[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqywdyjQQwhjNMgxu8vyY5UOqiELj38Yiff_0Ednv8ww":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39668","book-previewer-for-woocommerce-missing-authorization","Book Previewer for Woocommerce \u003C= 1.0.6 - Missing Authorization","The Book Previewer for Woocommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","book-previewer-for-woocommerce",null,"\u003C=1.0.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-04-15 21:26:36",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F02af9eab-fe69-4adb-b6e8-bf710b00af3f?source=api-prod",[],"researched",false,3,"This research plan targets **CVE-2026-39668**, a missing authorization vulnerability in the **Book Previewer for Woocommerce** plugin. 
Since the plugin allows unauthenticated attackers to perform unauthorized actions, our goal is to identify the specific AJAX or REST endpoint that lacks a `current_user_can()` check and exploit it to modify plugin settings or site data.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (Insecure Direct Object Reference or unprotected AJAX handler).\n*   **Location:** Likely within an AJAX handler registered via `wp_ajax_nopriv_` or an `admin_init` hook that processes `$_POST` without checking capabilities.\n*   **Affected Functionality:** Modification of plugin settings, product metadata related to book previews, or administrative configurations.\n*   **Why it exists:** The developer registered a function to handle sensitive data updates but omitted `if (!current_user_can('manage_options'))` (or a similar capability check), allowing any user (including unauthenticated ones) to trigger the function.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action (Inferred):** Likely prefixed with `bpw_` or `book_previewer_`, such as `bpw_save_settings`, `bpw_update_options`, or `save_book_preview_data`.\n*   **Authentication:** None required (AV:N \u002F PR:N).\n*   **Preconditions:** The plugin must be active. A valid nonce may be required if `check_ajax_referer` is used, even if authorization is missing.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** `admin-ajax.php` receives a POST request with an `action` parameter.\n2.  **Hook Trigger:** WordPress triggers the `wp_ajax_nopriv_{action}` hook.\n3.  **Vulnerable Handler:** The plugin's callback function (e.g., `BPW_Ajax::save_settings` or a similar name) is executed.\n4.  **Authorization Failure:** The handler function processes input (e.g., `update_option` or `update_post_meta`) without calling `current_user_can()`.\n5.  **Data Modification:** The attacker's payload is written to the database.\n\n---\n\n### 4. 
Nonce Acquisition Strategy\nIf the vulnerable handler uses `check_ajax_referer('some_action', 'nonce_key')`, we must find where that nonce is generated and exposed.\n\n1.  **Identify Shortcode:** Search for shortcodes that might load plugin assets:\n    `grep -rn \"add_shortcode\" .`\n2.  **Create Test Page:**\n    `wp post create --post_type=page --post_status=publish --post_title=\"Preview Test\" --post_content='[book_previewer_shortcode_found]'` (Replace with the actual shortcode).\n3.  **Find the Nonce in JS:**\n    Plugins usually localize nonces. Search for `wp_localize_script` in the codebase:\n    `grep -rn \"wp_localize_script\" .`\n    *Note the JS object and key (e.g., `bpw_ajax_obj.nonce`).*\n4.  **Extract via Browser:**\n    Use `browser_navigate` to the created page, then:\n    `browser_eval(\"window.bpw_ajax_obj?.nonce || window.book_previewer_params?.nonce\")`\n\n---\n\n### 5. Exploitation Strategy\nThe target is likely a setting that can cause visible changes or compromise site integrity (e.g., changing the preview URL or disabling purchase buttons).\n\n**Step 1: Discovery (To be performed by the agent)**\n*   Run: `grep -r \"wp_ajax_nopriv_\" .` to find all unauthenticated AJAX entry points.\n*   Identify the callback function for those actions.\n*   Inspect the callback for the absence of `current_user_can`.\n\n**Step 2: Crafting the Payload**\nAssuming a hypothetical action `bpw_save_settings` that updates a plugin option:\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `bpw_save_settings` (as found in Discovery)\n    *   `security` or `_wpnonce`: (Extracted from Step 4)\n    *   `payload_key`: `malicious_value` (e.g., setting a PDF preview URL to an external phishing site or changing a price-related setting).\n\n**Step 3: Execution**\nUse the `http_request` tool to send 
the POST request.\n\n---\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `book-previewer-for-woocommerce` version 1.0.6 is installed.\n2.  **Create Product:** Create a WooCommerce product to test preview settings.\n    `wp eval '$p = [\"post_title\" => \"Test Book\", \"post_type\" => \"product\", \"post_status\" => \"publish\"]; wp_insert_post($p);'`\n3.  **Identify Settings:** Look at the plugin's admin page to see which options it manages (e.g., `bpw_preview_settings`).\n\n---\n\n### 7. Expected Results\n*   **Success Response:** The server returns a `200 OK` or `{\"success\":true}` response.\n*   **Impact:** A site option or product meta field is updated with the attacker's value, proving unauthorized modification.\n\n---\n\n### 8. Verification Steps\nAfter the HTTP request, verify the change via WP-CLI:\n1.  **Check Options:** `wp option get bpw_settings` (Replace with the actual option name found).\n2.  **Check Meta:** `wp post meta list \u003Cproduct_id>` if the exploit targeted product-specific preview data.\n\n---\n\n### 9. Alternative Approaches\n*   **REST API:** If no AJAX handlers are found, search for `register_rest_route`. Check if any routes have `'permission_callback' => '__return_true'` or are missing the callback entirely.\n*   **Admin Init Hook:** Check for `add_action('admin_init', ...)` functions that don't check `is_admin()` properly. Note: `admin-ajax.php` triggers `admin_init`, so unauthenticated users can often hit these hooks by calling `admin-ajax.php` with *any* valid action.\n*   **Settings Save:** If the plugin uses the standard Settings API, check if `register_setting` was used without proper sanitization or if the options page can be submitted by non-admins.","The Book Previewer for Woocommerce plugin for WordPress (versions up to 1.0.6) is vulnerable to unauthorized data modification due to missing capability checks on functions handling sensitive data. 
This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin settings or product-related preview metadata, by interacting with the plugin's AJAX handlers.","An attacker targets the WordPress AJAX endpoint at \u002Fwp-admin\u002Fadmin-ajax.php. By identifying an AJAX action registered via wp_ajax_nopriv_ (intended for unauthenticated users) that maps to a function lacking a current_user_can() check, the attacker can send a POST request with a crafted payload to modify site options or post metadata. If the function requires a nonce, the attacker first extracts it from the localized JavaScript variables (e.g., bpw_ajax_obj.nonce) often found on the product or preview pages where the plugin is active.","gemini-3-flash-preview","2026-04-19 04:49:56","2026-04-19 04:50:12",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbook-previewer-for-woocommerce\u002Ftags"]