CVE-2026-34898

Event Tickets Manager for WooCommerce <= 1.5.3 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.5.4
Time to patch: 9d

Description

The Event Tickets Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

Affected versions: <=1.5.3
Published: April 7, 2026
Last updated: April 15, 2026

What Changed in the Fix

Changes introduced in v1.5.4


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-34898

1. Vulnerability Summary

The Event Tickets Manager for WooCommerce plugin (<= 1.5.3) suffers from a Missing Authorization vulnerability. The AJAX handler for wps_etmfw_edit_user_info fails to perform capability checks or verify order ownership. This allows an unauthenticated attacker to modify attendee/ticket information for any WooCommerce order by providing the target order_id.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wps_etmfw_edit_user_info
  • Method: POST
  • Authentication: None required (registered via wp_ajax_nopriv_).
  • Vulnerable Parameters:
    • order_id: The ID of the WooCommerce order to modify.
    • form_value: An object/array containing the ticket fields to overwrite (e.g., Name, Email).
  • Preconditions:
    • The attacker needs a valid order_id (can be enumerated).
    • A valid public nonce is required.

3. Code Flow

  1. Registration: The plugin (likely in Event_Tickets_Manager_For_Woocommerce_Public) registers wp_ajax_nopriv_wps_etmfw_edit_user_info.
  2. Trigger: The frontend script public/src/js/event-tickets-manager-for-woocommerce-public.js listens for a click on #wps_etmfw_save_edit_ticket_info_btn.
  3. Data Collection: It scrapes values from elements with the class .wps-edit-form-group and stores them in modifiedValues.
  4. AJAX Call: It sends a POST request to admin-ajax.php with action: 'wps_etmfw_edit_user_info', form_value: modifiedValues, and order_id.
  5. Vulnerable Sink: The PHP handler (inferred) verifies the nonce wps_nonce using wp_verify_nonce( $_POST['wps_nonce'], 'wps-etmfw-verify-public-nonce' ). However, it fails to check if the current user has permission to edit the specified order_id before updating the order's metadata/attendee details.
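
A stopgap for sites that cannot update to 1.5.4 immediately, as an added example that is not part of the original page or the vendor's patch: a must-use plugin that hooks the same AJAX action ahead of the plugin's handler and enforces ownership of order_id. The function and constant names are hypothetical, and it assumes the plugin's handler is registered at the default hook priority.

```php
<?php
/**
 * Plugin Name: Example guard for wps_etmfw_edit_user_info (added example)
 *
 * Constructed illustration, not the vendor's 1.5.4 patch. Drop into
 * wp-content/mu-plugins/ as a stopgap until the plugin is updated.
 * Assumption: the plugin's handler runs at the default hook priority (10).
 */

// AJAX action name as given in the advisory above.
const EXAMPLE_ETMFW_ACTION = 'wps_etmfw_edit_user_info';

function example_etmfw_require_order_access() {
	// A nonce printed on public pages only proves the request came from a
	// page view; it says nothing about who may edit which order.
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
	}

	$order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
	$order    = ( $order_id && function_exists( 'wc_get_order' ) ) ? wc_get_order( $order_id ) : false;

	// Same response for "no such order" and "not yours", so the endpoint
	// cannot be used to tell which order IDs exist.
	$allowed = false;
	if ( $order instanceof WC_Order ) {
		$is_owner = (int) $order->get_customer_id() === get_current_user_id();
		$allowed  = $is_owner || current_user_can( 'edit_shop_orders' );
	}
	if ( ! $allowed ) {
		wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
	}
	// Returning lets the plugin's own handler (and its nonce check) run.
}

// Priority 0 runs before the plugin's callback on both hook variants.
add_action( 'wp_ajax_nopriv_' . EXAMPLE_ETMFW_ACTION, 'example_etmfw_require_order_access', 0 );
add_action( 'wp_ajax_' . EXAMPLE_ETMFW_ACTION, 'example_etmfw_require_order_access', 0 );
```

Under this guard, guest-checkout orders (customer ID 0) can be edited only by accounts holding edit_shop_orders, so attendee edits by guests stop working until the plugin itself is updated.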

4. Nonce Acquisition Strategy

The nonce is localized for the public script and is available on any WooCommerce product page.

  1. Identify Trigger: The script event-tickets-manager-for-woocommerce-public.js is enqueued on single product pages via etmfw_public_enqueue_scripts().
  2. Action: Navigate to a product page.
  3. Extraction: Use browser_eval to extract the nonce from the etmfw_public_param object.
    • JS Variable: window.etmfw_public_param
    • Nonce Key: wps_etmfw_public_nonce
    • Nonce Action: wps-etmfw-verify-public-nonce

5. Exploitation Strategy

  1. Setup: Create a dummy event product and a target order.
  2. Nonce Extraction: Navigate to the product page and extract the nonce using browser_eval.
  3. Malicious Request: Use http_request to send a POST payload to admin-ajax.php.

Payload Example:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=wps_etmfw_edit_user_info&order_id=TARGET_ORDER_ID&wps_nonce=EXTRACTED_NONCE&form_value[Name]=Hacked_User&form_value[Email]=attacker@example.com

6. Test Data Setup

  1. Activate Plugin: Ensure event-tickets-manager-for-woocommerce is active.
  2. Create Product:
    wp post create --post_type=product --post_title="Event Ticket" --post_status=publish
    # Product ID will be needed for the nonce extraction page
    
  3. Configure Product: Set the product as an event.
    wp post meta set <PRODUCT_ID> _virtual yes
    wp post meta set <PRODUCT_ID> _ticket yes # (inferred meta key)
    
  4. Create Target Order: Create a WooCommerce order as a standard "Customer" user.
    wp wc order create --user=customer_user --status=processing --item_id=<PRODUCT_ID>
    # Note the resulting ORDER_ID
    

7. Expected Results

  • The AJAX response should be a JSON object (likely {"success": true} or similar).
  • The order metadata associated with the ticket (attendee name/email) should be updated to the values provided in form_value.

8. Verification Steps

  1. Check Order Meta: After the exploit, verify the order metadata via WP-CLI:
    wp post meta list <TARGET_ORDER_ID>
    
  2. Inspect Attendee Data: Look for keys like wps_etmfw_attendee_fields or similar (grounded in the plugin's meta naming convention) to see if "Hacked_User" is present.

9. Alternative Approaches

If order_id ownership is partially checked, try:

  • Parameter Pollution: If the code uses $_REQUEST['order_id'] vs $_POST['order_id'].
  • Empty Nonce: Check if the nonce verification is conditional (e.g., if (isset($_POST['wps_nonce'])) { wp_verify_nonce(...) }).
  • Default Nonce: If the localized nonce fails, try the default action nonce -1.
