License Manager for WooCommerce <= 3.0.15 - Unauthenticated Insecure Direct Object Reference
Description
The License Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.15 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform unauthorized actions.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.0.15What Changed in the Fix
Changes introduced in v3.0.16
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-56013 ## 1. Vulnerability Summary The **License Manager for WooCommerce** plugin (versions <= 3.0.15) is vulnerable to an **Unauthenticated Insecure Direct Object Reference (IDOR)**. The vulnerability exists in the plugin's REST API endpoints (specifically t…
Show full research plan
Exploitation Research Plan - CVE-2026-56013
1. Vulnerability Summary
The License Manager for WooCommerce plugin (versions <= 3.0.15) is vulnerable to an Unauthenticated Insecure Direct Object Reference (IDOR). The vulnerability exists in the plugin's REST API endpoints (specifically those related to Generators and Licenses) and potentially its global action handlers. Due to an insufficiently restrictive permission_callback in the RestController and missing authorization checks within specific endpoint callbacks (like deleteGenerator or updateGenerator), unauthenticated users can perform actions on resources (generators, licenses, or activations) by simply providing their ID.
2. Attack Vector Analysis
- Endpoint:
/wp-json/lmfwc/v2/generators/{generator_id}or/wp-json/lmfwc/v2/licenses/{license_id} - HTTP Methods:
DELETE,PUT, orGET. - Payload Parameter:
{generator_id}or{license_id}in the URL path. - Authentication: None (Unauthenticated).
- Preconditions: The specific REST route must be enabled in the plugin settings (checked via
isRouteEnabled). By default, many are enabled for functionality.
3. Code Flow
- Route Registration: In
includes/Api/V2/Generators.php, theregister_routes()method registers theDELETEmethod for `generators/(?P<
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.