[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbvuFqdrvfHNaOAP84H-iqqxwZT7r1YtiDpKvWLhjAbM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39608","ipospays-gateways-wc-missing-authorization","iPOSpays Gateways WC \u003C= 1.3.7 - Missing Authorization","The iPOSpays Gateways WC plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ipospays-gateways-wc",null,"\u003C=1.3.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-07 00:00:00","2026-04-15 21:17:02",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa7041b6c-b76d-46ee-a2d5-68378ee7f7b6?source=api-prod",[],"researched",false,3,"Since the source code for `ipospays-gateways-wc` version 1.3.7 is not provided, this research plan relies on the vulnerability description (\"Missing Authorization\") and standard patterns for WooCommerce payment gateway plugins. 
The plan focuses on discovering the specific AJAX or hook-based entry points that allow unauthorized configuration changes.\n\n### 1. Vulnerability Summary\nThe **iPOSpays Gateways WC** plugin (up to version 1.3.7) suffers from a **Missing Authorization** vulnerability. This typically occurs when a function intended for administrative use (like updating gateway settings, API keys, or terminal configurations) is registered as an AJAX action or hooked into a global initialization hook (like `admin_init`) without a proper `current_user_can('manage_options')` check. Because the vulnerability is reported as accessible to unauthenticated attackers, it is highly likely that the action is registered via `wp_ajax_nopriv_` or the logic executes on `admin_init` (which runs for any request to `\u002Fwp-admin\u002Fadmin-ajax.php`, regardless of authentication).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` or any request triggering `admin_init`.\n*   **Action Name:** Likely involves `ipospays` (e.g., `ipospays_save_settings`, `ipospays_update_config`, or `save_gateway_settings`).\n*   **Payload Parameters:** Likely a `POST` request containing setting keys (e.g., `ipospays_api_key`, `ipospays_terminal_id`) and potentially a nonce.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active and WooCommerce must be installed.\n\n### 3. Code Flow (Inferred Discovery Strategy)\nThe agent must first identify the vulnerable function. The trace will likely follow this path:\n1.  **Registration:** The plugin registers a handler via `add_action('wp_ajax_nopriv_{action}', ...)` or `add_action('admin_init', ...)`.\n2.  **Lack of Check:** The callback function associated with the hook is missing a call to `current_user_can()`.\n3.  **Sink:** The function calls `update_option()` or `update_user_meta()` using data from `$_POST` or `$_REQUEST`.\n\n### 4. 
Nonce Acquisition Strategy\nIf the vulnerable endpoint requires a nonce (even if it lacks a capability check), follow these steps:\n\n1.  **Identify Nonce Location:** Search the codebase for `wp_create_nonce` or `check_ajax_referer`. Look for where the nonce is localized:\n    *   `grep -r \"wp_localize_script\" .`\n2.  **Target Shortcode:** Payment gateways often enqueue scripts on the WooCommerce checkout page or their own settings page.\n    *   Search for shortcodes: `grep -r \"add_shortcode\" .`\n3.  **Setup Page:**\n    ```bash\n    # Create a checkout page if one doesn't exist to trigger script loading\n    wp post create --post_type=page --post_status=publish --post_title=\"Checkout\" --post_content='[woocommerce_checkout]'\n    ```\n4.  **Extract via Browser:**\n    *   Navigate to the newly created page.\n    *   In `browser_eval`, look for the localized object. Common guesses for this plugin:\n        *   `window.ipospays_params?.nonce`\n        *   `window.ipospays_settings?.ajax_nonce`\n        *   `window.wc_ipospays_params?.nonce`\n\n### 5. Exploitation Strategy\nThis plan assumes the vulnerability allows unauthorized updates to the gateway settings.\n\n**Step 1: Discovery**\nSearch the plugin directory for sensitive sinks and missing checks:\n```bash\n# Find all AJAX actions\ngrep -r \"wp_ajax_\" .\n# Find functions that update WooCommerce settings\u002Foptions\ngrep -r \"update_option\" .\n# Lines that read request data; the -v filter only drops lines that themselves contain current_user_can, so open each hit and look for a check elsewhere in the same function\ngrep -r \"POST\" . 
| grep -v \"current_user_can\"\n```\n\n**Step 2: Target Identification (Hypothetical)**\nAssume the agent finds:\n`add_action('wp_ajax_nopriv_ipospays_update_settings', 'ipospays_save_settings_callback');`\n\n**Step 3: Crafting the Exploit**\nThe attacker will attempt to change the API endpoint or credentials to their own to intercept payments or disable the gateway.\n\n*   **Request Method:** `POST`\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=ipospays_update_settings&ipospays_api_key=attacker_controlled_key&ipospays_terminal_id=1337&nonce=[EXTRACTED_NONCE]\n    ```\n\n### 6. Test Data Setup\n1.  **Install WooCommerce:** `wp plugin install woocommerce --activate`\n2.  **Install Target Plugin:** Ensure `ipospays-gateways-wc` \u003C= 1.3.7 is installed and active.\n3.  **Configure Gateway:** Briefly enable the iPOSpays gateway in WooCommerce settings so that the option `woocommerce_ipospays_settings` exists in the database.\n4.  **Create Trigger Page:** Create a page with `[woocommerce_checkout]` to ensure scripts and nonces are generated if needed for unauthenticated users.\n\n### 7. Expected Results\n*   If the handler ends with `wp_send_json_success()`, the response body is `{\"success\":true,\"data\":null}`; a handler that simply exits may return `1` or an empty body. A bare `0` means admin-ajax.php found no handler registered for that action name in the unauthenticated (`nopriv`) context, or the callback returned without dying, so the guessed action name should be revisited.\n*   The plugin settings in the database will be modified to the attacker's values.\n\n### 8. Verification Steps\nRecord the option before the request, then verify the change via WP-CLI:\n```bash\n# Check the WooCommerce gateway settings for iPOSpays\nwp option get woocommerce_ipospays_settings\n```\nConfirm that the stored API key and terminal ID entries (the key names inside the option depend on how the handler writes it and need not match the `ipospays_api_key` \u002F `ipospays_terminal_id` request parameters) now hold the values sent in the payload.\n\n### 9. Alternative Approaches\nIf no `wp_ajax_nopriv` action is found:\n1.  **Examine `admin_init`:** Search for functions hooked to `admin_init` that process `$_POST` data. 
These functions run even for unauthenticated users accessing `admin-ajax.php`.\n    *   `grep -r \"admin_init\" .`\n2.  **Direct Setting Save:** Look for the WooCommerce `process_admin_options` method. If the plugin calls this method from an insecure hook, any user can trigger a settings save.\n3.  **Check for Export\u002FLog Access:** If the \"unauthorized action\" isn't a setting change, it might be an unauthorized download of transaction logs or debug files. Search for `wp_die` or `exit` calls following file read operations.","The iPOSpays Gateways WC plugin for WordPress is vulnerable to unauthorized access because it fails to perform a capability check on functions that modify plugin settings or perform administrative actions. This allows unauthenticated attackers to manipulate payment gateway configurations, such as API keys or terminal identifiers, by interacting with exposed AJAX actions or initialization hooks.","\u002F\u002F Inferred vulnerable handler registration (typically in the main plugin file or admin class)\nadd_action('wp_ajax_nopriv_ipospays_update_settings', 'ipospays_save_settings_callback');\nadd_action('wp_ajax_ipospays_update_settings', 'ipospays_save_settings_callback');\n\n---\n\n\u002F\u002F Inferred vulnerable callback function (missing authorization checks)\nfunction ipospays_save_settings_callback() {\n    \u002F\u002F Missing: if (!current_user_can('manage_options')) { wp_die(); }\n    \u002F\u002F Missing: check_ajax_referer('some_nonce', 'security');\n\n    if (isset($_POST['ipospays_api_key'])) {\n        $settings = get_option('woocommerce_ipospays_settings', array());\n        $settings['api_key'] = sanitize_text_field($_POST['ipospays_api_key']);\n        $settings['terminal_id'] = sanitize_text_field($_POST['ipospays_terminal_id']);\n        update_option('woocommerce_ipospays_settings', $settings);\n    }\n    \n    wp_send_json_success();\n}","--- a\u002Fipospays-gateways-wc.php\n+++ b\u002Fipospays-gateways-wc.php\n@@ 
-10,12 +10,18 @@\n \n function ipospays_save_settings_callback() {\n+    \u002F\u002F Verify user has administrative permissions\n+    if (!current_user_can('manage_options')) {\n+        wp_send_json_error('Unauthorized access', 403);\n+        return;\n+    }\n+\n+    \u002F\u002F Verify nonce to prevent CSRF\n+    check_ajax_referer('ipospays_settings_action', 'security');\n+\n     if (isset($_POST['ipospays_api_key'])) {\n         $settings = get_option('woocommerce_ipospays_settings', array());\n         $settings['api_key'] = sanitize_text_field($_POST['ipospays_api_key']);\n         $settings['terminal_id'] = sanitize_text_field($_POST['ipospays_terminal_id']);\n         update_option('woocommerce_ipospays_settings', $settings);\n     }\n-    \n     wp_send_json_success();\n }","To exploit this vulnerability, an unauthenticated attacker identifies the AJAX action used by the plugin for saving configuration (likely registered via wp_ajax_nopriv_). The attacker then sends a POST request to the \u002Fwp-admin\u002Fadmin-ajax.php endpoint. The payload includes the target action (e.g., action=ipospays_update_settings) and the malicious configuration values (e.g., ipospays_api_key=ATTACKER_KEY). Because the plugin lacks a current_user_can() check, the server processes the request and updates the site's database with the attacker's controlled settings. If the handler checks a nonce but not a capability, the nonce is not a barrier: WordPress mints nonces for logged-out visitors against user ID 0 with no session token, so a nonce the plugin localizes on a public page (such as the checkout page) is valid for any unauthenticated client and can simply be harvested from that page.","gemini-3-flash-preview","2026-04-21 03:19:02","2026-04-21 03:19:22",{"type":32,"vulnerable_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fipospays-gateways-wc\u002Ftags"]
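Review bot: the `return;` after `wp_send_json_error('Unauthorized access', 403);` is unreachable, because `wp_send_json_error()` terminates the request itself (it ends in `wp_die()`); drop it. The larger gap is that the hunk hardens only the callback body: the inferred registration also hooks this callback on `wp_ajax_nopriv_ipospays_update_settings`, and an admin-only settings save has no legitimate unauthenticated caller, so that `nopriv` registration should be removed as well rather than relying on the `manage_options` check to reject every anonymous request. In the unchanged context lines, `$_POST['ipospays_terminal_id']` is read without its own `isset()` guard, so a request carrying only `ipospays_api_key` raises an undefined-index warning and blanks the terminal ID. Finally, the hunk header `-10,12 +10,18` does not match the body shown (11 old-side lines, 19 new-side lines), so the diff will not apply cleanly as written.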
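The discovery strategy in sections 3 and 5 of the research plan (find `wp_ajax_nopriv_` and `admin_init` registrations, resolve the callback, check whether it guards its writes with `current_user_can()`) as a runnable script, added here as an illustration; it is not code from the iPOSpays plugin, its vendor, or the original research. Every hook, function and option name in the embedded sample is constructed, and the regex approach is deliberately coarse (string callbacks only, naive brace matching), so its findings are triage leads to confirm by reading the code, not proof of a vulnerability. It also separates nonce checks from capability checks, since a nonce-only handler is still reachable by any client that can load the page carrying the nonce.

```python
"""Static triage for missing-authorization handlers in a WordPress plugin.

Added example (hypothetical names throughout): unlike a per-line grep, it credits a
capability check anywhere in the callback body and reports which hooks are reachable
without a logged-in user.
"""
import re
import sys

# Constructed sample source modelled on the inferred registrations discussed on the
# page. ipospays_export_log is a correctly guarded counterexample; ipospays_handle_post
# checks a nonce but no capability.
SAMPLE_PLUGIN_PHP = r"""<?php
add_action('wp_ajax_nopriv_ipospays_update_settings', 'ipospays_save_settings_callback');
add_action('wp_ajax_ipospays_update_settings', 'ipospays_save_settings_callback');
add_action('wp_ajax_ipospays_export_log', 'ipospays_export_log');
add_action('admin_init', 'ipospays_handle_post');

function ipospays_save_settings_callback() {
    if (isset($_POST['ipospays_api_key'])) {
        $settings = get_option('woocommerce_ipospays_settings', array());
        $settings['api_key'] = sanitize_text_field($_POST['ipospays_api_key']);
        update_option('woocommerce_ipospays_settings', $settings);
    }
    wp_send_json_success();
}

function ipospays_export_log() {
    check_ajax_referer('ipospays_log', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('ipospays_last_export', time());
    wp_send_json_success(get_option('ipospays_log'));
}

function ipospays_handle_post() {
    if (isset($_POST['ipospays_reset']) && wp_verify_nonce($_POST['_wpnonce'], 'ipospays_reset')) {
        delete_option('woocommerce_ipospays_settings');
    }
}
"""

# Hooks WordPress runs for requests with no logged-in user; admin_init fires for any
# request to wp-admin/admin-ajax.php, authenticated or not.
UNAUTH_HOOKS = {"admin_init", "init", "wp_loaded"}

HOOK_RE = re.compile(r"""add_action\(\s*['"](?P<hook>[^'"]+)['"]\s*,\s*['"](?P<cb>[A-Za-z_]\w*)['"]""")
FUNC_RE = re.compile(r"\bfunction\s+(?P<name>[A-Za-z_]\w*)\s*\([^)]*\)\s*\{")
SINK_RE = re.compile(r"\b(update_option|add_option|delete_option|update_user_meta)\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


def extract_function_bodies(src):
    """Map function name -> body text by brace matching from the opening '{'.
    Braces inside strings or comments will confuse it; acceptable for triage."""
    bodies = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
            i += 1
        bodies[m.group("name")] = src[m.end():i - 1]
    return bodies


def reachable_unauthenticated(hook):
    """True if WordPress runs this hook for a request with no logged-in user."""
    return hook.startswith("wp_ajax_nopriv_") or hook in UNAUTH_HOOKS


def audit(src):
    """One finding per add_action() whose string callback writes state without a
    current_user_can() check. Array callbacks (array($this, 'm')) are not resolved."""
    bodies = extract_function_bodies(src)
    findings = []
    for m in HOOK_RE.finditer(src):
        hook, cb = m.group("hook"), m.group("cb")
        body = bodies.get(cb)
        if body is None:
            continue
        sinks = sorted(set(SINK_RE.findall(body)))
        if not sinks or CAP_RE.search(body):
            continue
        findings.append({
            "hook": hook,
            "callback": cb,
            "sinks": sinks,
            # A nonce is CSRF protection, not authorization: nonces for logged-out
            # visitors are minted for user ID 0 and work for any anonymous client.
            "nonce_only": bool(NONCE_RE.search(body)),
            "reachability": "unauthenticated" if reachable_unauthenticated(hook) else "any logged-in user",
        })
    return findings


def main(argv):
    src = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLUGIN_PHP
    for f in audit(src):
        print(f"[{f['reachability']}] {f['hook']} -> {f['callback']}() writes "
              f"{', '.join(f['sinks'])} without current_user_can()"
              + (" (nonce check only)" if f["nonce_only"] else ""))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a plugin file as the only argument (`python audit.py ipospays-gateways-wc.php`) or with no argument to audit the embedded sample; on the sample it reports the `nopriv` settings handler as unauthenticated, the same callback on the `wp_ajax_` hook as reachable by any logged-in user, and the `admin_init` handler as nonce-only, while the guarded export handler produces nothing.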