CVE-2026-39571

Instantio <= 3.3.30 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.3.31
Patched in
42d
Time to patch

Description

The Instantio — Side Cart & One-Page Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=3.3.30
PublishedMarch 25, 2026
Last updatedMay 5, 2026
Affected plugininstantio

What Changed in the Fix

Changes introduced in v3.3.31

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-39571 (Instantio) ## 1. Vulnerability Summary The **Instantio** plugin (<= 3.3.30) for WooCommerce is vulnerable to **Sensitive Information Exposure**. This occurs because several AJAX handlers, specifically those registered with `wp_ajax_nopriv_`, do not imp…

Show full research plan

Exploitation Research Plan - CVE-2026-39571 (Instantio)

1. Vulnerability Summary

The Instantio plugin (<= 3.3.30) for WooCommerce is vulnerable to Sensitive Information Exposure. This occurs because several AJAX handlers, specifically those registered with wp_ajax_nopriv_, do not implement sufficient capability checks or nonce verification. This allows unauthenticated attackers to trigger actions that return sensitive data, such as user PII (from checkout fragments) or plugin configuration settings (wiopt option).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: ins_update_order_review_callback (Identified in JS) or ins_ajax_cart_reload (Identified in App.php).
  • Method: POST
  • Authentication: Unauthenticated (via nopriv hooks).
  • Vulnerability: Information exposure of session-based PII or global configuration data.

3. Code Flow

  1. Registration: In includes/controller/App.php, various AJAX actions are registered as nopriv.
    • wp_ajax_nopriv_ins_ajax_cart_reload (Line 25)
    • wp_ajax_nopriv_ins_ajax_update_cart (Line 41)
  2. Frontend Execution: The JS file `assets/app/
Research Findings
Static analysis — not yet PoC-verified

Summary

The Instantio plugin for WordPress is vulnerable to unauthenticated sensitive information exposure because it lacks nonce verification and capability checks on multiple AJAX handlers, including 'ins_ajax_cart_single' and 'ins_ajax_cart_reload'. This allows unauthenticated attackers to trigger cart and checkout updates that return sensitive session data, potentially including user PII or configuration details.

Vulnerable Code

// includes/controller/App.php

// Line 25
add_action( 'wp_ajax_nopriv_ins_ajax_cart_reload', array( $this, 'ins_ajax_cart_reload' ), 20 );
add_action( 'wp_ajax_ins_ajax_cart_reload', array( $this, 'ins_ajax_cart_reload' ), 20 );

// Line 29
add_action( 'wp_ajax_nopriv_ins_ajax_cart_single', array( $this, 'ins_ajax_cart_single' ), 20 );
add_action( 'wp_ajax_ins_ajax_cart_single', array( $this, 'ins_ajax_cart_single' ), 20 );

---

// includes/controller/App.php line 395
public function ins_ajax_cart_single() {
    $product_id = apply_filters( 'woocommerce_add_to_cart_product_id', absint( $_POST['product_id'] ) );
    $quantity = empty( $_POST['quantity'] ) ? 1 : wc_stock_amount( $_POST['quantity'] );
    $variation_id = absint( $_POST['variation_id'] );
    $passed_validation = apply_filters( 'woocommerce_add_to_cart_validation', true, $product_id, $quantity );
    $product_status = get_post_status( $product_id );

    if ( $passed_validation && WC()->cart->add_to_cart( $product_id, $quantity, $variation_id ) && $product_status === 'publish' ) {

        do_action( 'woocommerce_ajax_added_to_cart', $product_id );

        if ( get_option( 'woocommerce_cart_redirect_after_add' ) === 'yes' ) {
            wc_add_to_cart_message( array( $product_id => $quantity ), true );
        }

        $this->ins_ajax_cart_reload();

    } else {
        $data = array(
            'error' => true,
            'product_url' => apply_filters( 'woocommerce_cart_redirect_after_error', get_permalink( $product_id ), $product_id ) );

        echo wp_send_json( $data );
    }
    wp_die();
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/instantio/3.3.30/includes/controller/App.php /home/deploy/wp-safety.org/data/plugin-versions/instantio/3.3.31/includes/controller/App.php
--- /home/deploy/wp-safety.org/data/plugin-versions/instantio/3.3.30/includes/controller/App.php	2026-02-08 07:33:54.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/instantio/3.3.31/includes/controller/App.php	2026-03-04 17:21:34.000000000 +0000
@@ -394,15 +394,196 @@
 		wp_die();
 	}
 
-	// Ajax Single Page Add to Cart
 	public function ins_ajax_cart_single() {
-		$product_id = apply_filters( 'woocommerce_add_to_cart_product_id', absint( $_POST['product_id'] ) );
-		$quantity = empty( $_POST['quantity'] ) ? 1 : wc_stock_amount( $_POST['quantity'] );
-		$variation_id = absint( $_POST['variation_id'] );
-		$passed_validation = apply_filters( 'woocommerce_add_to_cart_validation', true, $product_id, $quantity );
+
+		if ( ! isset( $_POST['nonce'] ) || 
+			! wp_verify_nonce( $_POST['nonce'], 'ins_ajax_nonce' ) ) {
+			wp_send_json( [ 'error' => true ] );
+		}
+
+		if ( ! isset( $_POST['product_id'] ) ) {
+			wp_send_json( [ 'error' => true ] );
+		}
+
+		$product_id   = apply_filters( 'woocommerce_add_to_cart_product_id', absint( $_POST['product_id'] ) );
+		$variation_id = isset( $_POST['variation_id'] ) ? absint( $_POST['variation_id'] ) : 0;
+		$product      = wc_get_product( $product_id );
+
+		if ( ! $product || get_post_status( $product_id ) !== 'publish' ) {
+			wp_send_json( [ 'error' => true ] );
+		}
+
 		$product_status = get_post_status( $product_id );

Exploit Outline

The exploit target is the `ins_ajax_cart_single` AJAX action accessible via `/wp-admin/admin-ajax.php`. 1. **Endpoint Hit**: The attacker sends a POST request to `/wp-admin/admin-ajax.php`. 2. **Payload Configuration**: The payload includes `action=ins_ajax_cart_single` and a valid `product_id`. 3. **Bypassing Authentication**: Because the action is registered with `wp_ajax_nopriv_` and lacked nonce verification in versions <= 3.3.30, any unauthenticated user can trigger the logic. 4. **Data Extraction**: Upon success, the function calls `ins_ajax_cart_reload()`, which returns WooCommerce cart fragments. These fragments often contain user-specific data, including PII or session-related configuration details stored in the cart/checkout object, resulting in information disclosure.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.