COMPE <= 1.1.4 - Unauthenticated Insecure Direct Object Reference
Description
The COMPE – WooCommerce Compare Products plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.1.4This research plan outlines the process for investigating and demonstrating the Insecure Direct Object Reference (IDOR) vulnerability in the **COMPE – WooCommerce Compare Products** plugin (CVE-2026-40737). ## 1. Vulnerability Summary The **COMPE – WooCommerce Compare Products** plugin (versions <=…
Show full research plan
This research plan outlines the process for investigating and demonstrating the Insecure Direct Object Reference (IDOR) vulnerability in the COMPE – WooCommerce Compare Products plugin (CVE-2026-40737).
1. Vulnerability Summary
The COMPE – WooCommerce Compare Products plugin (versions <= 1.1.4) contains an Insecure Direct Object Reference (IDOR) vulnerability. The plugin registers AJAX handlers for managing product comparison lists. These handlers fail to validate that the product or comparison list being modified/deleted belongs to the requester. Consequently, an unauthenticated attacker can manipulate data (e.g., clearing lists or removing items) belonging to other users by providing a different identifier (e.g., a product_id or list_id) in the request.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php - AJAX Actions (Inferred):
compe_remove_productcompe_clear_all_products
- Vulnerable Parameters: The parameters used to identify the object to be removed or cleared (e.g.,
id,product_id,list_key). - Authentication: Unauthenticated (via
wp_ajax_nopriv_*hooks). - Preconditions: WooCommerce must be active. At least one comparison list or item must exist in the database (or session) for another user to act as a target.
3. Code Flow (Inferred)
- Entry Point: The plugin registers unauthenticated AJAX hooks in the main class or an AJAX handler class:
add_action( 'wp_ajax_nopriv_compe_remove_product', array( $this, 'remove_product' ) ); - Handler Function: The function (e.g.,
remove_product) retrieves the object identifier from$_POST['id']or$_POST['product_id']. - Missing Authorization: The code proceeds to delete the record from the database (likely using
$wpdb->deleteor removing from a meta-field/session) using only the provided ID without verifying if the ID is associated with the current requester's session or cookie. - Sink: The database is modified, resulting in unauthorized data deletion.
4. Nonce Acquisition Strategy
The plugin likely uses wp_localize_script to pass a security nonce to the frontend.
- Identify Shortcode: Look for the comparison list shortcode (inferred:
[compe_compare]) or check where the "Compare" button is rendered on product pages. - Setup Page: Create a public page containing the comparison functionality:
wp post create --post_type=page --post_status=publish --post_title="Compare" --post_content="[compe_compare]" - Extract Nonce:
- Use
browser_navigateto visit the newly created page. - Use
browser_evalto find the localized JavaScript object. Look forcompe_vars,compe_obj, or similar. - Execution:
browser_eval("window.compe_vars?.nonce")(Verify the exact variable name in the page source).
- Use
5. Exploitation Strategy
The goal is to perform an unauthorized "remove" or "clear" action on behalf of another (simulated) user.
- Step 1: Discover Target ID. Identify a product ID or list identifier currently in use by a "victim" user.
- Step 2: Obtain Nonce. Use the strategy in Section 4 to get a valid nonce for the
wp_ajax_nopriv_action. - Step 3: Craft Unauthorized Request. Send a POST request to
admin-ajax.php.- Action:
compe_remove_product(Verify in source). - Payload:
action=compe_remove_product&id=[TARGET_PRODUCT_ID]&security=[NONCE]
- Action:
- Tooling: Use
http_request.
{
"method": "POST",
"url": "http://localhost:8080/wp-admin/admin-ajax.php",
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "action=compe_remove_product&id=123&security=abc123def"
}
6. Test Data Setup
- Install WooCommerce: Ensure the WooCommerce plugin is active.
- Create Products: Create at least two test products.
wp post create --post_type=product --post_title="Target Product" --post_status=publish - Simulate Victim Activity: Use a browser or WP-CLI to add a product to a comparison list. Note the database record or meta-value created.
- Confirm Target ID: Identify the
idof the comparison entry to be targeted.
7. Expected Results
- Successful Exploitation: The AJAX response returns a success indicator (e.g.,
{"success": true}). - Data Impact: The product entry associated with the
idprovided in the payload is removed from the database, even though the attacker did not "own" that comparison session.
8. Verification Steps
- Database Check: Use WP-CLI to check the state of the comparison table or user meta before and after the attack.
wp db query "SELECT * FROM wp_compe_lists WHERE id = [TARGET_ID];"(Verify table name). - UI Check: Navigate to the comparison page as the "victim" to confirm their list has been altered or cleared.
9. Alternative Approaches
- Clear All Action: If
compe_remove_productis not the primary vector, investigatecompe_clear_all. If it accepts auser_idorlist_idparameter without verification, it may allow clearing all items for any user. - Information Disclosure: Check if any AJAX actions (e.g.,
compe_get_list) allow retrieving comparison data for arbitrary IDs, which would elevate the IDOR from data modification to data exposure.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.