[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMQaagPUN6b2c9ZmIXZwT61uZkvyY-lE-WNcTu6G3N-U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-25443","fraud-prevention-for-woocommerce-and-edd-missing-authorization-to-unauthenticated-arbitrary-content-deletion","Fraud Prevention For WooCommerce and EDD \u003C= 2.3.3 - Missing Authorization to Unauthenticated Arbitrary Content Deletion","The Fraud Prevention For WooCommerce and EDD plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.3.3. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers",null,"\u003C=2.3.3","2.3.4","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Missing Authorization","2026-03-18 00:00:00","2026-03-27 20:01:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F608d46e3-ef56-48b1-b965-b324e68e8a8b?source=api-prod",10,[22,23,24,25],"README.txt","admin\u002Fclass-woocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.php","languages\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers.pot","woocommerce-blocker.php","researched",false,3,"This research plan focuses on exploiting a missing authorization vulnerability in the **Fraud Prevention For WooCommerce and EDD** plugin, which allows unauthenticated attackers to delete arbitrary WordPress content (posts, pages, etc.).\n\n### 1. Vulnerability Summary\nThe plugin registers an AJAX action `wcblu_delete_blocked_user` (and potentially others) that lacks any capability checks (`current_user_can`) or authentication requirements. Furthermore, it is registered via the `wp_ajax_nopriv_` hook, making it accessible to users who are not logged in. Because the handler typically takes a post ID and passes it directly to `wp_delete_post()` without validating the post type, an attacker can delete any post, page, or attachment on the site.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `http:\u002F\u002FTARGET\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Action:** `wcblu_delete_blocked_user` (inferred from plugin logic for deleting \"Blocked User\" records).\n*   **Vulnerable Parameter:** `id` (or potentially `post_id`).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** A valid ID of a post, page, or other content to be deleted must be known.\n\n### 3. 
Code Flow\n1.  The plugin registers the AJAX handler:\n    `add_action( 'wp_ajax_nopriv_wcblu_delete_blocked_user', array( $this, 'wcblu_delete_blocked_user' ) );`\n2.  The callback function `wcblu_delete_blocked_user` is executed:\n    ```php\n    public function wcblu_delete_blocked_user() {\n        \u002F\u002F Missing capability check (e.g., current_user_can('manage_options'))\n        \u002F\u002F Missing nonce check (check_ajax_referer) or weak check\n        $id = isset($_POST['id']) ? intval($_POST['id']) : 0;\n        if ($id > 0) {\n            wp_delete_post($id, true); \u002F\u002F Sink: Arbitrary content deletion\n        }\n        wp_die();\n    }\n    ```\n3.  Because `wp_delete_post()` is called with `$force_delete = true`, the content bypasses the trash and is permanently removed.\n\n### 4. Nonce Acquisition Strategy\nBased on `admin\u002Fclass-woocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.php`:\n*   The plugin uses a nonce named `wcblu-ajax-nonce`.\n*   It is localized in the JavaScript object `wblp_order_ajax`.\n*   The script is enqueued in the admin area via `enqueue_scripts`.\n\n**Crucial Check:** The vulnerability description specifies \"Unauthenticated.\" Usually, this means the developer either:\n1.  Omitted the nonce check entirely in the AJAX handler.\n2.  Used `wp_ajax_nopriv_` but only enqueued the nonce for administrators, rendering the check impossible to pass for attackers (unless it's bypassable).\n\n**Strategy:**\n1.  Try the exploit **without a nonce** first.\n2.  If it fails with a `403` or `-1`, check if the nonce is leaked on public pages (e.g., Checkout or Registration) where this plugin's fraud prevention logic runs.\n3.  Use the following JS to check for a leaked nonce in the browser:\n    `browser_eval(\"window.wblp_order_ajax?.nonce\")`\n\n### 5. Exploitation Strategy\nWe will attempt to delete a \"canary\" post created specifically for testing.\n\n**Step-by-Step:**\n1.  
**Preparation:** Identify the ID of a target post.\n2.  **Request:** Send a POST request to `admin-ajax.php`.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=wcblu_delete_blocked_user&id=[TARGET_POST_ID]\n```\n\n*If a nonce is required:*\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=wcblu_delete_blocked_user&id=[TARGET_POST_ID]&nonce=[EXTRACTED_NONCE]\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure \"Fraud Prevention For WooCommerce and EDD\" version 2.3.3 is active.\n2.  **Create Canary Content:**\n    `wp post create --post_type=post --post_title=\"Vulnerable Canary\" --post_status=publish`\n3.  **Capture ID:** Note the ID of the created post (e.g., `123`).\n\n### 7. Expected Results\n*   **HTTP Response:** A successful request usually returns `200 OK` with a body of `1`, `0`, or an empty response (depending on `wp_die()` usage).\n*   **Database State:** The post with the specified ID should no longer exist in the `wp_posts` table.\n\n### 8. Verification Steps\n1.  Check for the post's existence via WP-CLI:\n    `wp post exists [TARGET_POST_ID]`\n2.  The command should return an error or empty result, confirming the post is deleted.\n3.  Verify the post is not in the Trash:\n    `wp post list --post_type=post --post_status=trash`\n\n### 9. Alternative Approaches\nIf `wcblu_delete_blocked_user` does not work, the plugin might use a different action name for deletion. 
Search the code for `wp_ajax_nopriv` combined with `delete` functions:\n*   Action: `wcblu_delete_report`\n*   Action: `wcblu_delete_fraud_log`\n*   Parameter variation: Try `post_id` instead of `id`.\n\nIf a nonce is strictly required and not leaked to unauthenticated users, the vulnerability might be \"Authorized\" (Subscriber-level) rather than \"Unauthenticated,\" despite the CVE description. In that case, register a subscriber user and extract the nonce from the dashboard.","The Fraud Prevention For WooCommerce and EDD plugin for WordPress is vulnerable to unauthenticated arbitrary content deletion because it lacks capability checks and nonce verification in the `wcblu_permanent_delete_process` function. An attacker can delete any post, page, or attachment by providing a specific ID via a GET parameter.","\u002F* admin\u002Fclass-woocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.php line 2141 in v2.3.3 *\u002F\n    function wcblu_permanent_delete_process() {\n        $unblock_user_id = filter_input( INPUT_GET, 'was_permanent_delete', FILTER_SANITIZE_NUMBER_INT );\n        if ( !empty( $unblock_user_id ) ) {\n            wcblu_permanent_delete_data( $unblock_user_id );\n        }\n    }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers\u002F2.3.3\u002Fadmin\u002Fclass-woocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.php\t2026-02-24 10:46:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers\u002F2.3.4\u002Fadmin\u002Fclass-woocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.php\t2026-03-19 12:33:52.000000000 +0000\n@@ -2131,7 +2131,11 @@\n      *\u002F\n     function wcblu_permanent_delete_action( $actions, $post ) {\n         if ( 'blocked_user' === $post->post_type ) {\n- 
           $actions['was-delete-permanent'] = '\u003Ca href=\"?post_type=blocked_user&was_permanent_delete=' . $post->ID . '\" class=\"was-permanent-user\">' . esc_html__( 'Delete Permanently', 'woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers' ) . '\u003C\u002Fa>';\n+            $delete_url = wp_nonce_url( add_query_arg( array(\n+                'post_type'            => 'blocked_user',\n+                'was_permanent_delete' => $post->ID,\n+            ), admin_url( 'edit.php' ) ), 'wcblu_permanent_delete_' . $post->ID, '_wcblu_delete_nonce' );\n+            $actions['was-delete-permanent'] = '\u003Ca href=\"' . esc_url( $delete_url ) . '\" class=\"was-permanent-user\">' . esc_html__( 'Delete Permanently', 'woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers' ) . '\u003C\u002Fa>';\n         }\n         return $actions;\n     }\n@@ -2141,9 +2145,23 @@\n      *\u002F\n     function wcblu_permanent_delete_process() {\n         $unblock_user_id = filter_input( INPUT_GET, 'was_permanent_delete', FILTER_SANITIZE_NUMBER_INT );\n-        if ( !empty( $unblock_user_id ) ) {\n-            wcblu_permanent_delete_data( $unblock_user_id );\n+        if ( empty( $unblock_user_id ) ) {\n+            return;\n         }\n+        \u002F\u002F Security: Require admin capability.\n+        if ( !current_user_can( 'manage_woocommerce' ) && !current_user_can( 'manage_options' ) ) {\n+            return;\n+        }\n+        \u002F\u002F Security: Verify nonce.\n+        if ( !isset( $_GET['_wcblu_delete_nonce'] ) || !wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wcblu_delete_nonce'] ) ), 'wcblu_permanent_delete_' . 
$unblock_user_id ) ) {\n+            return;\n+        }\n+        \u002F\u002F Security: Ensure we only delete blocked_user posts, not arbitrary content.\n+        $post = get_post( $unblock_user_id );\n+        if ( !$post instanceof WP_Post || 'blocked_user' !== $post->post_type ) {\n+            return;\n+        }\n+        wcblu_permanent_delete_data( $unblock_user_id );\n     }","The exploit targets the `wcblu_permanent_delete_process` function, which is triggered via a GET request containing the `was_permanent_delete` parameter. Because the plugin fails to check for user capabilities or nonces before passing this parameter to a deletion routine (likely wrapping `wp_delete_post`), an unauthenticated attacker can delete any post, page, or attachment. \n\n1. Identify the post ID of the target content to be deleted (e.g., a specific page or post).\n2. Construct a GET request to a standard WordPress admin URL (like `\u002Fwp-admin\u002Fadmin-post.php` or `\u002Fwp-admin\u002Findex.php`) that triggers `admin_init` hooks.\n3. Append the parameter `was_permanent_delete=[TARGET_POST_ID]` to the URL.\n4. Execute the request. 
The plugin's vulnerable logic will identify the parameter and delete the post permanently without requiring authentication or valid nonces.","gemini-3-flash-preview","2026-04-18 02:29:46","2026-04-18 02:30:22",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers\u002Ftags\u002F2.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers.2.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers\u002Ftags\u002F2.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers.2.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers\u002Ftags"]
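Review bot: in the first hunk (`wcblu_permanent_delete_action`), the "Delete Permanently" row action is still added whenever the post type is `blocked_user`, with no capability check around it, while the handler in the second hunk now returns early unless the user has `manage_woocommerce` or `manage_options`. Gate the link on the same capability test so users who cannot delete are not shown a link that silently does nothing. Binding the nonce action to `$post->ID` is good and should stay.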
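Review bot: in the second hunk (`wcblu_permanent_delete_process`), every failed check ends in a bare `return`, so a missing capability, a bad nonce or a wrong post type is indistinguishable from a normal page load and leaves nothing to log or alert on. Consider failing loudly with `wp_die()` and a 403 status for the capability and nonce branches. The ID also comes from `FILTER_SANITIZE_NUMBER_INT`, which leaves `+` and `-` in the string, so normalising it with `absint()` before it is used in the nonce action and `get_post()` would make the value unambiguous. The capability test is site-wide; once the post type is confirmed, a per-object `current_user_can( 'delete_post', $unblock_user_id )` would tie the permission to the record being removed. The deletion is still triggered by a GET request, so it now depends entirely on the nonce for CSRF protection.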