iPOSpays Gateways WC <= 1.3.7 - Missing Authorization

Since the source code for ipospays-gateways-wc version 1.3.7 is not provided, this research plan relies on the vulnerability description ("Missing Authorization") and standard patterns for WooCommerce payment gateway plugins. The plan focuses on discovering the specific AJAX or hook-based entry points that allow unauthorized configuration changes.

1. Vulnerability Summary

The iPOSpays Gateways WC plugin (up to version 1.3.7) suffers from a Missing Authorization vulnerability. This typically occurs when a function intended for administrative use (like updating gateway settings, API keys, or terminal configurations) is registered as an AJAX action or hooked into a global initialization hook (like admin_init) without a proper current_user_can('manage_options') check. Because the vulnerability is reported as accessible to unauthenticated attackers, it is highly likely that the action is registered via wp_ajax_nopriv_ or the logic executes on admin_init (which runs for any request to /wp-admin/admin-ajax.php, regardless of authentication).

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php or any request triggering admin_init.
• Action Name: Likely involves ipospays (e.g., ipospays_save_settings, ipospays_update_config, or save_gateway_settings).
• Payload Parameters: Likely a POST request containing setting keys (e.g., ipospays_api_key, ipospays_terminal_id) and potentially a nonce.
• Authentication: None (Unauthenticated).
• Preconditions: The plugin must be active and WooCommerce must be installed.

3. Code Flow (Inferred Discovery Strategy)

The agent must first identify the vulnerable function. The trace will likely follow this path:

1. Registration: The plugin registers a handler via add_action('wp_ajax_nopriv_{action}', ...) or add_action('admin_init', ...).
2. Lack of Check: The callback function associated with the hook is missing a call to current_user_can().
3. Sink: The function calls update_option() or update_user_meta() using data from $_POST or $_REQUEST.

4. Nonce Acquisition Strategy

If the vulnerable endpoint requires a nonce (even if it lacks a capability check), follow these steps:

1. Identify Nonce Location: Search the codebase for wp_create_nonce or check_ajax_referer. Look for where the nonce is localized:
   • grep -r "wp_localize_script" .
2. Target Shortcode: Payment gateways often enqueue scripts on the WooCommerce checkout page or their own settings page.
   • Search for shortcodes: grep -r "add_shortcode" .
3. Setup Page:

   # Create a checkout page if one doesn't exist to trigger script loading
   wp post create --post_type=page --post_status=publish --post_title="Checkout" --post_content='[woocommerce_checkout]'
   

4. Extract via Browser:
   • Navigate to the newly created page.
   • In browser_eval, look for the localized object. Common guesses for this plugin:
     • window.ipospays_params?.nonce
     • window.ipospays_settings?.ajax_nonce
     • window.wc_ipospays_params?.nonce

5. Exploitation Strategy

This plan assumes the vulnerability allows unauthorized updates to the gateway settings.

Step 1: Discovery
Search the plugin directory for sensitive sinks and missing checks:

# Find all AJAX actions
grep -r "wp_ajax_" .
# Find functions that update WooCommerce settings/options
grep -r "update_option" .
# Specifically look for functions that handle POST data without permission checks
grep -r "POST" . | grep -v "current_user_can"

Step 2: Target Identification (Hypothetical)
Assume the agent finds:
add_action('wp_ajax_nopriv_ipospays_update_settings', 'ipospays_save_settings_callback');

Step 3: Crafting the Exploit
The attacker will attempt to change the API endpoint or credentials to their own to intercept payments or disable the gateway.

• Request Method: POST
• URL: http://<target>/wp-admin/admin-ajax.php
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=ipospays_update_settings&ipospays_api_key=attacker_controlled_key&ipospays_terminal_id=1337&nonce=[EXTRACTED_NONCE]
  

6. Test Data Setup

1. Install WooCommerce: wp plugin install woocommerce --activate
2. Install Target Plugin: Ensure ipospays-gateways-wc <= 1.3.7 is installed and active.
3. Configure Gateway: Briefly enable the iPOSpays gateway in WooCommerce settings so that the option woocommerce_ipospays_settings exists in the database.
4. Create Trigger Page: Create a page with [woocommerce_checkout] to ensure scripts and nonces are generated if needed for unauthenticated users.

7. Expected Results

• The server should return a successful response (likely a JSON {"success": true} or a 1).
• The plugin settings in the database will be modified to the attacker's values.

8. Verification Steps

After sending the HTTP request, verify the change via WP-CLI:

# Check the WooCommerce gateway settings for iPOSpays
wp option get woocommerce_ipospays_settings

Confirm that the ipospays_api_key or ipospays_terminal_id matches the value sent in the payload.

9. Alternative Approaches

If no wp_ajax_nopriv action is found:

1. Examine admin_init: Search for functions hooked to admin_init that process $_POST data. These functions run even for unauthenticated users accessing admin-ajax.php.
   • grep -r "admin_init" .
2. Direct Setting Save: Look for the WooCommerce process_admin_options method. If the plugin calls this method from an insecure hook, any user can trigger a settings save.
3. Check for Export/Log Access: If the "unauthorized action" isn't a setting change, it might be an unauthorized download of transaction logs or debug files. Search for wp_die or exit calls following file read operations.