[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPHcYF500pKx2K-DvvyS8DuoycPGwpguO6CrF_A7kRBc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-25396","coinbase-commerce-crypto-gateway-for-woocommerce-missing-authorization","Coinbase Commerce – Crypto Gateway for WooCommerce \u003C= 1.6.6 - Missing Authorization","The Coinbase Commerce – Crypto Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","commerce-coinbase-for-woocommerce",null,"\u003C=1.6.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-23 00:00:00","2026-03-26 20:27:28",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6dadad7d-0ea9-4ac0-8d22-0acaa3fb5881?source=api-prod",[],"researched",false,3,"This research plan targets **CVE-2026-25396**, a missing authorization vulnerability in the Coinbase Commerce plugin for WooCommerce. 
Since source code is not provided, this plan focuses on identifying the specific vulnerable AJAX or `init` handler and exploiting it to perform unauthorized configuration changes.\n\n---\n\n### 1. Vulnerability Summary\nThe **Coinbase Commerce – Crypto Gateway for WooCommerce** plugin (\u003C= 1.6.6) fails to implement proper capability checks (e.g., `current_user_can('manage_options')`) on at least one function exposed via WordPress hooks. This allows unauthenticated attackers (AV:N\u002FAC:L\u002FPR:N) to trigger internal plugin logic. Given the CVSS of 5.3 (Medium), the \"unauthorized action\" likely involves modifying plugin settings, resetting connection states, or manipulating non-critical metadata.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (most likely) or `\u002Fwp-admin\u002Fadmin-post.php`.\n*   **Vulnerable Action:** Likely a `wp_ajax_nopriv_*` handler or a function hooked to `admin_init` that lacks a `current_user_can` check.\n*   **Action Names (Inferred):**\n    *   `coinbase_commerce_save_settings`\n    *   `commerce_coinbase_update_api_key`\n    *   `coinbase_commerce_disconnect`\n    *   `coinbase_commerce_verify_api_key`\n*   **Payload:** A POST request containing a malicious `action` parameter and configuration values (e.g., `api_key`, `shared_secret`).\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers an action:\n    `add_action('wp_ajax_nopriv_ACTION_NAME', 'handler_function');`\n2.  **Execution:** When `admin-ajax.php` is called with `action=ACTION_NAME`, WordPress executes `handler_function`.\n3.  **Vulnerability:** `handler_function` performs a sensitive operation (like `update_option`) without:\n    *   Verifying the user has `manage_woocommerce` or `manage_options` capabilities.\n    *   Verifying a valid CSRF nonce.\n4.  **Sink:** The input reaches `update_option('woocommerce_commerce-coinbase_settings', ...)` or similar.\n\n### 4. 
Nonce Acquisition Strategy\nIf the vulnerable handler requires a nonce (even if it misses the capability check), follow this protocol:\n\n1.  **Identify Script Localization:** The plugin likely localizes a nonce via `wp_localize_script`.\n2.  **Locate Triggering Page:** Coinbase settings usually appear in **WooCommerce > Settings > Payments > Coinbase Commerce**. However, if the nonce is intended for unauthenticated use (a `nopriv` action), it may appear on the checkout page or a specific product page.\n3.  **Shortcode Discovery:** Grep the plugin source for registered shortcodes (`wp eval` executes PHP, not shell commands, so plain `grep` is used here):\n    `grep -rn \"add_shortcode\" wp-content\u002Fplugins\u002Fcommerce-coinbase-for-woocommerce\u002F`\n4.  **Create Test Page:**\n    `wp post create --post_type=page --post_status=publish --post_title=\"Coinbase Test\" --post_content=\"[coinbase_shortcode_found]\"`\n5.  **Extract via Browser:**\n    *   `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fcoinbase-test\")`\n    *   `browser_eval(\"window.coinbase_commerce_params?.nonce || window.coinbase_ajax?.nonce\")` (Inferred JS keys).\n\n### 5. Exploitation Strategy\nThe goal is to update the plugin's API key to point to an attacker-controlled Coinbase Commerce account, redirecting payments.\n\n**Step 1: Discover Vulnerable Action**\nThe agent must first identify the vulnerable action name by inspecting the plugin source:\n`grep -rn \"wp_ajax_nopriv\\|admin_post_nopriv\" wp-content\u002Fplugins\u002Fcommerce-coinbase-for-woocommerce\u002F`\n\n**Step 2: Construct the Request**\nOnce the action and parameters are identified (e.g., `action=coinbase_save_api` and parameter `api_key`):\n\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=IDENTIFIED_ACTION&api_key=ATTACKER_KEY&nonce=EXTRACTED_NONCE\n    ```\n\n### 6. Test Data Setup\n1.  
**Install WooCommerce:** The plugin requires WooCommerce to be active.\n2.  **Configure Gateway:** Enable \"Coinbase Commerce\" in WooCommerce payment settings.\n3.  **API Key Initial State:** Set a dummy API key (e.g., `ORIGINAL_KEY_12345`) via the UI or WP-CLI (the option name follows the WooCommerce `woocommerce_{gateway_id}_settings` convention and is inferred here):\n    `wp option update woocommerce_commerce-coinbase_settings '{\"api_key\":\"ORIGINAL_KEY_12345\"}' --format=json`\n\n### 7. Expected Results\n*   **HTTP Response:** A `200 OK` response, potentially returning `{\"success\": true}` or `1`. A body of `0` with HTTP `400` means no handler is registered under that action name for the current authentication state; a `200` whose body ends in `0` means a handler ran but did not terminate with `wp_die()` or `wp_send_json_*()`.\n*   **State Change:** The database option containing the API key is overwritten with the attacker's value.\n\n### 8. Verification Steps\nAfter sending the exploit request, verify via `wp-cli`:\n```bash\n# Check if the API key in the options table has changed\nwp option get woocommerce_commerce-coinbase_settings --format=json\n```\nIf the `api_key` value matches `ATTACKER_KEY`, the exploitation is successful.\n\n### 9. Alternative Approaches\nIf no `wp_ajax_nopriv` actions are found, check for:\n1.  **`admin_init` hooks:**\n    `grep -rn \"add_action.*admin_init\" wp-content\u002Fplugins\u002Fcommerce-coinbase-for-woocommerce\u002F`\n    Verify whether these handlers check `current_user_can`. `admin_init` fires for any request to `\u002Fwp-admin\u002Fadmin-ajax.php` or `\u002Fwp-admin\u002Fadmin-post.php`, including unauthenticated ones, so a handler hooked there must gate itself.\n2.  **Direct Setting Updates:**\n    Check whether `register_setting` is called with `show_in_rest` (which exposes the option through `\u002Fwp\u002Fv2\u002Fsettings`, gated on `manage_options`) and a weak or missing `sanitize_callback`, and whether any `register_rest_route` call omits `permission_callback` or sets it to `__return_true`.\n3.  **Webhook Handler:**\n    Check whether the webhook handler (inferred endpoint: `\u002Fwc-api\u002Fcoinbase_commerce\u002F`) can be used to manipulate order statuses without a valid Coinbase signature. Coinbase Commerce signs the raw webhook body with HMAC-SHA256 under the endpoint's shared secret and sends the hex digest in the `X-CC-Webhook-Signature` header; a handler that changes order state before verifying it is exploitable regardless of this CVE.","The Coinbase Commerce – Crypto Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized access in versions up to 1.6.6 due to missing capability checks on functions hooked to administrative initialization or AJAX handlers. 
This allows unauthenticated attackers to modify plugin settings, such as the API key, potentially redirecting customer payments to an attacker-controlled account.","The exploit targets administrative handlers (likely hooked to admin_init or wp_ajax_nopriv) that perform sensitive operations without checking user permissions or verifying nonces. An attacker sends an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php or a similar admin endpoint containing parameters to update the 'woocommerce_commerce-coinbase_settings' option. By providing a malicious 'api_key', the attacker can intercept future cryptocurrency payments made through the store.","gemini-3-flash-preview","2026-04-17 23:56:27","2026-04-17 23:56:47",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcommerce-coinbase-for-woocommerce\u002Ftags"]
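The handler shape the research plan infers in sections 3 and 9 (an action reachable without authentication that calls `update_option`), side by side with the hardened form a reviewer would expect, plus the webhook signature check from section 9.3. This is an added example, not code from the plugin or from the page's research output: the action name `coinbase_save_api`, the option key `woocommerce_commerce-coinbase_settings`, the `coinbase_reconnect` form field, and the `manage_woocommerce` capability are assumptions carried over from the plan, and the real 1.6.6 handler was not examined here.

```php
<?php
// Added example, not the plugin's code. Action name, option key, form field
// and capability are assumptions taken from the research plan above.

// --- Pattern the plan infers as vulnerable ---------------------------------
// Registered for unauthenticated callers, and the callback writes an option
// with neither a capability check nor a nonce check.
add_action( 'wp_ajax_nopriv_coinbase_save_api', 'cc_example_save_api_vulnerable' );
add_action( 'wp_ajax_coinbase_save_api',        'cc_example_save_api_vulnerable' );

function cc_example_save_api_vulnerable() {
    $settings            = (array) get_option( 'woocommerce_commerce-coinbase_settings', array() );
    $settings['api_key'] = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'woocommerce_commerce-coinbase_settings', $settings );
    wp_send_json_success(); // sanitization alone does not make this safe
}

// --- Hardened form ----------------------------------------------------------
// 1. Only the logged-in hook: an admin-only operation does not belong on
//    wp_ajax_nopriv_*.
// 2. The nonce (CSRF) and the capability check (authorization) are separate
//    controls; a valid nonce does not prove the caller may change settings.
add_action( 'wp_ajax_coinbase_save_api', 'cc_example_save_api_hardened' );

function cc_example_save_api_hardened() {
    check_ajax_referer( 'coinbase_save_api', 'nonce' ); // dies with -1 on failure

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    if ( '' === $api_key ) {
        wp_send_json_error( 'api_key required', 400 );
    }

    $settings            = (array) get_option( 'woocommerce_commerce-coinbase_settings', array() );
    $settings['api_key'] = $api_key;
    update_option( 'woocommerce_commerce-coinbase_settings', $settings );
    wp_send_json_success();
}

// --- admin_init (section 9.1) -----------------------------------------------
// admin_init fires on admin-ajax.php and admin-post.php for unauthenticated
// requests too, so anything hooked there has to gate itself.
add_action( 'admin_init', function () {
    if ( ! isset( $_POST['coinbase_reconnect'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'coinbase_reconnect' ); // dies on a bad or missing nonce
    // ... privileged reconnect work ...
} );

// --- Webhook (section 9.3) --------------------------------------------------
// Coinbase Commerce signs the raw webhook body with HMAC-SHA256 under the
// endpoint's shared secret and sends the hex digest in X-CC-Webhook-Signature.
// Verify before touching order state; hash_equals avoids a timing side channel.
function cc_example_webhook_signature_valid( $raw_body, $header_signature, $shared_secret ) {
    if ( ! is_string( $header_signature ) || '' === $shared_secret ) {
        return false;
    }
    $expected = hash_hmac( 'sha256', $raw_body, $shared_secret );
    return hash_equals( $expected, strtolower( trim( $header_signature ) ) );
}
```

The two save handlers write the same option; the only difference is the three lines of gating, which is exactly what a fix for a "missing authorization" finding usually consists of. When triaging the real plugin, diff the patched release against 1.6.6 and look for `current_user_can`, `check_ajax_referer` and removed `wp_ajax_nopriv_` registrations rather than for changes to the sink.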