CVE-2026-39668

Book Previewer for Woocommerce <= 1.0.6 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Book Previewer for Woocommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.0.6
Published: February 18, 2026
Last updated: April 15, 2026
Research Plan
Unverified


This research plan targets CVE-2026-39668, a missing authorization vulnerability in the Book Previewer for Woocommerce plugin. Since the plugin allows unauthenticated attackers to perform unauthorized actions, our goal is to identify the specific AJAX or REST endpoint that lacks a current_user_can() check and exploit it to modify plugin settings or site data.


1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Insecure Direct Object Reference or unprotected AJAX handler).
  • Location: Likely within an AJAX handler registered via wp_ajax_nopriv_ or an admin_init hook that processes $_POST without checking capabilities.
  • Affected Functionality: Modification of plugin settings, product metadata related to book previews, or administrative configurations.
  • Why it exists: The developer registered a function to handle sensitive data updates but omitted if (!current_user_can('manage_options')) (or a similar capability check), allowing any user (including unauthenticated ones) to trigger the function.
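As an added illustration (not Book Previewer's own code; every identifier below, including the action name and option key, is a hypothetical placeholder), here is the handler shape described above next to its hardened form: a nonce check alone proves intent, and it is the `current_user_can()` check that decides who may write the option.

```php
<?php
// Added example, not Book Previewer's code. All names (bpw_*, the option key)
// are hypothetical placeholders standing in for whatever the plugin uses.

// --- Vulnerable pattern: reachable unauthenticated, no capability check. ---
// Registering on wp_ajax_nopriv_ makes the action callable without a session;
// the callback then writes an option straight from $_POST.
add_action( 'wp_ajax_nopriv_bpw_save_settings', 'bpw_save_settings_unsafe' );
add_action( 'wp_ajax_bpw_save_settings', 'bpw_save_settings_unsafe' );
function bpw_save_settings_unsafe() {
    $url = isset( $_POST['preview_url'] ) ? $_POST['preview_url'] : '';
    update_option( 'bpw_preview_url', $url );   // any visitor can change this
    wp_send_json_success();
}

// --- Hardened pattern. ---
// Settings writes are only ever done by logged-in administrators, so the
// action is not exposed on the nopriv hook at all.
add_action( 'wp_ajax_bpw_save_settings', 'bpw_save_settings_safe' );
function bpw_save_settings_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action. With the
    //    third argument false, a bad nonce returns false instead of dying, so
    //    the handler can answer with a proper error status.
    if ( ! check_ajax_referer( 'bpw_save_settings', 'security', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    // 2. Authorization: this is the check whose absence is the CVE. Without it
    //    any account holding a valid nonce could still reach the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 3. Input handling: unslash and sanitize before persisting.
    $url = isset( $_POST['preview_url'] )
        ? esc_url_raw( wp_unslash( $_POST['preview_url'] ) )
        : '';
    update_option( 'bpw_preview_url', $url );
    wp_send_json_success( array( 'preview_url' => $url ) );
}

// Where the nonce comes from: localized alongside the admin-only script, so it
// is only minted on pages an administrator actually loads.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'bpw-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'bpw-admin', 'bpw_ajax_obj', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'bpw_save_settings' ),
    ) );
} );
```

When reviewing a plugin for this class of bug, grep for every wp_ajax_nopriv_ and wp_ajax_ registration and confirm each callback that calls update_option, update_post_meta or similar performs a current_user_can() check before the write.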

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action (Inferred): Likely prefixed with bpw_ or book_previewer_, such as bpw_save_settings, bpw_update_options, or save_book_preview_data.
  • Authentication: None required (AV:N / PR:N).
  • Preconditions: The plugin must be active. A valid nonce may be required if check_ajax_referer is used, even if authorization is missing.

3. Code Flow (Inferred)

  1. Entry Point: admin-ajax.php receives a POST request with an action parameter.
  2. Hook Trigger: WordPress triggers the wp_ajax_nopriv_{action} hook.
  3. Vulnerable Handler: The plugin's callback function (e.g., BPW_Ajax::save_settings or a similar name) is executed.
  4. Authorization Failure: The handler function processes input (e.g., update_option or update_post_meta) without calling current_user_can().
  5. Data Modification: The attacker's payload is written to the database.

4. Nonce Acquisition Strategy

If the vulnerable handler uses check_ajax_referer('some_action', 'nonce_key'), we must find where that nonce is generated and exposed.

  1. Identify Shortcode: Search for shortcodes that might load plugin assets:
    grep -rn "add_shortcode" .
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Preview Test" --post_content='[book_previewer_shortcode_found]' (Replace with the actual shortcode).
  3. Find the Nonce in JS:
    Plugins usually localize nonces. Search for wp_localize_script in the codebase:
    grep -rn "wp_localize_script" .
    Note the JS object and key (e.g., bpw_ajax_obj.nonce).
  4. Extract via Browser:
    Use browser_navigate to the created page, then:
    browser_eval("window.bpw_ajax_obj?.nonce || window.book_previewer_params?.nonce")

5. Exploitation Strategy

The target is likely a setting that can cause visible changes or compromise site integrity (e.g., changing the preview URL or disabling purchase buttons).

Step 1: Discovery (To be performed by the agent)

  • Run: grep -r "wp_ajax_nopriv_" . to find all unauthenticated AJAX entry points.
  • Identify the callback function for those actions.
  • Inspect the callback for the absence of current_user_can.

Step 2: Crafting the Payload
Assuming a hypothetical action bpw_save_settings that updates a plugin option:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: bpw_save_settings (as found in Discovery)
    • security or _wpnonce: (Extracted from Step 4)
    • payload_key: malicious_value (e.g., setting a PDF preview URL to an external phishing site or changing a price-related setting).

Step 3: Execution
Use the http_request tool to send the POST request.


6. Test Data Setup

  1. Install Plugin: Ensure book-previewer-for-woocommerce version 1.0.6 is installed.
  2. Create Product: Create a WooCommerce product to test preview settings.
    wp eval '$p = ["post_title" => "Test Book", "post_type" => "product", "post_status" => "publish"]; wp_insert_post($p);' (single quotes around the PHP keep the shell from expanding $p before wp-cli sees it).
  3. Identify Settings: Look at the plugin's admin page to see which options it manages (e.g., bpw_preview_settings).

7. Expected Results

  • Success Response: The server returns a 200 OK or {"success":true} response.
  • Impact: A site option or product meta field is updated with the attacker's value, proving unauthorized modification.

8. Verification Steps

After the HTTP request, verify the change via WP-CLI:

  1. Check Options: wp option get bpw_settings (Replace with the actual option name found).
  2. Check Meta: wp post meta list <product_id> if the exploit targeted product-specific preview data.

9. Alternative Approaches

  • REST API: If no AJAX handlers are found, search for register_rest_route. Check if any routes have 'permission_callback' => '__return_true' or missing the callback entirely.
  • Admin Init Hook: Check for add_action('admin_init', ...) functions that don't check is_admin() properly. Note: admin-ajax.php triggers admin_init, so unauthenticated users can often hit these hooks by calling admin-ajax.php with any valid action.
  • Settings Save: If the plugin uses the standard Settings API, check if register_setting was used without proper sanitization or if the options page can be submitted by non-admins.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Book Previewer for Woocommerce plugin for WordPress (versions up to 1.0.6) is vulnerable to unauthorized data modification due to missing capability checks on functions handling sensitive data. This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin settings or product-related preview metadata, by interacting with the plugin's AJAX handlers.

Exploit Outline

An attacker targets the WordPress AJAX endpoint at /wp-admin/admin-ajax.php. By identifying an AJAX action registered via wp_ajax_nopriv_ (intended for unauthenticated users) that maps to a function lacking a current_user_can() check, the attacker can send a POST request with a crafted payload to modify site options or post metadata. If the function requires a nonce, the attacker first extracts it from the localized JavaScript variables (e.g., bpw_ajax_obj.nonce) often found on the product or preview pages where the plugin is active.
