[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9w-7QGiIxZTyutc_DiIbaQILaEhsuOUOf4oh4wkFR5E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-39477","cartflows-missing-authorization","CartFlows \u003C= 2.2.3 - Missing Authorization","The CartFlows plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.3. 
This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","cartflows",null,"\u003C=2.2.3","2.2.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-27 00:00:00","2026-04-15 21:23:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb6d84682-6966-47fd-a04c-7f4c5b914fc6?source=api-prod",20,[22,23,24,25,26,27,28],"CLAUDE.md","admin-core\u002Fajax\u002Fcommon-settings.php","admin-core\u002Fajax\u002Fdebugger.php","admin-core\u002Fajax\u002Fflows.php","admin-core\u002Fajax\u002Fimporter.php","admin-core\u002Fapi\u002Fcommon-settings.php","admin-core\u002Fapi\u002Fflow-data.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-39477 (CartFlows \u003C= 2.2.3)\n\n## Vulnerability Summary\nThe CartFlows plugin for WordPress is vulnerable to **Missing Authorization** in multiple AJAX handlers. While some classes like `CommonSettings` gate the registration of AJAX events behind a capability check, other classes such as `Flows`, `Importer`, and `Debugger` register their AJAX events for all authenticated users without an initial check in `register_ajax_events()`.\n\nThe vulnerability exists because specific functions registered in these classes (specifically `get_published_flows` in `Flows.php` and `get_flows_list` in `Importer.php`) fail to perform an internal capability check (`current_user_can`) before executing logic. 
This allows authenticated users with Contributor-level access (who normally cannot access CartFlows settings) to perform unauthorized actions or retrieve sensitive configuration data.\n\n## Attack Vector Analysis\n- **Vulnerable AJAX Actions:** \n    - `cartflows_get_published_flows` (handled by `CartflowsAdmin\\AdminCore\\Ajax\\Flows::get_published_flows`)\n    - `cartflows_get_flows_list` (handled by `CartflowsAdmin\\AdminCore\\Ajax\\Importer::get_flows_list`)\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Authentication:** Authenticated (Contributor level or above).\n- **Required Parameters:**\n    - `action`: `cartflows_get","The CartFlows plugin for WordPress fails to perform proper authorization checks in several of its AJAX and REST API handlers. This oversight allows authenticated users with low-level privileges, such as Contributors, to execute administrative actions, retrieve flow data, or access sensitive plugin configurations that should be restricted to administrators.","\u002F* admin-core\u002Fajax\u002Fflows.php:77 *\u002F\n\tpublic function register_ajax_events() {\n\n\t\t$ajax_events = array(\n\t\t\t'update_flow_title',\n\t\t\t'clone_flow',\n\t\t\t'delete_flow',\n\t\t\t'trash_flow',\n\t\t\t'restore_flow',\n\t\t\t'reorder_flow_steps',\n\t\t\t'trash_flows_in_bulk',\n\t\t\t'update_flow_post_status',\n\t\t\t'delete_flows_permanently',\n\t\t\t'save_flow_meta_settings',\n\t\t\t'export_flows_in_bulk',\n\t\t\t'update_status',\n\t\t\t'update_store_checkout_status',\n\t\t\t'hide_instant_checkout_notice',\n\t\t\t'get_published_flows',\n\t\t);\n\n\t\t$this->init_ajax_events( $ajax_events );\n\t}\n\n---\n\n\u002F* admin-core\u002Fajax\u002Fimporter.php:57 *\u002F\n\tpublic function register_ajax_events() {\n\n\t\t$ajax_events = 
array(\n\t\t\t'create_flow',\n\t\t\t'import_flow',\n\t\t\t'create_step',\n\t\t\t'import_step',\n\t\t\t'activate_plugin',\n\t\t\t'activate_theme',\n\t\t\t'sync_library',\n\t\t\t'request_count',\n\t\t\t'import_sites',\n\t\t\t'update_library_complete',\n\t\t\t'export_flow',\n\t\t\t'get_flows_list',\n\t\t\t'import_json_flow',\n\t\t\t'export_all_flows',\n\t\t\t'update_step',\n\t\t);\n\n\t\t$this->init_ajax_events( $ajax_events );\n\n---\n\n\u002F* admin-core\u002Fapi\u002Fcommon-settings.php:123 *\u002F\n\tpublic function get_items_permissions_check( $request ) {\n\n\t\tif ( ! current_user_can( 'cartflows_manage_flows_steps' ) ) {\n\t\t\treturn new \\WP_Error( 'cartflows_rest_cannot_view', __( 'Sorry, you cannot list resources.', 'cartflows' ), array( 'status' => rest_authorization_required_code() ) );\n\t\t}\n\n\t\treturn true;\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.3\u002Fadmin-core\u002Fajax\u002Fcommon-settings.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.4\u002Fadmin-core\u002Fajax\u002Fcommon-settings.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.3\u002Fadmin-core\u002Fajax\u002Fcommon-settings.php\t2026-03-10 12:06:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.4\u002Fadmin-core\u002Fajax\u002Fcommon-settings.php\t2026-03-25 12:40:46.000000000 +0000\n@@ -522,6 +536,10 @@\n \t * @return void\n \t *\u002F\n \tpublic function track_kb_search() {\n+\t\tif ( ! 
current_user_can( 'cartflows_manage_settings' ) ) {\n+\t\t\twp_send_json_error( array( 'message' => $this->get_error_msg( 'permission' ) ) );\n+\t\t}\n+\n \t\t\u002F**\n \t\t * Nonce verification\n \t\t *\u002F\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.3\u002Fadmin-core\u002Fapi\u002Fcommon-settings.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.4\u002Fadmin-core\u002Fapi\u002Fcommon-settings.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.3\u002Fadmin-core\u002Fapi\u002Fcommon-settings.php\t2026-02-24 08:54:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcartflows\u002F2.2.4\u002Fadmin-core\u002Fapi\u002Fcommon-settings.php\t2026-03-25 12:40:46.000000000 +0000\n@@ -125,7 +125,8 @@\n \t *\u002F\n \tpublic function get_items_permissions_check( $request ) {\n \n-\t\tif ( ! current_user_can( 'cartflows_manage_flows_steps' ) ) {\n+\t\t\u002F\u002F Security: Settings endpoint requires cartflows_manage_settings to prevent sensitive data exposure.\n+\t\tif ( ! current_user_can( 'cartflows_manage_settings' ) ) {\n \t\t\treturn new \\WP_Error( 'cartflows_rest_cannot_view', __( 'Sorry, you cannot list resources.', 'cartflows' ), array( 'status' => rest_authorization_required_code() ) );\n \t\t}","To exploit this vulnerability, an attacker must first obtain a session for an authenticated user with at least Contributor-level privileges. The attacker then targets either the WordPress AJAX endpoint or the plugin's REST API. \n\nFor AJAX attacks, the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to vulnerable handlers like `cartflows_get_published_flows` or `cartflows_get_flows_list`. 
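Review bot: in the track_kb_search() hunk the new cartflows_manage_settings check is placed before the nonce verification visible in the context lines; since wp_send_json_error() terminates the request, unprivileged callers never reach the nonce check, which is the correct order. What is missing from this excerpt is any hunk for get_published_flows (flows.php) or get_flows_list (importer.php), the two handlers the research plan names as the exposed ones, even though patch_diff_files lists both files as changed; the page should show, or at least state, that those handlers received an equivalent current_user_can() guard, otherwise the displayed fix does not cover the reported vulnerability.

Review bot: in the get_items_permissions_check() hunk only the read permission callback is raised to cartflows_manage_settings; if the same controller registers a write route with its own permission callback (not visible here), it should be checked for the same mismatch, since a settings write gated by cartflows_manage_flows_steps would be the more serious bug. The added comment would also be more useful if it named which option values the endpoint returns, so the "sensitive data exposure" rationale can be verified from the code.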
Because version 2.2.3 neither gates the registration of these actions behind a capability check nor checks one inside the handlers themselves, the server processes the request and returns the flow (funnel) list to any logged-in user, Contributor included.\n\nFor the REST API, the attacker requests `\u002Fwp-json\u002Fcartflows\u002Fv1\u002Fadmin\u002Fcommonsettings\u002F`. The permission callback in 2.2.3 checked `cartflows_manage_flows_steps`, the capability for working with flows and steps, instead of `cartflows_manage_settings`; 2.2.4 tightens it to the latter and the accompanying code comment describes the old check as a sensitive data exposure. Any authenticated user holding `cartflows_manage_flows_steps` could therefore read the plugin's global settings; which option values that response contains is not shown in the excerpt above. Note that the published CVSS vector (C:N\u002FI:L) rates only an integrity impact, so the information-disclosure reading of this bug goes beyond the advisory's own scoring.","gemini-3-flash-preview","2026-04-17 22:38:44","2026-04-17 22:39:49",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.2.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartflows\u002Ftags\u002F2.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcartflows.2.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartflows\u002Ftags\u002F2.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcartflows.2.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcartflows\u002Ftags"]
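The two patterns this page describes, an AJAX handler reachable by every logged-in user and a REST permission callback that asks for the wrong capability, are shown below next to their hardened forms. This is an added illustration, not CartFlows code: the namespace, class, capability names, nonce action, post type and option name are all hypothetical, and the `init_ajax_events()` helper here is a stand-in for whatever the plugin's own helper does.

```php
<?php
// Added example (not CartFlows code). All names below are hypothetical.
namespace ExampleAdmin\Ajax;

class Flows {

	// Stand-in for the plugin's own helper: hook each action as wp_ajax_example_{action}.
	private function init_ajax_events( array $ajax_events ): void {
		foreach ( $ajax_events as $event ) {
			add_action( 'wp_ajax_example_' . $event, array( $this, $event ) );
		}
	}

	// Expected to run from admin_init (fired by admin-ajax.php), so the current user is known.
	public function register_ajax_events(): void {
		// Gate 1: do not register the handlers at all for users who lack the capability.
		// With this block missing, every authenticated user (Contributor and up) can call them.
		if ( ! current_user_can( 'example_manage_flows' ) ) {
			return;
		}
		$this->init_ajax_events( array( 'get_published_flows' ) );
	}

	// VULNERABLE form: returns data with neither a capability check nor a nonce check.
	public function get_published_flows_vulnerable(): void {
		wp_send_json_success( $this->list_flows() );
	}

	// HARDENED form. wp_send_json_error() ends the request, so the nonce check is only
	// reached by users who hold the capability; the nonce then stops CSRF from those users.
	public function get_published_flows(): void {
		if ( ! current_user_can( 'example_manage_flows' ) ) {
			wp_send_json_error( array( 'message' => 'You do not have permission to do this.' ), 403 );
		}
		check_ajax_referer( 'example_get_published_flows', 'security' );
		wp_send_json_success( $this->list_flows() );
	}

	private function list_flows(): array {
		$posts = get_posts( array(
			'post_type'   => 'example_flow',
			'post_status' => 'publish',
			'numberposts' => -1,
		) );
		return array_map(
			fn( $p ) => array( 'id' => $p->ID, 'title' => $p->post_title ),
			$posts
		);
	}
}

// REST side: the permission callback must demand the capability that matches what the
// route returns. A read-only settings route guarded by a flow-editing capability is the
// second mismatch the 2.2.4 diff corrects.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/admin/commonsettings', array(
		'methods'             => \WP_REST_Server::READABLE,
		'callback'            => function ( \WP_REST_Request $request ) {
			return rest_ensure_response( get_option( 'example_settings', array() ) );
		},
		'permission_callback' => function ( \WP_REST_Request $request ) {
			// Wrong: current_user_can( 'example_manage_flows' ) lets flow editors read settings.
			if ( ! current_user_can( 'example_manage_settings' ) ) {
				return new \WP_Error(
					'example_rest_cannot_view',
					'Sorry, you cannot list resources.',
					array( 'status' => rest_authorization_required_code() )
				);
			}
			return true;
		},
	) );
} );
```

Registration-time gating alone is not enough, because `register_ajax_events()` may be called from a hook where the user is not yet resolved, or the handler method may be reachable through another path; the per-handler `current_user_can()` check is the one that must never be omitted, and the capability it names should be the one that matches the data or action the handler exposes.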