Instantio <= 3.3.30 - Unauthenticated Information Exposure
Description
The Instantio — Side Cart & One-Page Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v3.3.31
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-39571 (Instantio) ## 1. Vulnerability Summary The **Instantio** plugin (<= 3.3.30) for WooCommerce is vulnerable to **Sensitive Information Exposure**. This occurs because several AJAX handlers, specifically those registered with `wp_ajax_nopriv_`, do not imp…
Show full research plan
Exploitation Research Plan - CVE-2026-39571 (Instantio)
1. Vulnerability Summary
The Instantio plugin (<= 3.3.30) for WooCommerce is vulnerable to Sensitive Information Exposure. This occurs because several AJAX handlers, specifically those registered with wp_ajax_nopriv_, do not implement sufficient capability checks or nonce verification. This allows unauthenticated attackers to trigger actions that return sensitive data, such as user PII (from checkout fragments) or plugin configuration settings (wiopt option).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
ins_update_order_review_callback(Identified in JS) orins_ajax_cart_reload(Identified inApp.php). - Method:
POST - Authentication: Unauthenticated (via
noprivhooks). - Vulnerability: Information exposure of session-based PII or global configuration data.
3. Code Flow
- Registration: In
includes/controller/App.php, various AJAX actions are registered asnopriv.wp_ajax_nopriv_ins_ajax_cart_reload(Line 25)wp_ajax_nopriv_ins_ajax_update_cart(Line 41)
- Frontend Execution: The JS file `assets/app/
Summary
The Instantio plugin for WordPress is vulnerable to unauthenticated sensitive information exposure because it lacks nonce verification and capability checks on multiple AJAX handlers, including 'ins_ajax_cart_single' and 'ins_ajax_cart_reload'. This allows unauthenticated attackers to trigger cart and checkout updates that return sensitive session data, potentially including user PII or configuration details.
Vulnerable Code
// includes/controller/App.php // Line 25 add_action( 'wp_ajax_nopriv_ins_ajax_cart_reload', array( $this, 'ins_ajax_cart_reload' ), 20 ); add_action( 'wp_ajax_ins_ajax_cart_reload', array( $this, 'ins_ajax_cart_reload' ), 20 ); // Line 29 add_action( 'wp_ajax_nopriv_ins_ajax_cart_single', array( $this, 'ins_ajax_cart_single' ), 20 ); add_action( 'wp_ajax_ins_ajax_cart_single', array( $this, 'ins_ajax_cart_single' ), 20 ); --- // includes/controller/App.php line 395 public function ins_ajax_cart_single() { $product_id = apply_filters( 'woocommerce_add_to_cart_product_id', absint( $_POST['product_id'] ) ); $quantity = empty( $_POST['quantity'] ) ? 1 : wc_stock_amount( $_POST['quantity'] ); $variation_id = absint( $_POST['variation_id'] ); $passed_validation = apply_filters( 'woocommerce_add_to_cart_validation', true, $product_id, $quantity ); $product_status = get_post_status( $product_id ); if ( $passed_validation && WC()->cart->add_to_cart( $product_id, $quantity, $variation_id ) && $product_status === 'publish' ) { do_action( 'woocommerce_ajax_added_to_cart', $product_id ); if ( get_option( 'woocommerce_cart_redirect_after_add' ) === 'yes' ) { wc_add_to_cart_message( array( $product_id => $quantity ), true ); } $this->ins_ajax_cart_reload(); } else { $data = array( 'error' => true, 'product_url' => apply_filters( 'woocommerce_cart_redirect_after_error', get_permalink( $product_id ), $product_id ) ); echo wp_send_json( $data ); } wp_die(); }
Security Fix
@@ -394,15 +394,196 @@ wp_die(); } - // Ajax Single Page Add to Cart public function ins_ajax_cart_single() { - $product_id = apply_filters( 'woocommerce_add_to_cart_product_id', absint( $_POST['product_id'] ) ); - $quantity = empty( $_POST['quantity'] ) ? 1 : wc_stock_amount( $_POST['quantity'] ); - $variation_id = absint( $_POST['variation_id'] ); - $passed_validation = apply_filters( 'woocommerce_add_to_cart_validation', true, $product_id, $quantity ); + + if ( ! isset( $_POST['nonce'] ) || + ! wp_verify_nonce( $_POST['nonce'], 'ins_ajax_nonce' ) ) { + wp_send_json( [ 'error' => true ] ); + } + + if ( ! isset( $_POST['product_id'] ) ) { + wp_send_json( [ 'error' => true ] ); + } + + $product_id = apply_filters( 'woocommerce_add_to_cart_product_id', absint( $_POST['product_id'] ) ); + $variation_id = isset( $_POST['variation_id'] ) ? absint( $_POST['variation_id'] ) : 0; + $product = wc_get_product( $product_id ); + + if ( ! $product || get_post_status( $product_id ) !== 'publish' ) { + wp_send_json( [ 'error' => true ] ); + } + $product_status = get_post_status( $product_id );
Exploit Outline
The exploit target is the `ins_ajax_cart_single` AJAX action accessible via `/wp-admin/admin-ajax.php`. 1. **Endpoint Hit**: The attacker sends a POST request to `/wp-admin/admin-ajax.php`. 2. **Payload Configuration**: The payload includes `action=ins_ajax_cart_single` and a valid `product_id`. 3. **Bypassing Authentication**: Because the action is registered with `wp_ajax_nopriv_` and lacked nonce verification in versions <= 3.3.30, any unauthenticated user can trigger the logic. 4. **Data Extraction**: Upon success, the function calls `ins_ajax_cart_reload()`, which returns WooCommerce cart fragments. These fragments often contain user-specific data, including PII or session-related configuration details stored in the cart/checkout object, resulting in information disclosure.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.