Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools < 7.11.3 - Missing Authorization
Description
The Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 7.11.3 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
< 7.11.3
What Changed in the Fix
Changes introduced in v7.11.3
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-32586
1. Vulnerability Summary
The Booster for WooCommerce plugin (versions < 7.11.3) is vulnerable to Missing Authorization in its onboarding functionality. The plugin registers several AJAX handlers in includes/admin/class-booster-onboarding.php to manage "goals" and "blueprints" (pre-defined configuration sets). These handlers, specifically booster_apply_goal and booster_apply_blueprint, lack sufficient capability checks (e.g., current_user_can( 'manage_options' )). In affected versions, these were likely registered with wp_ajax_nopriv_ or the nonce/authorization logic was flawed, allowing unauthenticated attackers to modify plugin settings by "applying" onboarding goals that enable modules and change configuration options.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: booster_apply_goal (or booster_apply_blueprint)
- HTTP Method: POST
- Parameters:
  - action: booster_apply_goal
  - goal_id: The ID of the goal to apply (e.g., grow_sales, work_smarter).
  - nonce: A security nonce for the action booster_onboarding_nonce.
- Authentication: Unauthenticated (per CVE description, implying wp_ajax_nopriv_ availability or total lack of check).
- Preconditions: The plugin must be active. The target goal_id must exist in includes/admin/onboarding-map.php.
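The request shape above (POST to admin-ajax.php, the action in the body or query string, no WordPress session) is the signal a defender can hunt for. The following is an added detection example, not part of this advisory or of the plugin: it reads request records of the kind a reverse proxy or WAF that logs request bodies would emit (a plain access log does not contain the POST body, so the action parameter is invisible there) and reports calls to the onboarding actions made without a wordpress_logged_in_ cookie. The record format and the log lines are constructed for this example; the action list only contains names that appear on this page.

```python
"""Flag unauthenticated calls to the Booster onboarding AJAX actions.

Added example (not advisory or plugin code). Input: JSON-lines request
records with method, uri, cookies and body; the format is an assumption
made for this example, as is the sample log below.
"""
import json
from urllib.parse import parse_qs, urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
# Actions named on the advisory page; extend with any other handler
# registered in Booster_Onboarding::__construct() when auditing a real site.
ONBOARDING_ACTIONS = {
    "booster_apply_goal",
    "booster_apply_blueprint",
    "booster_log_onboarding_event",
}

# Constructed sample: two unauthenticated calls from one source, one call
# from a logged-in session, and an unrelated heartbeat request.
SAMPLE_LOG = """\
{"ts":"2026-03-01T10:00:01Z","src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","cookies":"","body":"action=booster_apply_goal&goal_id=grow_sales&nonce=0123456789"}
{"ts":"2026-03-01T10:00:05Z","src":"198.51.100.2","method":"POST","uri":"/wp-admin/admin-ajax.php","cookies":"wordpress_logged_in_abc=admin%7C1234%7Chash","body":"action=booster_apply_goal&goal_id=grow_sales&nonce=0123456789"}
{"ts":"2026-03-01T10:00:09Z","src":"203.0.113.7","method":"GET","uri":"/wp-admin/admin-ajax.php?action=booster_apply_blueprint&blueprint_id=ecommerce_starter","cookies":"","body":""}
{"ts":"2026-03-01T10:00:12Z","src":"192.0.2.9","method":"POST","uri":"/wp-admin/admin-ajax.php","cookies":"","body":"action=heartbeat&_nonce=deadbeef"}
"""


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extract_action(rec):
    """admin-ajax.php reads `action` from $_REQUEST, so look in the query
    string first and let a body parameter override it."""
    params = parse_qs(urlparse(rec["uri"]).query)
    params.update(parse_qs(rec.get("body", "")))
    return params.get("action", [None])[0]


def is_logged_in(rec):
    """Heuristic: a wordpress_logged_in_* cookie means some WP session.
    It does not prove the caller has manage_woocommerce; capability is not
    visible in a proxy log, so authenticated hits still need a manual look."""
    return "wordpress_logged_in_" in rec.get("cookies", "")


def suspicious(records):
    """Return onboarding-action calls that carry no WordPress session."""
    hits = []
    for rec in records:
        if urlparse(rec["uri"]).path != AJAX_PATH:
            continue
        action = extract_action(rec)
        if action in ONBOARDING_ACTIONS and not is_logged_in(rec):
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "method": rec["method"], "action": action})
    return hits


if __name__ == "__main__":
    for hit in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{hit['ts']} {hit['src']} {hit['method']} action={hit['action']}")
```

On a patched site (7.11.3 or later) such requests are rejected by the capability check, so a hit is only noise; on an unpatched site a hit followed by an unexplained change to a wcj_* option is the sequence to investigate, and the presence of a nonce in an unauthenticated request is expected here, since a nonce on its own never establishes authorization.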
3. Code Flow
- Entry Point: A POST request is sent to admin-ajax.php with action=booster_apply_goal.
- Hook: The request triggers the handler registered in Booster_Onboarding::__construct():
    add_action( 'wp_ajax_booster_apply_goal', array( $this, 'ajax_apply_goal' ) );
    // In vulnerable versions, the following was likely also present:
    // add_action( 'wp_ajax_nopriv_booster_apply_goal', array( $this, 'ajax_apply_goal' ) );
- Processing: ajax_apply_goal is called. It retrieves the goal_id from $_POST['goal_id'].
- Lookup: The function looks up the goal in $this->onboarding_map (loaded from includes/admin/onboarding-map.php).
- Sink: The function iterates through the modules array for the selected goal and calls update_option() for each setting defined in the map.
  - Example (grow_sales): update_option( 'wcj_sales_notifications_enabled', 'yes' ).
- Missing Check: The function fails to verify if the user has manage_options or manage_woocommerce capabilities before executing the option updates.
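The flow above is the generic shape of a WordPress missing-authorization bug: an AJAX callback is registered with add_action(), verifies a nonce, and then writes options without ever asking current_user_can(). That pattern can be audited mechanically across a plugin's source. The following is an added example, not code from Booster or from this advisory: a small Python audit that finds wp_ajax_* and wp_ajax_nopriv_* registrations of the array( $this, 'callback' ) form, locates each callback body, and reports handlers with no nonce check, no capability check, or an unauthenticated (nopriv) registration. The PHP it runs on is a constructed sample modelled on the vulnerable and the fixed handlers shown on this page, not the plugin's actual file.

```python
"""Audit WordPress AJAX handlers for missing capability checks.

Added example (not Booster code). The brace matcher is deliberately naive:
it does not tokenize PHP strings or comments, so a brace inside a string
literal would confuse it. That is acceptable for a first-pass audit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# add_action( 'wp_ajax_<action>' | 'wp_ajax_nopriv_<action>', array( $this, '<callback>' ) )
REGISTER_RE = re.compile(
    r"""add_action\(\s*['"](wp_ajax_(?:nopriv_)?)([A-Za-z0-9_]+)['"]\s*,\s*"""
    r"""array\(\s*\$this\s*,\s*['"]([A-Za-z0-9_]+)['"]\s*\)"""
)

# Constructed sample PHP: ajax_apply_goal mirrors the vulnerable handler on
# this page (nonce only, also reachable via wp_ajax_nopriv_); ajax_apply_blueprint
# mirrors the fixed one (nonce plus current_user_can).
SAMPLE_PHP = r"""
class Booster_Onboarding {
	public function __construct() {
		add_action( 'wp_ajax_booster_apply_goal', array( $this, 'ajax_apply_goal' ) );
		add_action( 'wp_ajax_nopriv_booster_apply_goal', array( $this, 'ajax_apply_goal' ) );
		add_action( 'wp_ajax_booster_apply_blueprint', array( $this, 'ajax_apply_blueprint' ) );
	}
	public function ajax_apply_goal() {
		check_ajax_referer( 'booster_onboarding_nonce', 'nonce' );
		$goal_id = isset( $_POST['goal_id'] ) ? sanitize_text_field( wp_unslash( $_POST['goal_id'] ) ) : '';
		update_option( 'wcj_sales_notifications_enabled', 'yes' );
	}
	public function ajax_apply_blueprint() {
		check_ajax_referer( 'booster_onboarding_nonce', 'nonce' );
		if ( ! current_user_can( 'manage_woocommerce' ) ) {
			wp_send_json_error( array( 'message' => 'Permission denied.' ) );
		}
		update_option( 'wcj_order_numbers_enabled', 'yes' );
	}
}
"""


@dataclass
class Finding:
    action: str
    callback: str
    nopriv: bool
    has_nonce_check: bool
    has_capability_check: bool


def method_body(src: str, name: str) -> Optional[str]:
    """Return the text between the braces of `function name(...) { ... }`."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit(src: str) -> list[Finding]:
    """One Finding per registration (a callback hooked twice appears twice)."""
    findings = []
    for hook, action, cb in REGISTER_RE.findall(src):
        body = method_body(src, cb) or ""
        findings.append(Finding(
            action=action,
            callback=cb,
            nopriv=hook.startswith("wp_ajax_nopriv_"),
            has_nonce_check="check_ajax_referer(" in body or "wp_verify_nonce(" in body,
            has_capability_check="current_user_can(" in body,
        ))
    return findings


def missing_authorization(src: str) -> list[str]:
    """Callbacks that never consult current_user_can(); a nonce alone is not authorization."""
    return sorted({f.callback for f in audit(src) if not f.has_capability_check})


def report(src: str) -> list[str]:
    """Human-readable lines, one per registration that has a problem."""
    lines = []
    for f in audit(src):
        problems = []
        if not f.has_nonce_check:
            problems.append("no nonce check")
        if not f.has_capability_check:
            problems.append("no current_user_can() check")
        if f.nopriv:
            problems.append("reachable unauthenticated via wp_ajax_nopriv_")
        if problems:
            lines.append(f"{f.action} -> {f.callback}(): " + ", ".join(problems))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PHP)))
```

Run against a real plugin by reading its PHP files into `src`; the audit does not follow callbacks registered as plain strings or closures, so treat an empty result as "nothing found by this pattern", not as a clean bill of health.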
4. Nonce Acquisition Strategy
The nonce is generated in includes/admin/class-booster-onboarding.php within the enqueue_scripts function:
    'nonce' => wp_create_nonce( 'booster_onboarding_nonce' )
To obtain this nonce unauthenticated:
- Identify Exposure: Booster often enqueues assets on the frontend if certain modules are active. The Booster_Onboarding script is enqueued if $this->should_show_modal() returns true (which is true if the onboarding has never been completed).
- Shortcode Method: If not enqueued on the homepage, create a page with a Booster shortcode that might trigger general script enqueuing.
    wp post create --post_type=page --post_status=publish --post_content='[wcj_currency_select]' --post_title='Booster Test'
- Extraction:
  - Use browser_navigate to visit the site or the created page.
  - Use browser_eval to extract the nonce from the boosterOnboarding global object: browser_eval("window.boosterOnboarding?.nonce")
- Bypass Check: If no nonce is found, test the endpoint with a dummy nonce; the Missing Authorization may extend to a missing check_ajax_referer call entirely.
5. Exploitation Strategy
We will attempt to enable the Sales Notifications module by applying the grow_sales goal.
Step 1: Extract Nonce (if required)
Navigate to the homepage and check for the boosterOnboarding object.
// Browser Eval
return window.boosterOnboarding ? window.boosterOnboarding.nonce : "not_found";
Step 2: Send Exploit Request
Submit a POST request to admin-ajax.php.
- URL: http://<target>/wp-admin/admin-ajax.php
- Headers: Content-Type: application/x-www-form-urlencoded
- Body: action=booster_apply_goal&goal_id=grow_sales&nonce=<NONCE_FROM_STEP_1>
Step 3: Verify Success
Applying grow_sales sets wcj_sales_notifications_enabled to yes.
6. Test Data Setup
- Install Plugin: Booster for WooCommerce < 7.11.3.
- Fresh Install: Ensure the booster_free_onboarding option is empty so should_show_modal() returns true.
- Target Setting: Verify the initial state of the target option is not yes: wp option get wcj_sales_notifications_enabled (should return false/error).
7. Expected Results
- The AJAX request should return a JSON success response (e.g., {"success": true}).
- The WordPress database will be updated.
- The module Sales Notifications will be enabled.
8. Verification Steps
After the HTTP request, use WP-CLI to check the option state:
wp option get wcj_sales_notifications_enabled
# Expected output: yes
9. Alternative Approaches
If booster_apply_goal fails, try booster_apply_blueprint:
- Payload: action=booster_apply_blueprint&blueprint_id=ecommerce_starter&nonce=<NONCE>
- Expected Result: Multiple options defined in onboarding-blueprints.php will be updated, such as wcj_order_numbers_enabled or wcj_pdf_invoicing_enabled.
If the booster_onboarding_nonce is strictly enforced and not leaked to unauthenticated users, check for other AJAX actions registered in the constructor that might have been overlooked:
- booster_log_onboarding_event: While lower impact, if this also lacks authorization, it confirms the vulnerability pattern.
Summary
The Booster for WooCommerce plugin is vulnerable to unauthorized plugin configuration changes due to missing authorization checks in its onboarding AJAX handlers. Unauthenticated attackers can exploit this to enable or disable specific modules and modify plugin settings by applying pre-defined 'goals' or 'blueprints'.
Vulnerable Code
// includes/admin/class-booster-onboarding.php
public function ajax_apply_goal() {
    // Only the nonce is verified; there is no current_user_can() check,
    // so any caller presenting a valid nonce reaches the option updates.
    check_ajax_referer( 'booster_onboarding_nonce', 'nonce' );
    $goal_id = isset( $_POST['goal_id'] ) ? sanitize_text_field( wp_unslash( $_POST['goal_id'] ) ) : '';
    if ( ! isset( $this->onboarding_map[ $goal_id ] ) ) {
        wp_send_json_error( array( 'message' => __( 'Invalid goal ID.', 'woocommerce-jetpack' ) ) );
    }
    $goal = $this->onboarding_map[ $goal_id ];
    // ... logic to update options based on goal ID
}

---

// includes/admin/class-booster-onboarding.php
public function ajax_apply_blueprint() {
    // Same pattern: nonce check only, no capability check.
    check_ajax_referer( 'booster_onboarding_nonce', 'nonce' );
    $blueprint_id = isset( $_POST['blueprint_id'] ) ? sanitize_text_field( wp_unslash( $_POST['blueprint_id'] ) ) : '';
    // ... logic to update options based on blueprint ID
}
Security Fix
@@ -322,6 +323,11 @@ public function ajax_apply_goal() { check_ajax_referer( 'booster_onboarding_nonce', 'nonce' ); + // phpcs:ignore WordPress.WP.Capabilities.Unknown + if ( ! current_user_can( 'manage_woocommerce' ) ) { + wp_die( esc_html__( 'Insufficient permissions.', 'woocommerce-jetpack' ) ); + } + $goal_id = isset( $_POST['goal_id'] ) ? sanitize_text_field( wp_unslash( $_POST['goal_id'] ) ) : ''; if ( ! isset( $this->onboarding_map[ $goal_id ] ) ) { @@ -351,6 +357,11 @@ public function ajax_undo_goal() { check_ajax_referer( 'booster_onboarding_nonce', 'nonce' ); + // phpcs:ignore WordPress.WP.Capabilities.Unknown + if ( ! current_user_can( 'manage_woocommerce' ) ) { + wp_die( esc_html__( 'Insufficient permissions.', 'woocommerce-jetpack' ) ); + } + $goal_id = isset( $_POST['goal_id'] ) ? sanitize_text_field( wp_unslash( $_POST['goal_id'] ) ) : ''; $onboarding_state = get_option( $this->option_key, array() ); @@ -836,6 +972,11 @@ public function ajax_apply_blueprint() { check_ajax_referer( 'booster_onboarding_nonce', 'nonce' ); + // phpcs:ignore WordPress.WP.Capabilities.Unknown + if ( ! current_user_can( 'manage_woocommerce' ) ) { + wp_send_json_error( array( 'message' => __( 'Permission denied.', 'woocommerce-jetpack' ) ) ); + } + $blueprint_id = isset( $_POST['blueprint_id'] ) ? sanitize_text_field( wp_unslash( $_POST['blueprint_id'] ) ) : ''; $blueprints = file_exists( WCJ_FREE_PLUGIN_PATH . '/includes/admin/onboarding-blueprints.php' )
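Review bot: In the ajax_apply_goal hunk (@@ -322,6 +323,11 @@) the denial path ends in wp_die( esc_html__( 'Insufficient permissions.', 'woocommerce-jetpack' ) ), which sends a plain text body to an AJAX caller, while the existing invalid-goal branch a few lines below and the third hunk both use wp_send_json_error. Suggest the same form here, e.g. wp_send_json_error( array( 'message' => __( 'Insufficient permissions.', 'woocommerce-jetpack' ) ) );, so the onboarding JavaScript sees one error envelope. Placement is right: the check follows check_ajax_referer and precedes the first read of $_POST. The diff does not show whether a wp_ajax_nopriv_ registration of this action also exists in the constructor; with the capability check in place such a hook would be dead weight and is worth removing in the same change.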
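Review bot: The ajax_undo_goal hunk (@@ -351,6 +357,11 @@) has the same wp_die( esc_html__( 'Insufficient permissions.', 'woocommerce-jetpack' ) ) denial, which returns a text fragment rather than the JSON error structure the handlers otherwise use; wp_send_json_error( array( 'message' => __( 'Insufficient permissions.', 'woocommerce-jetpack' ) ) ); would match ajax_apply_blueprint below. The check is correctly placed after the nonce verification and before get_option( $this->option_key, array() ) and the $_POST read, so state is only touched by a caller with manage_woocommerce.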
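Review bot: The ajax_apply_blueprint hunk (@@ -836,6 +972,11 @@) is the one of the three that denies with wp_send_json_error( array( 'message' => __( 'Permission denied.', 'woocommerce-jetpack' ) ) ), which is the right form for an AJAX handler and should be the model for the other two; the message text also differs from theirs ('Permission denied.' versus 'Insufficient permissions.') and could be unified. Documentation point: the phpcs:ignore WordPress.WP.Capabilities.Unknown suppression is there because manage_woocommerce is a capability WooCommerce defines, not core, so a short comment saying so would make the suppression self-explanatory. Note that the new-file line numbers jump from +357 to +972 between the second and third hunk, so this diff omits a large block of other additions that this review does not cover.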
Exploit Outline
The exploit targets the AJAX endpoint /wp-admin/admin-ajax.php using the booster_apply_goal or booster_apply_blueprint actions.
1. Nonce Acquisition: An attacker first retrieves the booster_onboarding_nonce. This nonce is often exposed to unauthenticated users in the frontend source code within the boosterOnboarding JavaScript global object, as the plugin enqueues its onboarding scripts whenever the onboarding modal is set to show (which is the default state on fresh or unconfigured installs).
2. Payload Delivery: The attacker sends an unauthenticated POST request to the AJAX endpoint with the following parameters: action=booster_apply_goal, goal_id (e.g., grow_sales or work_smarter), and the nonce retrieved in step 1.
3. Unauthorized Configuration: Because the plugin lacks current_user_can() checks in the vulnerable functions, the server processes the request and calls update_option() for multiple WordPress settings associated with the chosen goal. This allows the attacker to enable specific plugin modules, modify currency settings, or change order numbering formats without administrative credentials.