CVE-2026-24553

Fraud Prevention For Woocommerce <= 2.3.2 - Authenticated (Subscriber+) Information Exposure

Weakness: Exposure of Sensitive Information to an Unauthorized Actor
Severity: medium
CVSS Score: 4.3
Patched in: 2.3.3
Time to patch: 34d

Description

The Fraud Prevention For WooCommerce and EDD plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <=2.3.2
Published: January 22, 2026
Last updated: February 24, 2026

What Changed in the Fix

Changes introduced in v2.3.3


Source Code

WordPress.org SVN
Research Plan (Unverified)

Research Plan: CVE-2026-24553 - Information Exposure in Fraud Prevention For WooCommerce

1. Vulnerability Summary

The "Fraud Prevention For WooCommerce and EDD" plugin (<= 2.3.2) suffers from a sensitive information exposure vulnerability. The plugin registers several AJAX actions intended for administrative use (like exporting settings and viewing dashboard reports) but fails to implement proper capability checks. This allows authenticated users with Subscriber-level permissions to trigger these actions. By exploiting this, an attacker can extract the plugin's configuration, which includes blacklisted IP addresses, email patterns, and potentially other sensitive store security configurations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wcblu_export_lite_settings (for exporting configuration/blacklist) or wcblu_get_dashboard_data (for viewing report metrics).
  • Method: POST (standard for WordPress AJAX).
  • Parameters:
    • action: wcblu_export_lite_settings
    • nonce: A valid nonce for the wcblu-ajax-nonce action.
  • Authentication: Required (Subscriber or higher).
  • Preconditions: The attacker must be logged in and able to retrieve a valid nonce.

3. Code Flow

  1. Entry Point: The admin_enqueue_scripts hook (implemented as enqueue_scripts in class-woocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.php) registers and localizes scripts.
  2. Nonce Generation: Inside enqueue_scripts, the plugin calls wp_create_nonce( 'wcblu-ajax-nonce' ) and assigns it to the adminajax JavaScript object:
    wp_localize_script( 'jquery-wblp-order-widget-js', 'adminajax', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wcblu-ajax-nonce' ),
    ) );
  3. AJAX Registration: The plugin registers AJAX handlers (likely in the truncated part of the admin class or a loader) using add_action( 'wp_ajax_wcblu_export_lite_settings', ... ).
  4. Vulnerable Sink: The handler for wcblu_export_lite_settings checks the nonce using check_ajax_referer( 'wcblu-ajax-nonce', 'nonce' ) but fails to call current_user_can( 'manage_options' ).
  5. Output: The handler then fetches the plugin options (e.g., get_option( 'wcblu_settings' )) and returns them as a JSON response.
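The sink described in step 4, as an added illustration rather than the plugin's actual code: a handler that stops at the nonce check, beside the hardened form that adds the capability check the fix needs. Hook, nonce and option names follow the (unverified) research plan above; the function names and the assumption that the script handle was already enqueued are mine.

```php
<?php
// Added example, not the plugin's code. 'wcblu-ajax-nonce',
// wcblu_export_lite_settings and wcblu_settings come from the research plan
// above; the function names and option layout are assumptions.

// Vulnerable pattern: a nonce only proves the request originated from a page
// that localized 'wcblu-ajax-nonce'. wp_create_nonce() hands that token to any
// logged-in user who can load such a page, so it is a CSRF defence, not an
// authorization check. A Subscriber holding a valid nonce passes this gate.
function wcblu_export_lite_settings_vulnerable() {
    check_ajax_referer( 'wcblu-ajax-nonce', 'nonce' );
    $settings = get_option( 'wcblu_settings', array() );
    wp_send_json_success( $settings ); // blacklist_emails, blacklist_ips, ... leave the server
}

// Hardened pattern: keep the nonce check and add the missing capability check.
// wp_send_json_error() with a 403 status exits immediately, so nothing below
// it runs for an under-privileged caller.
function wcblu_export_lite_settings_hardened() {
    check_ajax_referer( 'wcblu-ajax-nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $settings = get_option( 'wcblu_settings', array() );
    wp_send_json_success( $settings );
}

// Register only the logged-in (wp_ajax_) hook; an administrative export action
// deliberately gets no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_wcblu_export_lite_settings', 'wcblu_export_lite_settings_hardened' );

// Defence in depth: localize the nonce only for users who may call the handler,
// so the token is never handed to a Subscriber in the first place. The original
// additionally restricts this by screen hook ($valid_hooks); that check is
// omitted here. Assumes 'jquery-wblp-order-widget-js' was enqueued earlier.
function wcblu_enqueue_scripts_hardened( $hook_suffix ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'jquery-wblp-order-widget-js', 'adminajax', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wcblu-ajax-nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wcblu_enqueue_scripts_hardened' );
```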

4. Nonce Acquisition Strategy

The nonce is localized on several admin pages defined in the $valid_hooks and $order_blacklist arrays. To exploit this as a Subscriber, we must determine whether any of these pages is reachable with only the read capability, or whether the plugin registers a menu entry with a capability that is too permissive.

  1. Target Page: wp-admin/admin.php?page=wcblu-dashboard (The "Fraud Prevention" dashboard).
  2. Method:
    • Navigate to the dashboard as a Subscriber.
    • Use browser_eval to extract the nonce from the adminajax object.
  3. JavaScript: window.adminajax?.nonce
  4. Note: If the dashboard is correctly protected by manage_options, we will check if the plugin enqueues these scripts on the Subscriber's profile page (profile.php) or if any other menu item (like wblp-get-started) is incorrectly granted to the read capability.

5. Exploitation Strategy

  1. Authentication: Log in to the WordPress instance as a Subscriber.
  2. Nonce Retrieval:
    • Navigate to /wp-admin/admin.php?page=wcblu-dashboard.
    • Execute browser_eval("adminajax.nonce") to get the token.
  3. Data Extraction: Send a POST request to admin-ajax.php to dump the settings.
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=wcblu_export_lite_settings&nonce=[NONCE]
  4. Data Analysis: The response will be a JSON object containing the wcblu_settings, which typically includes the blacklist_emails, blacklist_ips, and blacklist_zipcodes.

6. Test Data Setup

  1. Administrator Actions:
    • Go to Fraud Prevention > Blacklist Settings.
    • Add evil-attacker@example.com to the "Blacklisted Emails".
    • Add 1.3.3.7 to the "Blacklisted IPs".
    • Save settings.
  2. User Creation:
    • Create a user attacker_sub with the Subscriber role.
  3. Confirm Plugin State:
    • Verify get_option('wcblu_settings') contains the test data using WP-CLI.

7. Expected Results

A successful exploit will return a JSON response with success: true and a data field containing a serialized or JSON-encoded string of the plugin's configuration. This configuration will expose the blacklisted email (evil-attacker@example.com) and IP (1.3.3.7).

8. Verification Steps

  1. HTTP Check: Verify the HTTP response status is 200 OK and the body contains the string evil-attacker@example.com.
  2. Database Comparison: Use WP-CLI to confirm the output matches the actual plugin settings:
    wp option get wcblu_settings --format=json

9. Alternative Approaches

If wcblu_export_lite_settings is not the correct action name (it varies between lite versions), try:

  • wcblu_export_settings
  • wcblu_get_dashboard_data (This might return a summary of fraud attempts, exposing customer transaction amounts or emails).
  • Check the HTML source of the dashboard page for a hidden input named wcblu_export_action which contains the dynamic action name:
    browser_eval("document.querySelector('input[name=\"wcblu_export_action\"]')?.value")
