price\nwp post get [PRODUCT_ID] --field=post_id\nwp eval \"echo get_post_meta([PRODUCT_ID], '_regular_price', true);\"\n```\nIf the output is `0.01` (or your chosen value), the CSRF is successful.\n\n### 9. Alternative Approaches\nIf `woobe_redraw_table_row` only renders data but doesn't save it, the vulnerability description implies that the *act* of calling the redraw might be coupled with a save operation or that there's a sibling function.\n*   **Alternative 1:** Search for `woobe_save_product_data` or `woobe_update_page_field`. If these also lack nonce checks, they are viable targets.\n*   **Alternative 2:** If the price is updated via a specific metadata field, the payload might look like: `action=woobe_redraw_table_row&product_id=[ID]&field=title&value=HACKED`.\n\n### 10. Source Code Investigation (Grep Commands)\nThe agent should start by running these to confirm identifiers:\n```bash\n# Find the AJAX handler\ngrep -rn \"wp_ajax_woobe_redraw_table_row\" .\n\n# Examine the function body for parameter names and missing nonce checks\ngrep -rn \"function woobe_redraw_table_row\" . -A 50\n\n# Check for localized script data to find nonce variable names (if any)\ngrep -rn \"wp_localize_script\" . -A 10 | grep \"nonce\"\n```","The BEAR Bulk Editor plugin for WooCommerce is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to validate nonces in the woobe_redraw_table_row AJAX handler. 
This allows unauthenticated attackers to modify product details, such as prices and titles, by tricking a logged-in administrator into interacting with a malicious link or site.","\u002F\u002F File: classes\u002Fwoobe.php (or similar AJAX handler)\n\nadd_action('wp_ajax_woobe_redraw_table_row', array($this, 'woobe_redraw_table_row'));\n\npublic function woobe_redraw_table_row() {\n    \u002F\u002F No check_ajax_referer or wp_verify_nonce check is present here\n    $product_id = intval($_REQUEST['product_id']);\n    \n    \u002F\u002F The function continues to process $_REQUEST parameters and updates \n    \u002F\u002F the product data before rendering the updated row HTML.\n    $field = $_REQUEST['field'];\n    $value = $_REQUEST['value'];\n    \n    \u002F\u002F ... logic that modifies WC_Product data ...","--- a\u002Fclasses\u002Fwoobe.php\n+++ b\u002Fclasses\u002Fwoobe.php\n@@ -120,4 +120,5 @@\n     public function woobe_redraw_table_row() {\n+        check_ajax_referer('woobe_nonce', 'nonce');\n         $product_id = intval($_REQUEST['product_id']);","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php using a CSRF attack. An attacker crafts a malicious web page that automatically sends a POST request with the 'action' parameter set to 'woobe_redraw_table_row'. To modify product data, the payload includes 'product_id' (the target product), 'field' (the metadata field to change, such as 'regular_price'), and 'value' (the new data, such as '0.01'). 
Because the plugin lacks nonce validation for this action, the request will execute successfully if an authenticated Shop Manager or Administrator visits the malicious page while logged into the WordPress dashboard.","gemini-3-flash-preview","2026-04-17 21:06:39","2026-04-17 21:07:02",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-bulk-editor\u002Ftags"]