[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSk6nbL_9D_QA-HjgJN9luj-2ISGuORMG-Q5lxz9bVvw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-52694","digital-signature-add-on-for-woocommerce-unauthenticated-information-exposure","Digital Signature Add-on for WooCommerce \u003C= 2.0 - Unauthenticated Information Exposure","The Digital Signature Add-on for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","woocommerce-digital-signature",null,"\u003C=2.0","2.0.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-10 00:00:00","2026-06-18 13:23:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa36eb269-c917-4763-86cf-6d533dd906ad?source=api-prod",9,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fimages\u002Fwoo-add-on-step-1.png","admin\u002Fassets\u002Fimages\u002Fwoo-add-on-step-2.jpg","admin\u002Fassets\u002Fimages\u002Fwoo-add-on-step-3.png","admin\u002Fassets\u002Fimages\u002Fwoo-add-on-step-4.png","admin\u002Fassets\u002Fimages\u002Fwoo-add-on-step-5a.jpg","admin\u002Fassets\u002Fimages\u002Fwoo-add-on-step-5b.jpg","admin\u002Fviews\u002Fwoocommerce-esign-about.php","admin\u002Fwoocommerce-esig-admin.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-52694\n\n## 1. Vulnerability Summary\nThe **Signature Add-On for WooCommerce** plugin (versions \u003C= 2.0) is vulnerable to **Sensitive Information Exposure**. The vulnerability exists because the plugin registers AJAX handlers (likely `wp_ajax_nopriv_`) to fetch data for the plugin's \"About\" page and configuration dashboard, but fails to implement proper capability checks or sufficiently restrict the data returned to unauthenticated users. \n\nAttackers can extract sensitive configuration data (such as the **ApproveMe license key**) and potentially sensitive user\u002Forder information by leveraging a valid unauthenticated nonce.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **HTTP Method:** `POST` (or `GET` if the handler allows)\n- **Vulnerable Action:** `esig_woo_get_license_data` (inferred based on `admin\u002Fviews\u002Fwoocommerce-esign-about.php` content) or `esig_woo_about_info`.\n- **Payload Parameter:** `action=esig_woo_get_license_data&_wpnonce=[NONCE]`\n- **Authentication:** None (Unauthenticated).\n- **Preconditions:** The plugin must be active. A valid nonce for the action must be obtained from the frontend.\n\n## 3. Code Flow\n1. **Entry Point:** An unauthenticated user sends a request to `admin-ajax.php` with a","The Digital Signature Add-on for WooCommerce plugin is vulnerable to unauthenticated information exposure due to insufficient access controls on order data. Attackers can view sensitive order details and PII by manipulating client-side cookies or exploiting the 'esigpreview' parameter in shortcodes, which lacks ownership verification.","\u002F* admin\u002Fwoocommerce-esig-shortcode.php lines 58-75 *\u002F\nfinal function esignature_content($docContent, $docId) {\n\n    $order_id = esig_woo_logic::get_after_checkout_order_id();\n\n    if (!$order_id) {\n        $invitation = WP_E_Sig()->invite->getInviteBy('document_id', $docId);\n        if (!$invitation) {\n            return $docContent;\n        }\n        $order_id = $this->get_esig_order_id($invitation->document_id, $invitation->invitation_id);\n    }\n\n    if (!$order_id) {\n        return $docContent;\n    }\n    $data = esig_woo_logic::orderDetails($order_id);\n    $latestContent = WP_E_View::instance()->replace_variable($docContent, $data);\n    return $latestContent;\n}\n\n---\n\n\u002F* includes\u002Fclass-esig-woo-signature.php lines 274-277 *\u002F\npublic static function save_after_checkout_order_id($order_id) {\n    $orderId = self::orderIdValid($order_id);\n    esig_setcookie('esig-aftercheckout-order-id', $orderId, 60 * 60 * 1);\n}\n\n---\n\n\u002F* includes\u002Fclass-hold-payment.php lines 257-268 *\u002F\npublic function pre_process_checkout() {\n\n    $response = array(\n        'result' => 'failure',\n        'messages' => '\u003Cfont color=\"color\">'. __('here we go','esign').'\u003C\u002Ffont>',\n    );\n\n    update_option('rupom', WC()->session);\n    wp_send_json($response);\n    wp_die();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-digital-signature\u002F2.0\u002Fadmin\u002Fwoocommerce-esig-shortcode.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-digital-signature\u002F2.0.1\u002Fadmin\u002Fwoocommerce-esig-shortcode.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-digital-signature\u002F2.0\u002Fadmin\u002Fwoocommerce-esig-shortcode.php\t2026-05-19 18:23:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-digital-signature\u002F2.0.1\u002Fadmin\u002Fwoocommerce-esig-shortcode.php\t2026-05-28 17:01:14.000000000 +0000\n@@ -71,6 +70,17 @@\n             if (!$order_id) {\n                 return $docContent;\n             }\n+\n+            \u002F\u002F Security fix: when the order ID came from the cookie (no invitation),\n+            \u002F\u002F verify the current user owns it before substituting PII into the document.\n+            if ( ! current_user_can( 'manage_woocommerce' ) ) {\n+                $order_obj = wc_get_order( $order_id );\n+                $current_user_id = get_current_user_id();\n+                if ( ! $order_obj || ( $current_user_id > 0 && (int) $order_obj->get_customer_id() !== $current_user_id ) ) {\n+                    return $docContent;\n+                }\n+            }\n+\n             $data = esig_woo_logic::orderDetails($order_id);\n             $latestContent = WP_E_View::instance()->replace_variable($docContent, $data);\n             return $latestContent;\n@@ -209,7 +219,10 @@\n                 $invitation = $api->invite->getInviteBy('document_id', $document_id);\n             }\n \n-            if (ESIG_GET('esigpreview')) {\n+            \u002F\u002F esigpreview is an admin-only feature: restrict it to shop managers so\n+            \u002F\u002F that arbitrary visitors cannot pass ?esigpreview=1&document_id=X to\n+            \u002F\u002F pull order PII for any document in the system.\n+            if (ESIG_GET('esigpreview') && current_user_can('manage_woocommerce')) {\n                 $document_id = ESIG_GET('document_id');\n                 $invitation = $api->invite->getInviteBy('document_id', $document_id);\n             }","The vulnerability can be exploited by unauthenticated attackers to view sensitive WooCommerce order data and PII. \n\n1. Target the signature shortcode functionality on the frontend. \n2. Forged Cookie Method: Set the 'esig-aftercheckout-order-id' cookie to a target order ID. When the signature shortcode renders, it retrieves this order ID from the cookie and replaces document variables with that order's PII (e.g., name, address) without verifying if the visitor is the order owner.\n3. Preview Parameter Method: Append '?esigpreview=1&document_id=[TARGET_ID]' to a URL containing the shortcode. In affected versions, the plugin fails to check if the user has 'manage_woocommerce' capabilities, allowing unauthorized access to order data associated with the specified document ID.\n4. Additionally, debug code in the plugin dumps sensitive session objects directly into the 'wp_options' table, which may be accessible via other configuration exposure vectors.","gemini-3-flash-preview","2026-06-26 01:26:10","2026-06-26 01:27:53",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-digital-signature\u002Ftags\u002F2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-digital-signature.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-digital-signature\u002Ftags\u002F2.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-digital-signature.2.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-digital-signature\u002Ftags"]