[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkqoLUCERlNNeOwqCEujgkeCcQJdbl3IgcOi11qB77Y8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-25316","cartflows-checkout-funnel-builder-for-woocommerce-authenticated-administrator-php-object-injection","CartFlows – Checkout & Funnel Builder for WooCommerce \u003C= 2.1.19 - Authenticated (Administrator+) PHP Object Injection","The CartFlows – Checkout & Funnel Builder for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.19 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cartflows",null,"\u003C=2.1.19","2.2.0","medium",6.6,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-01-26 00:00:00","2026-05-04 15:35:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F96a2e7cc-23ae-404a-9889-e7bf9f744ec5?source=api-prod",99,[22,23,24,25,26,27,28,29],"admin-core\u002Fajax\u002Fcommon-settings.php","admin-core\u002Fajax\u002Fflows-stats.php","admin-core\u002Fajax\u002Fflows.php","admin-core\u002Fajax\u002Fimporter.php","admin-core\u002Fajax\u002Fmeta-data.php","admin-core\u002Fassets\u002Fbuild\u002Feditor-app-rtl.css","admin-core\u002Fassets\u002Fbuild\u002Feditor-app.asset.php","admin-core\u002Fassets\u002Fbuild\u002Feditor-app.css","researched",false,3,"# Vulnerability Research Plan: CVE-2026-25316 - CartFlows PHP Object Injection\n\n## 1. Vulnerability Summary\nThe **CartFlows** plugin (\u003C= 2.1.19) is vulnerable to **PHP Object Injection** due to the use of insecure deserialization on untrusted user input within its administrative AJAX handlers. Specifically, the `save_global_settings` action in `CartflowsAdmin\\AdminCore\\Ajax\\CommonSettings` processes user-supplied configuration data and stores it via `AdminHelper::update_admin_settings_option`. In vulnerable versions, the sanitization or storage logic (likely within `sanitize_form_inputs` or the `update_admin_settings_option` helper) incorrectly applies `maybe_unserialize()` to input strings, allowing an attacker to trigger `unserialize()` by providing a crafted PHP serialized object.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `cartflows_save_global_settings`\n*   **Method:** `POST`\n*   **Authentication:** Required (Administrator or user with `cartflows_manage_settings` capability).\n*   **Vulnerable Parameter:** `_cartflows_facebook` (or any integration field in the `integrations` tab).\n*   **Nonce:** `security` parameter, verified against action `cartflows_save_global_settings`.\n\n## 3. Code Flow\n1.  **Entry Point:** The AJAX action `wp_ajax_cartflows_save_global_settings` is registered in `admin-core\u002Fajax\u002Fcommon-settings.php` via `register_ajax_events()`.\n2.  **Permission Check:** `save_global_settings()` verifies `current_user_can( 'cartflows_manage_settings' )`.\n3.  **Nonce Verification:** `check_ajax_referer( 'cartflows_save_global_settings', 'security', false )` is called.\n4.  **Route Logic:** If `$_POST['setting_tab']` is set to `'integrations'`, `save_integration_settings()` is invoked.\n5.  **Vulnerable Sink:** `save_integration_settings()` takes input from `$_POST['_cartflows_facebook']`, unslashes it, and passes it to `$this->sanitize_form_inputs()`.\n6.  **Data Persistence:** The \"sanitized\" data is passed to `AdminHelper::update_admin_settings_option('_cartflows_facebook', $new_settings, false)`, where it is eventually processed by a function that interprets the string as serialized data if it matches the `O:..` or `a:..` pattern, triggering `unserialize()`.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized for the CartFlows admin interface. To obtain it:\n1.  **Identify Trigger:** The settings page loads the necessary scripts.\n2.  **Access Admin:** Navigate to the CartFlows dashboard.\n3.  **Variable Extraction:** The plugin localizes its settings in the `cartflows_admin` or `cartflows_admin_common` object. Based on the AJAX class structure, the nonce is likely found in `cartflows_admin`.\n\n**Steps for PoC Agent:**\n1.  Navigate to `\u002Fwp-admin\u002Fadmin.php?page=cartflows&path=settings`.\n2.  Use `browser_eval` to extract the nonce:\n    `browser_eval(\"window.cartflows_admin?.save_global_settings_nonce\")`\n    *(Note: If the above is undefined, check `window.cartflows_admin_common?.save_global_settings_nonce`)*.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication and Nonce Retrieval\n*   Log in as an administrator.\n*   Navigate to the settings page and extract the `security` nonce for `cartflows_save_global_settings`.\n\n### Step 2: Payload Delivery\nSend a POST request to the AJAX endpoint with a serialized object. While no specific POP chain is identified in CartFlows, we can use a standard WordPress core class (like `WP_Block_Type_Registry` or a simple `stdClass`) to confirm deserialization.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Header:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=cartflows_save_global_settings&\n    security=\u003CNONCE>&\n    setting_tab=integrations&\n    _cartflows_facebook[facebook_pixel_id]=O:8:\"stdClass\":0:{}\n    ```\n\n### Step 3: Verification\nA successful injection will result in the `stdClass` object being stored or processed. Since POI is often \"blind\" without a POP chain, we verify by checking if the input was accepted and if the application behavior changes (e.g., error logs showing serialization errors if the object is invalid for its context).\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure CartFlows \u003C= 2.1.19 is active.\n2.  **User Creation:** An administrator user must exist.\n3.  **Capability Check:** Ensure the user has the `cartflows_manage_settings` capability (default for Admins).\n\n## 7. Expected Results\n*   The server returns a JSON success response: `{\"success\":true,\"data\":{\"messsage\":\"Successfully saved data!\"}}`.\n*   If a logging mechanism is attached to `unserialize`, it will trigger.\n*   If an invalid\u002Fmalformed object is sent, PHP might throw a warning (if `WP_DEBUG` is on) indicating an error during the `unserialize()` call.\n\n## 8. Verification Steps (Post-Exploit)\nConfirm the object was injected by checking the option value via WP-CLI:\n```bash\nwp option get _cartflows_facebook --format=yaml\n```\nIf the output shows a PHP object or a serialized string that was interpreted by WordPress, the injection was successful.\n\n## 9. Alternative Approaches\nIf the `integrations` tab is patched or restricted, try the `save_flow_meta_settings` action in `admin-core\u002Fajax\u002Fflows.php`:\n*   **Action:** `cartflows_save_flow_meta_settings`\n*   **Nonce:** `cartflows_save_flow_meta_settings`\n*   **Vulnerable Sink:** `MetaOps::save_meta_fields( $flow_id, $post_meta, ... )`.\n*   **Payload Location:** Any meta field associated with the flow.\n*   **Requirement:** Requires a valid `flow_id` (create one via `wp post create --post_type=cartflows_flow`).","The CartFlows plugin for WordPress is vulnerable to PHP Object Injection in versions up to 2.1.19. This occurs because administrative AJAX handlers, such as those for saving global settings and importing data, process user-supplied input using the insecure maybe_unserialize() function without restricting allowed classes. Authenticated administrators can exploit this to inject arbitrary PHP objects, which could lead to remote code execution or file manipulation if a suitable POP chain is available on the site.","\u002F* admin-core\u002Fajax\u002Fcommon-settings.php line 188 *\u002F\npublic function save_integration_settings() {\n\n\t$new_settings = array();\n\n\tif ( isset( $_POST['_cartflows_facebook'] ) ) { \u002F\u002Fphpcs:ignore\n\t\t$new_settings = $this->sanitize_form_inputs( wp_unslash( $_POST['_cartflows_facebook'] ) ); \u002F\u002Fphpcs:ignore\n\t\tAdminHelper::update_admin_settings_option( '_cartflows_facebook', $new_settings, false );\n\t}\n\n---\n\n\u002F* admin-core\u002Fajax\u002Fimporter.php line 1325 *\u002F\nif ( is_serialized( $meta_value, true ) ) {\n\t$raw_data = maybe_unserialize( stripslashes( $meta_value ) );\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.1.19\u002Fadmin-core\u002Fajax\u002Fimporter.php\t2025-06-26 13:33:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.0\u002Fadmin-core\u002Fajax\u002Fimporter.php\t2026-01-27 08:41:56.000000000 +0000\n@@ -1323,7 +1323,12 @@\n \t\t\tif ( $meta_value ) {\n \n \t\t\t\tif ( is_serialized( $meta_value, true ) ) {\n-\t\t\t\t\t$raw_data = maybe_unserialize( stripslashes( $meta_value ) );\n+\t\t\t\t\t\u002F\u002F Security: Using unserialize with allowed_classes=>false to prevent object injection.\n+\t\t\t\t\t$raw_data = unserialize( stripslashes( $meta_value ), array( 'allowed_classes' => false ) ); \u002F\u002F phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize, PHPCompatibility.FunctionUse.NewFunctionParameters.unserialize_optionsFound\n+\t\t\t\t\t\u002F\u002F Drop malicious payloads completely to prevent fatal errors.\n+\t\t\t\t\tif ( false === $raw_data || is_object( $raw_data ) ) {\n+\t\t\t\t\t\t$raw_data = '';\n+\t\t\t\t\t}\n \t\t\t\t} elseif ( is_array( $meta_value ) ) {\n \t\t\t\t\t$raw_data = json_decode( stripslashes( $meta_value ), true );\n \t\t\t\t} else {","The exploit requires an authenticated user with administrator privileges (or the `cartflows_manage_settings` capability). An attacker first retrieves a security nonce for the `cartflows_save_global_settings` action from the plugin's settings page (localized in the `cartflows_admin` JavaScript object). The attacker then sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` set to `cartflows_save_global_settings` and `setting_tab` set to `integrations`. The payload is delivered via any field within the integrations settings, such as `_cartflows_facebook[facebook_pixel_id]`, containing a serialized PHP object string. When the plugin processes the save request, it passes the unsanitized serialized string to a function that calls `maybe_unserialize()`, resulting in the instantiation of the injected object.","gemini-3-flash-preview","2026-05-04 23:56:29","2026-05-04 23:57:05",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.1.19","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartflows\u002Ftags\u002F2.1.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcartflows.2.1.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartflows\u002Ftags\u002F2.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcartflows.2.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartflows\u002Ftags"]