BOX NOW Delivery <= 3.0.2 - Missing Authorization
Description
The BOX NOW Delivery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.0.2What Changed in the Fix
Changes introduced in v3.2.0
Source Code
WordPress.org SVN# Vulnerability Research Plan: CVE-2026-24571 (BOX NOW Delivery) ## 1. Vulnerability Summary The **BOX NOW Delivery** plugin for WordPress (up to 3.0.2) contains a **Missing Authorization** vulnerability. The plugin implements settings management logic that is accessible via `admin-post.php` but fa…
Show full research plan
Vulnerability Research Plan: CVE-2026-24571 (BOX NOW Delivery)
1. Vulnerability Summary
The BOX NOW Delivery plugin for WordPress (up to 3.0.2) contains a Missing Authorization vulnerability. The plugin implements settings management logic that is accessible via admin-post.php but fails to perform an adequate capability check (e.g., current_user_can('manage_options')) within the processing logic. Consequently, any authenticated user with at least Subscriber privileges can modify critical plugin settings, including API credentials, warehouse IDs, and contact information.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-post.php - Action:
boxnow-settings-save - Method:
POST(URL-encoded) - Authentication: Required (Subscriber or higher)
- Vulnerable Parameter:
action, and various settings parameters (e.g.,boxnow_partner_id,boxnow_client_id). - Preconditions: The plugin must be active and WooCommerce must be installed/active (as seen in
box-now-delivery.phpline 20).
3. Code Flow
- Entry Point: The main plugin file
box-now-delivery.phpincludesincludes/box-now-delivery-admin-page.php. - Registration:
includes/box-now-delivery-admin-page.phpincludesincludes/box-now-delivery-validation.php(line 19). - Trigger: The validation file likely hooks into
admin_post_boxnow-settings-save(inferred from the form inbox_now_delivery_optionsinbox-now-delivery-admin-page.php, line 49). - Processing: The handler for this action fails to verify if the user has the
manage_optionscapability. - Sink: The handler calls
update_option()for variousboxnow_*parameters provided in the$_POSTrequest.
4. Nonce Acquisition Strategy
The form in box-now-delivery-admin-page.php uses
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.