Digital Signature Add-on for WooCommerce <= 2.0 - Unauthenticated Information Exposure
Description
The Digital Signature Add-on for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=2.0What Changed in the Fix
Changes introduced in v2.0.1
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-52694 ## 1. Vulnerability Summary The **Signature Add-On for WooCommerce** plugin (versions <= 2.0) is vulnerable to **Sensitive Information Exposure**. The vulnerability exists because the plugin registers AJAX handlers (likely `wp_ajax_nopriv_`) to fetch dat…
Show full research plan
Exploitation Research Plan: CVE-2026-52694
1. Vulnerability Summary
The Signature Add-On for WooCommerce plugin (versions <= 2.0) is vulnerable to Sensitive Information Exposure. The vulnerability exists because the plugin registers AJAX handlers (likely wp_ajax_nopriv_) to fetch data for the plugin's "About" page and configuration dashboard, but fails to implement proper capability checks or sufficiently restrict the data returned to unauthenticated users.
Attackers can extract sensitive configuration data (such as the ApproveMe license key) and potentially sensitive user/order information by leveraging a valid unauthenticated nonce.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - HTTP Method:
POST(orGETif the handler allows) - Vulnerable Action:
esig_woo_get_license_data(inferred based onadmin/views/woocommerce-esign-about.phpcontent) oresig_woo_about_info. - Payload Parameter:
action=esig_woo_get_license_data&_wpnonce=[NONCE] - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. A valid nonce for the action must be obtained from the frontend.
3. Code Flow
- Entry Point: An unauthenticated user sends a request to
admin-ajax.phpwith a
Summary
The Digital Signature Add-on for WooCommerce plugin is vulnerable to unauthenticated information exposure due to insufficient access controls on order data. Attackers can view sensitive order details and PII by manipulating client-side cookies or exploiting the 'esigpreview' parameter in shortcodes, which lacks ownership verification.
Vulnerable Code
/* admin/woocommerce-esig-shortcode.php lines 58-75 */ final function esignature_content($docContent, $docId) { $order_id = esig_woo_logic::get_after_checkout_order_id(); if (!$order_id) { $invitation = WP_E_Sig()->invite->getInviteBy('document_id', $docId); if (!$invitation) { return $docContent; } $order_id = $this->get_esig_order_id($invitation->document_id, $invitation->invitation_id); } if (!$order_id) { return $docContent; } $data = esig_woo_logic::orderDetails($order_id); $latestContent = WP_E_View::instance()->replace_variable($docContent, $data); return $latestContent; } --- /* includes/class-esig-woo-signature.php lines 274-277 */ public static function save_after_checkout_order_id($order_id) { $orderId = self::orderIdValid($order_id); esig_setcookie('esig-aftercheckout-order-id', $orderId, 60 * 60 * 1); } --- /* includes/class-hold-payment.php lines 257-268 */ public function pre_process_checkout() { $response = array( 'result' => 'failure', 'messages' => '<font color="color">'. __('here we go','esign').'</font>', ); update_option('rupom', WC()->session); wp_send_json($response); wp_die(); }
Security Fix
@@ -71,6 +70,17 @@ if (!$order_id) { return $docContent; } + + // Security fix: when the order ID came from the cookie (no invitation), + // verify the current user owns it before substituting PII into the document. + if ( ! current_user_can( 'manage_woocommerce' ) ) { + $order_obj = wc_get_order( $order_id ); + $current_user_id = get_current_user_id(); + if ( ! $order_obj || ( $current_user_id > 0 && (int) $order_obj->get_customer_id() !== $current_user_id ) ) { + return $docContent; + } + } + $data = esig_woo_logic::orderDetails($order_id); $latestContent = WP_E_View::instance()->replace_variable($docContent, $data); return $latestContent; @@ -209,7 +219,10 @@ $invitation = $api->invite->getInviteBy('document_id', $document_id); } - if (ESIG_GET('esigpreview')) { + // esigpreview is an admin-only feature: restrict it to shop managers so + // that arbitrary visitors cannot pass ?esigpreview=1&document_id=X to + // pull order PII for any document in the system. + if (ESIG_GET('esigpreview') && current_user_can('manage_woocommerce')) { $document_id = ESIG_GET('document_id'); $invitation = $api->invite->getInviteBy('document_id', $document_id); }
Exploit Outline
The vulnerability can be exploited by unauthenticated attackers to view sensitive WooCommerce order data and PII. 1. Target the signature shortcode functionality on the frontend. 2. Forged Cookie Method: Set the 'esig-aftercheckout-order-id' cookie to a target order ID. When the signature shortcode renders, it retrieves this order ID from the cookie and replaces document variables with that order's PII (e.g., name, address) without verifying if the visitor is the order owner. 3. Preview Parameter Method: Append '?esigpreview=1&document_id=[TARGET_ID]' to a URL containing the shortcode. In affected versions, the plugin fails to check if the user has 'manage_woocommerce' capabilities, allowing unauthorized access to order data associated with the specified document ID. 4. Additionally, debug code in the plugin dumps sensitive session objects directly into the 'wp_options' table, which may be accessible via other configuration exposure vectors.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.