CVE-2026-39477

CartFlows <= 2.2.3 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 2.2.4
Time to patch: 20d

Description

The CartFlows plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.2.3
Published: March 27, 2026
Last updated: April 15, 2026
Affected plugin: cartflows

What Changed in the Fix

Changes introduced in v2.2.4


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-39477 (CartFlows <= 2.2.3)

Vulnerability Summary

The CartFlows plugin for WordPress is vulnerable to Missing Authorization in multiple AJAX handlers. While some classes like CommonSettings gate the registration of AJAX events behind a capability check, other classes such as Flows, Importer, and Debugger register their AJAX events for all authenticated users without an initial check in register_ajax_events().

The vulnerability exists because specific functions registered in these classes (specifically get_published_flows in Flows.php and get_flows_list in Importer.php) fail to perform an internal capability check (current_user_can) before executing logic. This allows authenticated users with Contributor-level access (who normally cannot access CartFlows settings) to perform unauthorized actions or retrieve sensitive configuration data.

Attack Vector Analysis

  • Vulnerable AJAX Actions:
    • cartflows_get_published_flows (handled by CartflowsAdmin\AdminCore\Ajax\Flows::get_published_flows)
    • cartflows_get_flows_list (handled by CartflowsAdmin\AdminCore\Ajax\Importer::get_flows_list)
  • Endpoint: /wp-admin/admin-ajax.php
  • Authentication: Authenticated (Contributor level or above).
  • Required Parameters:
    • action: `cartflows_get
Research Findings
Static analysis — not yet PoC-verified

Summary

The CartFlows plugin for WordPress fails to perform proper authorization checks in several of its AJAX and REST API handlers. This oversight allows authenticated users with low-level privileges, such as Contributors, to execute administrative actions, retrieve flow data, or access sensitive plugin configurations that should be restricted to administrators.

Vulnerable Code

/* admin-core/ajax/flows.php:77 */
	public function register_ajax_events() {

		$ajax_events = array(
			'update_flow_title',
			'clone_flow',
			'delete_flow',
			'trash_flow',
			'restore_flow',
			'reorder_flow_steps',
			'trash_flows_in_bulk',
			'update_flow_post_status',
			'delete_flows_permanently',
			'save_flow_meta_settings',
			'export_flows_in_bulk',
			'update_status',
			'update_store_checkout_status',
			'hide_instant_checkout_notice',
			'get_published_flows',
		);

		$this->init_ajax_events( $ajax_events );
	}

---

/* admin-core/ajax/importer.php:57 */
	public function register_ajax_events() {

		$ajax_events = array(
			'create_flow',
			'import_flow',
			'create_step',
			'import_step',
			'activate_plugin',
			'activate_theme',
			'sync_library',
			'request_count',
			'import_sites',
			'update_library_complete',
			'export_flow',
			'get_flows_list',
			'import_json_flow',
			'export_all_flows',
			'update_step',
		);

		$this->init_ajax_events( $ajax_events );
	}
---

/* admin-core/api/common-settings.php:123 */
	public function get_items_permissions_check( $request ) {

		if ( ! current_user_can( 'cartflows_manage_flows_steps' ) ) {
			return new \WP_Error( 'cartflows_rest_cannot_view', __( 'Sorry, you cannot list resources.', 'cartflows' ), array( 'status' => rest_authorization_required_code() ) );
		}

		return true;
	}
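The register_ajax_events() methods above register every handler for any authenticated user and rely on each handler to check permissions itself, which is where get_published_flows and get_flows_list fall short. The following is an added example, not CartFlows code, showing the same registration pattern with the two checks each handler needs: a capability gate at registration time (the pattern the findings attribute to CommonSettings) and a capability plus nonce check inside each handler. The class name, the `example_` action prefix, the nonce action names, the `cartflows_flow` post type and the use of `cartflows_manage_flows_steps` as the gating capability are assumptions.

```php
<?php
/**
 * Added example (not CartFlows code): a WordPress AJAX handler class that
 * gates registration AND re-checks authorization inside every handler.
 * Names marked "assumed" are illustrative, not taken from the plugin.
 */

namespace Example\Ajax;

class FlowsAjax {

	/** Capability every handler in this class demands (assumed name). */
	const CAPABILITY = 'cartflows_manage_flows_steps';

	/** Hook the handlers only for users who may act on flows at all. */
	public function register_ajax_events() {
		// First gate: users without the capability never get the hooks
		// registered. This is the check the findings say Flows/Importer lack.
		if ( ! current_user_can( self::CAPABILITY ) ) {
			return;
		}

		foreach ( array( 'get_published_flows', 'delete_flow' ) as $action ) {
			add_action( 'wp_ajax_example_' . $action, array( $this, $action ) );
		}
	}

	/** Handler for action=example_get_published_flows (assumed action name). */
	public function get_published_flows() {
		// Second gate: re-check inside the handler. Registration-time gating
		// alone is fragile; it is bypassed if the class is wired up elsewhere.
		$this->authorize( 'example_get_published_flows' );

		$flow_ids = get_posts(
			array(
				'post_type'      => 'cartflows_flow', // assumed post type
				'post_status'    => 'publish',
				'posts_per_page' => -1,
				'fields'         => 'ids',
			)
		);
		wp_send_json_success( array( 'flows' => $flow_ids ) );
	}

	/** Handler for action=example_delete_flow (assumed action name). */
	public function delete_flow() {
		$this->authorize( 'example_delete_flow' );

		$flow_id = isset( $_POST['flow_id'] ) ? absint( $_POST['flow_id'] ) : 0;
		// Object-level check on top of the plugin capability.
		if ( ! $flow_id || ! current_user_can( 'delete_post', $flow_id ) ) {
			wp_send_json_error( array( 'message' => 'Permission denied.' ), 403 );
		}
		wp_delete_post( $flow_id, true );
		wp_send_json_success();
	}

	/**
	 * Capability check followed by nonce check. wp_send_json_error() ends
	 * the request via wp_die(), so no explicit return is needed after it.
	 */
	private function authorize( $nonce_action ) {
		if ( ! current_user_can( self::CAPABILITY ) ) {
			wp_send_json_error( array( 'message' => 'Permission denied.' ), 403 );
		}
		// Third argument false: report the failure as JSON instead of wp_die(-1).
		if ( ! check_ajax_referer( $nonce_action, 'security', false ) ) {
			wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
		}
	}
}

// admin_init also fires for admin-ajax.php requests, before wp_ajax_* hooks run.
add_action( 'admin_init', function () {
	( new FlowsAjax() )->register_ajax_events();
} );
```

The order inside authorize() matters: the capability check runs first so that a user who should never reach the handler is refused regardless of whether they hold a valid nonce, and the nonce check then protects capable users against cross-site request forgery. A nonce on its own is not an authorization control, which is why the handlers named in the findings still need current_user_can() even if they verify a nonce.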

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cartflows/2.2.3/admin-core/ajax/common-settings.php /home/deploy/wp-safety.org/data/plugin-versions/cartflows/2.2.4/admin-core/ajax/common-settings.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cartflows/2.2.3/admin-core/ajax/common-settings.php	2026-03-10 12:06:18.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cartflows/2.2.4/admin-core/ajax/common-settings.php	2026-03-25 12:40:46.000000000 +0000
@@ -522,6 +536,10 @@
 	 * @return void
 	 */
 	public function track_kb_search() {
+		if ( ! current_user_can( 'cartflows_manage_settings' ) ) {
+			wp_send_json_error( array( 'message' => $this->get_error_msg( 'permission' ) ) );
+		}
+
 		/**
 		 * Nonce verification
 		 */
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cartflows/2.2.3/admin-core/api/common-settings.php /home/deploy/wp-safety.org/data/plugin-versions/cartflows/2.2.4/admin-core/api/common-settings.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cartflows/2.2.3/admin-core/api/common-settings.php	2026-02-24 08:54:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cartflows/2.2.4/admin-core/api/common-settings.php	2026-03-25 12:40:46.000000000 +0000
@@ -125,7 +125,8 @@
 	 */
 	public function get_items_permissions_check( $request ) {
 
-		if ( ! current_user_can( 'cartflows_manage_flows_steps' ) ) {
+		// Security: Settings endpoint requires cartflows_manage_settings to prevent sensitive data exposure.
+		if ( ! current_user_can( 'cartflows_manage_settings' ) ) {
 			return new \WP_Error( 'cartflows_rest_cannot_view', __( 'Sorry, you cannot list resources.', 'cartflows' ), array( 'status' => rest_authorization_required_code() ) );
 		}
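Review bot: raising the required capability from `cartflows_manage_flows_steps` to `cartflows_manage_settings` is a behaviour change for any role that holds only the former, and the hunk records it only in an inline comment; the 2.2.4 changelog should state it explicitly. The unchanged error code `cartflows_rest_cannot_view` and message still fit the new check. It is also worth confirming that any update-side permission callback the same controller defines demands at least this capability, so the read path is not stricter than the write path.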

Exploit Outline

To exploit this vulnerability, an attacker must first obtain a session for an authenticated user with at least Contributor-level privileges. The attacker then targets either the WordPress AJAX endpoint or the plugin's REST API. For AJAX attacks, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to vulnerable handlers like `cartflows_get_published_flows` or `cartflows_get_flows_list`. Because version 2.2.3 fails to restrict registration or execution of these actions to users with administrative capabilities, the server processes the request and returns sensitive funnel lists or executes logic. For REST API attacks, the attacker requests the endpoint `/wp-json/cartflows/v1/admin/commonsettings/`. Since the permission callback incorrectly checked for the lower-tier `cartflows_manage_flows_steps` capability (often granted to editors or custom roles) rather than `cartflows_manage_settings`, the plugin exposes global configuration options, including integration keys and internal settings, to unauthorized authenticated users.
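For sites that cannot update immediately, the two AJAX actions and the REST route named in this outline can be guarded from a must-use plugin until 2.2.4 is deployed. The following is an added example, not CartFlows code: it hooks each named `wp_ajax_` action at priority 0, ahead of the plugin's own handler, and short-circuits the REST route through `rest_pre_dispatch`, logging each denial so the attempts are visible. The file name, the log format, and the choice of `cartflows_manage_flows_steps` as the capability for the two flow-listing actions are assumptions; `cartflows_manage_settings` for the settings route is the capability the 2.2.4 fix uses.

```php
<?php
/**
 * Plugin Name: Example CartFlows guard (added example, not CartFlows code)
 * Description: Stop-gap for CVE-2026-39477 until CartFlows 2.2.4 is installed.
 *              Place in wp-content/mu-plugins/ (file name assumed).
 */

// AJAX actions named on the page, mapped to the capability demanded (assumed).
const EXAMPLE_GUARDED_AJAX = array(
	'cartflows_get_published_flows' => 'cartflows_manage_flows_steps',
	'cartflows_get_flows_list'      => 'cartflows_manage_flows_steps',
);

// REST route prefix named on the page, mapped to the capability the fix uses.
const EXAMPLE_GUARDED_REST = array(
	'/cartflows/v1/admin/commonsettings' => 'cartflows_manage_settings',
);

/** Log a denial so blocked attempts are visible in the PHP error log. */
function example_cartflows_guard_log( $what ) {
	error_log( sprintf(
		'cartflows-guard: denied %s for user %d from %s',
		$what,
		get_current_user_id(),
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
	) );
}

foreach ( EXAMPLE_GUARDED_AJAX as $action => $cap ) {
	// Priority 0 runs before the plugin's handler (registered at default 10).
	add_action( 'wp_ajax_' . $action, function () use ( $action, $cap ) {
		if ( ! current_user_can( $cap ) ) {
			example_cartflows_guard_log( $action );
			// wp_send_json_error() ends the request via wp_die().
			wp_send_json_error( array( 'message' => 'Permission denied.' ), 403 );
		}
	}, 0 );
}

// Returning a non-empty value from rest_pre_dispatch replaces the normal dispatch.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	$route = $request->get_route();
	foreach ( EXAMPLE_GUARDED_REST as $prefix => $cap ) {
		if ( 0 === strpos( $route, $prefix ) && ! current_user_can( $cap ) ) {
			example_cartflows_guard_log( $route );
			return new WP_Error(
				'rest_forbidden',
				'Permission denied.',
				array( 'status' => rest_authorization_required_code() )
			);
		}
	}
	return $result; // null: let the request proceed normally.
}, 10, 3 );
```

The guard is deliberately limited to the handlers and route this page identifies; it is not a substitute for the 2.2.4 update, which may contain further changes not shown in the diff above. Remove the mu-plugin once the update is applied, and review the logged denials for accounts that should not have been calling these endpoints.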
