[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHWqgrVDICzzCV8mguWN0ZIoy3sThnJ1rz6CIW407dkA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-24553","fraud-prevention-for-woocommerce-authenticated-subscriber-information-exposure","Fraud Prevention For Woocommerce \u003C= 2.3.2 - Authenticated (Subscriber+) Information Exposure","The Fraud Prevention For WooCommerce and EDD plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.","woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers",null,"\u003C=2.3.2","2.3.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-22 00:00:00","2026-02-24 22:21:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0253e3fa-c0ee-4c76-bd92-a450771cae0c?source=api-prod",34,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fclass-woocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.php","admin\u002Fcss\u002Fplugin-new-style.css","admin\u002Fcss\u002Fwoocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.css","admin\u002Fjs\u002Fwblp-order-widget.js","admin\u002Fjs\u002Fwoocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.js","admin\u002Fpartials\u002Fdots-dashboard.php","admin\u002Fpartials\u002Fdots-edd-dashboard.php","researched",false,3,"# Research Plan: CVE-2026-24553 - Information Exposure in Fraud Prevention For WooCommerce\n\n## 1. Vulnerability Summary\nThe \"Fraud Prevention For WooCommerce and EDD\" plugin (\u003C= 2.3.2) suffers from a sensitive information exposure vulnerability. The plugin registers several AJAX actions intended for administrative use (like exporting settings and viewing dashboard reports) but fails to implement proper capability checks. This allows authenticated users with Subscriber-level permissions to trigger these actions. By exploiting this, an attacker can extract the plugin's configuration, which includes blacklisted IP addresses, email patterns, and potentially other sensitive store security configurations.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action**: `wcblu_export_lite_settings` (for exporting configuration\u002Fblacklist) or `wcblu_get_dashboard_data` (for viewing report metrics).\n*   **Method**: `POST` (standard for WordPress AJAX).\n*   **Parameters**:\n    *   `action`: `wcblu_export_lite_settings`\n    *   `nonce`: A valid nonce for the `wcblu-ajax-nonce` action.\n*   **Authentication**: Required (Subscriber or higher).\n*   **Preconditions**: The attacker must be logged in and able to retrieve a valid nonce.\n\n## 3. Code Flow\n1.  **Entry Point**: The `admin_enqueue_scripts` hook (implemented as `enqueue_scripts` in `class-woocommerce-blocker-prevent-fake-orders-and-blacklist-fraud-customers-admin.php`) registers and localizes scripts.\n2.  **Nonce Generation**: Inside `enqueue_scripts`, the plugin calls `wp_create_nonce( 'wcblu-ajax-nonce' )` and assigns it to the `adminajax` JavaScript object:\n    ```php\n    wp_localize_script( 'jquery-wblp-order-widget-js', 'adminajax', array(\n        'ajaxurl' => admin_url( 'admin-ajax.php' ),\n        'nonce'   => wp_create_nonce( 'wcblu-ajax-nonce' ),\n    ) );\n    ```\n3.  **AJAX Registration**: The plugin registers AJAX handlers (likely in the truncated part of the admin class or a loader) using `add_action( 'wp_ajax_wcblu_export_lite_settings', ... )`.\n4.  **Vulnerable Sink**: The handler for `wcblu_export_lite_settings` checks the nonce using `check_ajax_referer( 'wcblu-ajax-nonce', 'nonce' )` but fails to call `current_user_can( 'manage_options' )`.\n5.  **Output**: The handler then fetches the plugin options (e.g., `get_option( 'wcblu_settings' )`) and returns them as a JSON response.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized on several admin pages defined in the `$valid_hooks` and `$order_blacklist` arrays. To exploit this as a Subscriber, we must find if any of these pages are accessible to the `read` capability or if the plugin misconfigures a menu.\n\n1.  **Target Page**: `wp-admin\u002Fadmin.php?page=wcblu-dashboard` (The \"Fraud Prevention\" dashboard).\n2.  **Method**:\n    *   Navigate to the dashboard as a Subscriber.\n    *   Use `browser_eval` to extract the nonce from the `adminajax` object.\n3.  **JavaScript**: `window.adminajax?.nonce`\n4.  **Note**: If the dashboard is correctly protected by `manage_options`, we will check if the plugin enqueues these scripts on the Subscriber's profile page (`profile.php`) or if any other menu item (like `wblp-get-started`) is incorrectly granted to the `read` capability.\n\n## 5. Exploitation Strategy\n1.  **Authentication**: Log in to the WordPress instance as a Subscriber.\n2.  **Nonce Retrieval**: \n    *   Navigate to `\u002Fwp-admin\u002Fadmin.php?page=wcblu-dashboard`.\n    *   Execute `browser_eval(\"adminajax.nonce\")` to get the token.\n3.  **Data Extraction**: Send a POST request to `admin-ajax.php` to dump the settings.\n    *   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body**: `action=wcblu_export_lite_settings&nonce=[NONCE]`\n4.  **Data Analysis**: The response will be a JSON object containing the `wcblu_settings`, which typically includes the `blacklist_emails`, `blacklist_ips`, and `blacklist_zipcodes`.\n\n## 6. Test Data Setup\n1.  **Administrator Actions**:\n    *   Go to **Fraud Prevention > Blacklist Settings**.\n    *   Add `evil-attacker@example.com` to the \"Blacklisted Emails\".\n    *   Add `1.3.3.7` to the \"Blacklisted IPs\".\n    *   Save settings.\n2.  **User Creation**:\n    *   Create a user `attacker_sub` with the `Subscriber` role.\n3.  **Confirm Plugin State**:\n    *   Verify `get_option('wcblu_settings')` contains the test data using WP-CLI.\n\n## 7. Expected Results\nA successful exploit will return a JSON response with `success: true` and a `data` field containing a serialized or JSON-encoded string of the plugin's configuration. This configuration will expose the blacklisted email (`evil-attacker@example.com`) and IP (`1.3.3.7`).\n\n## 8. Verification Steps\n1.  **HTTP Check**: Verify the HTTP response status is `200 OK` and the body contains the string `evil-attacker@example.com`.\n2.  **Database Comparison**: Use WP-CLI to confirm the output matches the actual plugin settings:\n    `wp option get wcblu_settings --format=json`\n\n## 9. Alternative Approaches\nIf `wcblu_export_lite_settings` is not the correct action name (it varies between lite versions), try:\n*   `wcblu_export_settings`\n*   `wcblu_get_dashboard_data` (This might return a summary of fraud attempts, exposing customer transaction amounts or emails).\n*   Check the HTML source of the dashboard page for a hidden input named `wcblu_export_action` which contains the dynamic action name:\n    `browser_eval(\"document.querySelector('input[name=\\\"wcblu_export_action\\\"]')?.value\")`","gemini-3-flash-preview","2026-05-05 03:04:54","2026-05-05 03:05:29",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers\u002Ftags\u002F2.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers.2.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers\u002Ftags\u002F2.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers.2.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers\u002Ftags"]