CVE-2026-42725

Checkout Files Upload for WooCommerce <= 2.2.5 - Unauthenticated Insecure Direct Object Reference

mediumAuthorization Bypass Through User-Controlled Key
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.2.6
Patched in
8d
Time to patch

Description

The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2.5
PublishedMay 12, 2026
Last updatedMay 19, 2026

What Changed in the Fix

Changes introduced in v2.2.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2026-42725 - Checkout Files Upload for WooCommerce IDOR ## 1. Vulnerability Summary The **Checkout Files Upload for WooCommerce** plugin (up to 2.2.5) is vulnerable to an **Unauthenticated Insecure Direct Object Reference (IDOR)**. The vulnerability exists because the AJAX hand…

Show full research plan

Research Plan: CVE-2026-42725 - Checkout Files Upload for WooCommerce IDOR

1. Vulnerability Summary

The Checkout Files Upload for WooCommerce plugin (up to 2.2.5) is vulnerable to an Unauthenticated Insecure Direct Object Reference (IDOR). The vulnerability exists because the AJAX handler responsible for deleting uploaded files (alg_ajax_file_delete) fails to verify if the requester has permission to modify the specified order or if the order belongs to their session. While a nonce check was added in version 2.1.4, it only ensures the request is "valid" in a generic sense; it does not perform a capability check or ownership validation. This allows an unauthenticated attacker to delete files attached to any WooCommerce order by simply providing the target order_id.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: alg_ajax_file_delete (registered via wp_ajax_nopriv_alg_ajax_file_delete)
  • Vulnerable Parameter: order_id
  • Authentication: Unauthenticated (leveraging the nopriv hook)
  • Preconditions:
    1. The plugin must be enabled (alg_wc_checkout_files_upload_enabled option).
    2. An order exists with an attached file uploaded via the plugin.
    3. The attacker must obtain a valid AJAX nonce (available on any page where the uploader is rendered).

3. Code Flow

  1. Entry Point: The plugin registers AJAX handlers in includes/class-alg-wc-checkout-files-upload.php:
    add_action( 'wp_ajax_'        . 'alg_ajax_file_delete',    array( $this, 'alg_ajax_file_delete' ) );
    add_action( 'wp_ajax_nopriv_' . 'alg_ajax_file_delete',    array( $this, 'alg_ajax_file_delete' ) );
    
  2. Execution: When admin-ajax.php is called with action=alg_ajax_file_delete, the method Alg_WC_Checkout_Files_Upload_Main::alg_ajax_file_delete() is executed.
  3. Missing Validation: In versions <= 2.2.5, the function typically:
    • Retrieves order_id and file_num from $_POST.
    • Verifies a nonce using check_ajax_referer.
    • Sink: It proceeds to delete the file or the metadata associated with the file for the given order_id without checking if the current user is the owner of the order or has manage_woocommerce capabilities.
  4. Patch Difference: The version 2.2.6 patch introduces a capability check (e.g., current_user_can) or a session-based validation before processing the deletion.

4. Nonce Acquisition Strategy

The AJAX nonce is required for the request to pass check_ajax_referer. This nonce is localized for the frontend scripts.

  1. Identify the Script: The plugin enqueues frontend scripts in Alg_WC_Checkout_Files_Upload_Main::enqueue_scripts.
  2. Create a Trigger Page: The uploader must be visible to trigger the script localization. Use a shortcode on a public page:
    • wp post create --post_type=page --post_title="Upload" --post_status=publish --post_content='[wpwham_checkout_files_uploader]'
  3. Extract Nonce:
    • Navigate to the newly created page.
    • Use browser_eval to extract the nonce from the localized JS object.
    • Localization Key (inferred): alg_wc_checkout_files_upload or wpwham_checkout_files_upload.
    • Nonce Key (inferred): ajax_nonce or nonce.
    • Command: browser_eval("window.alg_wc_checkout_files_upload?.ajax_nonce")

5. Exploitation Strategy

Step 1: Target Identification

Determine the order_id of the victim order and the file_num (usually starting at 1) of the attachment to be deleted.

Step 2: Request Construction

Perform an unauthenticated POST request to the AJAX endpoint.

HTTP Request:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=alg_ajax_file_delete&order_id=[VICTIM_ORDER_ID]&file_num=1&nonce=[EXTRACTED_NONCE]
    

Step 3: Execution

Use the http_request tool to send the payload.

6. Test Data Setup

  1. Enable Plugin:
    • wp option update alg_wc_checkout_files_upload_enabled yes
  2. Create Victim Order:
    • Create a WooCommerce order: wp wc shop_order create --customer_id=0 --status=processing --user=admin (Note the returned ID).
  3. Simulate File Upload:
    • The plugin stores file info in post meta. Simulate an upload for the victim order:
    • wp post meta update [ORDER_ID] _alg_checkout_files_upload_1 '{"file_name":"secret_blueprint.pdf","file_path":"/path/to/upload"}'
  4. Setup Nonce Page:
    • wp post create --post_type=page --post_status=publish --post_content='[wpwham_checkout_files_uploader]'

7. Expected Results

  • Success: The server returns a success response (likely JSON {"success": true} or a specific success string).
  • Impact: The metadata _alg_checkout_files_upload_1 is removed from the victim order, or the associated file is deleted from the server, effectively removing the customer's uploaded content from the order.

8. Verification Steps

  1. Database Check: Verify the post meta no longer exists for the victim order:
    • wp post meta get [ORDER_ID] _alg_checkout_files_upload_1
    • Expected output: Error/Empty (meta does not exist).
  2. UI Check: Navigate to the WooCommerce Order Edit page in the admin dashboard and confirm the "Checkout Files Upload" metabox no longer lists the file.

9. Alternative Approaches

If the order_id is protected by an order_key (WooCommerce's guest access mechanism), attempt to find endpoints where the order_key is not checked. If alg_ajax_file_delete requires an order_key, the vulnerability may shift to a lack of order_key validation, allowing the same IDOR if the key can be omitted or bypassed. However, the CVSS and description suggest a direct missing authorization check on the ID.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.