CVE-2026-52694

Digital Signature Add-on for WooCommerce <= 2.0 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.0.1
Patched in
9d
Time to patch

Description

The Digital Signature Add-on for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.0
PublishedJune 10, 2026
Last updatedJune 18, 2026

What Changed in the Fix

Changes introduced in v2.0.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-52694 ## 1. Vulnerability Summary The **Signature Add-On for WooCommerce** plugin (versions <= 2.0) is vulnerable to **Sensitive Information Exposure**. The vulnerability exists because the plugin registers AJAX handlers (likely `wp_ajax_nopriv_`) to fetch dat…

Show full research plan

Exploitation Research Plan: CVE-2026-52694

1. Vulnerability Summary

The Signature Add-On for WooCommerce plugin (versions <= 2.0) is vulnerable to Sensitive Information Exposure. The vulnerability exists because the plugin registers AJAX handlers (likely wp_ajax_nopriv_) to fetch data for the plugin's "About" page and configuration dashboard, but fails to implement proper capability checks or sufficiently restrict the data returned to unauthenticated users.

Attackers can extract sensitive configuration data (such as the ApproveMe license key) and potentially sensitive user/order information by leveraging a valid unauthenticated nonce.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST (or GET if the handler allows)
  • Vulnerable Action: esig_woo_get_license_data (inferred based on admin/views/woocommerce-esign-about.php content) or esig_woo_about_info.
  • Payload Parameter: action=esig_woo_get_license_data&_wpnonce=[NONCE]
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. A valid nonce for the action must be obtained from the frontend.

3. Code Flow

  1. Entry Point: An unauthenticated user sends a request to admin-ajax.php with a
Research Findings
Static analysis — not yet PoC-verified

Summary

The Digital Signature Add-on for WooCommerce plugin is vulnerable to unauthenticated information exposure due to insufficient access controls on order data. Attackers can view sensitive order details and PII by manipulating client-side cookies or exploiting the 'esigpreview' parameter in shortcodes, which lacks ownership verification.

Vulnerable Code

/* admin/woocommerce-esig-shortcode.php lines 58-75 */
final function esignature_content($docContent, $docId) {

    $order_id = esig_woo_logic::get_after_checkout_order_id();

    if (!$order_id) {
        $invitation = WP_E_Sig()->invite->getInviteBy('document_id', $docId);
        if (!$invitation) {
            return $docContent;
        }
        $order_id = $this->get_esig_order_id($invitation->document_id, $invitation->invitation_id);
    }

    if (!$order_id) {
        return $docContent;
    }
    $data = esig_woo_logic::orderDetails($order_id);
    $latestContent = WP_E_View::instance()->replace_variable($docContent, $data);
    return $latestContent;
}

---

/* includes/class-esig-woo-signature.php lines 274-277 */
public static function save_after_checkout_order_id($order_id) {
    $orderId = self::orderIdValid($order_id);
    esig_setcookie('esig-aftercheckout-order-id', $orderId, 60 * 60 * 1);
}

---

/* includes/class-hold-payment.php lines 257-268 */
public function pre_process_checkout() {

    $response = array(
        'result' => 'failure',
        'messages' => '<font color="color">'. __('here we go','esign').'</font>',
    );

    update_option('rupom', WC()->session);
    wp_send_json($response);
    wp_die();
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woocommerce-digital-signature/2.0/admin/woocommerce-esig-shortcode.php /home/deploy/wp-safety.org/data/plugin-versions/woocommerce-digital-signature/2.0.1/admin/woocommerce-esig-shortcode.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woocommerce-digital-signature/2.0/admin/woocommerce-esig-shortcode.php	2026-05-19 18:23:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woocommerce-digital-signature/2.0.1/admin/woocommerce-esig-shortcode.php	2026-05-28 17:01:14.000000000 +0000
@@ -71,6 +70,17 @@
             if (!$order_id) {
                 return $docContent;
             }
+
+            // Security fix: when the order ID came from the cookie (no invitation),
+            // verify the current user owns it before substituting PII into the document.
+            if ( ! current_user_can( 'manage_woocommerce' ) ) {
+                $order_obj = wc_get_order( $order_id );
+                $current_user_id = get_current_user_id();
+                if ( ! $order_obj || ( $current_user_id > 0 && (int) $order_obj->get_customer_id() !== $current_user_id ) ) {
+                    return $docContent;
+                }
+            }
+
             $data = esig_woo_logic::orderDetails($order_id);
             $latestContent = WP_E_View::instance()->replace_variable($docContent, $data);
             return $latestContent;
@@ -209,7 +219,10 @@
                 $invitation = $api->invite->getInviteBy('document_id', $document_id);
             }
 
-            if (ESIG_GET('esigpreview')) {
+            // esigpreview is an admin-only feature: restrict it to shop managers so
+            // that arbitrary visitors cannot pass ?esigpreview=1&document_id=X to
+            // pull order PII for any document in the system.
+            if (ESIG_GET('esigpreview') && current_user_can('manage_woocommerce')) {
                 $document_id = ESIG_GET('document_id');
                 $invitation = $api->invite->getInviteBy('document_id', $document_id);
             }

Exploit Outline

The vulnerability can be exploited by unauthenticated attackers to view sensitive WooCommerce order data and PII. 1. Target the signature shortcode functionality on the frontend. 2. Forged Cookie Method: Set the 'esig-aftercheckout-order-id' cookie to a target order ID. When the signature shortcode renders, it retrieves this order ID from the cookie and replaces document variables with that order's PII (e.g., name, address) without verifying if the visitor is the order owner. 3. Preview Parameter Method: Append '?esigpreview=1&document_id=[TARGET_ID]' to a URL containing the shortcode. In affected versions, the plugin fails to check if the user has 'manage_woocommerce' capabilities, allowing unauthorized access to order data associated with the specified document ID. 4. Additionally, debug code in the plugin dumps sensitive session objects directly into the 'wp_options' table, which may be accessible via other configuration exposure vectors.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.