[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXETq-reIlg0uGyblMLj48iDfo4S5KRxvwzPGguQUdeE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-34891","idpay-payment-gateway-for-woocommerce-unauthenticated-information-exposure","IDPay Payment Gateway for Woocommerce \u003C= 2.2.5 - Unauthenticated Information Exposure","The IDPay Payment Gateway for Woocommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","woo-idpay-gateway",null,"\u003C=2.2.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-06 00:00:00","2026-04-15 19:37:35",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F39543965-fa15-4169-ae99-582c49b629ab?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-34891 (IDPay Payment Gateway for Woocommerce)\n\n## 1. 
Vulnerability Summary\nThe **IDPay Payment Gateway for Woocommerce** plugin (versions \u003C= 2.2.5) contains an unauthenticated information exposure vulnerability. This occurs because certain AJAX handlers or callback endpoints, intended for processing payment notifications from the IDPay server, fail to implement proper authorization checks or cryptographic verification before displaying sensitive order information. An unauthenticated attacker can probe these endpoints to extract Personally Identifiable Information (PII) of customers, such as names, email addresses, phone numbers, and physical addresses, as well as internal order metadata.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `idpay_callback` or `idpay_check_status` (inferred based on common gateway patterns in this plugin)\n*   **Vulnerable Parameter:** `id` (transaction ID) or `order_id`\n*   **Authentication:** None required (unauthenticated)\n*   **Preconditions:** \n    1.  WooCommerce must be active.\n    2.  At least one order must have been attempted or completed using the IDPay gateway to provide a valid target ID.\n\n## 3. Code Flow\n1.  The plugin registers an unauthenticated AJAX handler in the gateway class constructor (likely in `includes\u002Fclass-wc-idpay-gateway.php`):\n    `add_action( 'wp_ajax_nopriv_idpay_callback', array( $this, 'handle_callback' ) );`\n2.  The `handle_callback` (or similar) function is triggered via an HTTP request to `admin-ajax.php?action=idpay_callback`.\n3.  The function retrieves a transaction identifier from the request: `$id = $_REQUEST['id'];`.\n4.  It fetches the corresponding WooCommerce order: `$order = wc_get_order( $id );`.\n5.  **Vulnerability Point:** Before verifying the authenticity of the request (e.g., checking the IDPay HMAC signature or API key), the code may output order details or logs for debugging purposes or as part of a status check response.\n6.  
The response is sent to the client, containing sensitive customer data extracted from the `$order` object.\n\n## 4. Nonce Acquisition Strategy\nThis specific vulnerability likely resides in a **callback\u002Fwebhook handler**. Payment gateway callbacks (from servers like IDPay to WordPress) **cannot** use standard WordPress nonces because the external server has no way of obtaining the nonce.\n\n*   **Observation:** If the action is registered via `wp_ajax_nopriv_`, check if `check_ajax_referer` is used. In callback handlers for payment processors, it is almost always absent or bypassed.\n*   **Verification:** If a nonce is required for a frontend status check (rather than a server-to-server callback), it will be localized. \n    *   **JS Variable:** `window.idpay_params` or `window.wc_idpay_params` (inferred).\n    *   **Extraction Command:** `browser_eval(\"window.idpay_params?.nonce\")`\n*   **Fallback:** If the target is the callback handler, no nonce is required.\n\n## 5. Exploitation Strategy\nThe goal is to trigger the unauthenticated information leak via a crafted AJAX request.\n\n1.  **Enumerate IDs:** Since WordPress order IDs are typically incremental integers, the attacker can iterate through a range of IDs.\n2.  **Request Construction:**\n    *   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** POST or GET (depending on handler implementation)\n    *   **Parameters:**\n        *   `action`: `idpay_callback` (or `idpay_verify`)\n        *   `order_id`: `[ID]`\n3.  **Payload Execution (using http_request tool):**\n    ```json\n    {\n      \"method\": \"GET\",\n      \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php?action=idpay_callback&order_id=123\"\n    }\n    ```\n4.  **Analyze Response:** Look for JSON or HTML containing strings like \"billing_first_name\", \"@gmail.com\", or physical addresses.\n\n## 6. 
Test Data Setup\nTo verify the exposure, the environment must contain an order linked to the gateway.\n1.  **Configure Gateway:** Enable IDPay in WooCommerce settings (use dummy API key `test-key`).\n2.  **Create Order:**\n    ```bash\n    wp user create victim victim@example.com --role=customer\n    # Create an order for the victim\n    wp wc order create --customer_id=$(wp user get victim --field=ID) --status=pending --user=victim --billing='{\"first_name\":\"Sensitive\",\"last_name\":\"User\",\"address_1\":\"123 Secret St\",\"phone\":\"555-0199\",\"email\":\"victim@example.com\"}'\n    ```\n3.  **Get Order ID:** Note the ID of the created order (e.g., `123`).\n\n## 7. Expected Results\nA successful exploit will return a response containing the customer's PII.\n*   **Response Body Example:**\n    ```json\n    {\n      \"status\": \"success\",\n      \"data\": {\n        \"order_id\": 123,\n        \"customer\": \"Sensitive User\",\n        \"email\": \"victim@example.com\",\n        \"address\": \"123 Secret St\",\n        \"phone\": \"555-0199\"\n      }\n    }\n    ```\n*   Even if the payment status is \"failed,\" the exposure of the associated order details constitutes the vulnerability.\n\n## 8. Verification Steps\nAfter the HTTP request, verify that the data received matches the database content for that order:\n```bash\nwp wc order get 123 --field=billing\n```\nCompare the output of the CLI command with the HTTP response body. If they match and the HTTP request was made without any cookies\u002Fauthentication, the vulnerability is confirmed.\n\n## 9. Alternative Approaches\nIf `idpay_callback` does not yield results, try the following common IDPay gateway actions:\n*   `action=idpay_verify`\n*   `action=idpay_check_order`\n*   `action=idpay_get_transaction`\n\nCheck for **log file exposure**:\nIDPay gateways often log to `wp-content\u002Fuploads\u002Fwc-logs\u002Fidpay-[random-string].log`. 
If the plugin exposes this log name via an AJAX call or localized script, an attacker can download the entire transaction log.\n*   **Search for log generation:** `grep -r \"wc_get_logger\" .` in the plugin directory.\n*   **Search for log file path exposure:** `grep -r \"get_log_file_path\" .`","The IDPay Payment Gateway for Woocommerce plugin for WordPress is vulnerable to sensitive information exposure in its unauthenticated AJAX callback handlers. An attacker can supply order identifiers to these endpoints to retrieve customer Personally Identifiable Information (PII) including names, emails, and addresses because the plugin fails to verify request authenticity before displaying order details.","The exploit targets the WordPress AJAX endpoint to trigger payment gateway callback or verification actions. An unauthenticated attacker sends a GET or POST request to wp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'idpay_callback' (or similar status-checking actions) and an 'order_id' or 'id' parameter. Since the plugin does not verify the authenticity of the request (e.g., via HMAC signature or API credentials) before processing the order lookup, it retrieves the WooCommerce order object and returns its data. By enumerating order IDs, an attacker can scrape customer PII such as names, email addresses, phone numbers, and shipping addresses.","gemini-3-flash-preview","2026-04-17 21:23:43","2026-04-17 21:24:10",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-idpay-gateway\u002Ftags"]