[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFu0rivWEgpKhZ4hlkbKMnLajW-7Nur8pdi0pnnriQ0U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-56013","license-manager-for-woocommerce-unauthenticated-insecure-direct-object-reference","License Manager for WooCommerce \u003C= 3.0.15 - Unauthenticated Insecure Direct Object Reference","The License Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.15 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform unauthorized actions.","license-manager-for-woocommerce",null,"\u003C=3.0.15","3.0.16","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-19 00:00:00","2026-06-25 13:21:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F36ccce3e-7d96-4a80-843e-041bc194812c?source=api-prod",7,[22,23,24,25,26,27,28],"CHANGELOG.md","includes\u002FAbstracts\u002FRestController.php","includes\u002FApi\u002FV2\u002FGenerators.php","includes\u002FIntegrations\u002FWooCommerce\u002FMyAccount.php","license-manager-for-woocommerce.php","readme.txt","templates\u002Fmyaccount\u002Flmfwc-view-license-keys.php","researched",false,3,"\n# Exploitation Research Plan - CVE-2026-56013\n\n## 1. Vulnerability Summary\nThe **License Manager for WooCommerce** plugin (versions \u003C= 3.0.15) is vulnerable to an **Unauthenticated Insecure Direct Object Reference (IDOR)**. The vulnerability exists in the plugin's REST API endpoints (specifically those related to Generators and Licenses) and potentially its global action handlers. Due to an insufficiently restrictive `permission_callback` in the `RestController` and missing authorization checks within specific endpoint callbacks (like `deleteGenerator` or `updateGenerator`), unauthenticated users can perform actions on resources (generators, licenses, or activations) by simply providing their ID.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Flmfwc\u002Fv2\u002Fgenerators\u002F{generator_id}` or `\u002Fwp-json\u002Flmfwc\u002Fv2\u002Flicenses\u002F{license_id}`\n- **HTTP Methods:** `DELETE`, `PUT`, or `GET`.\n- **Payload Parameter:** `{generator_id}` or `{license_id}` in the URL path.\n- **Authentication:** None (Unauthenticated).\n- **Preconditions:** The specific REST route must be enabled in the plugin settings (checked via `isRouteEnabled`). By default, many are enabled for functionality.\n\n## 3. Code Flow\n1. **Route Registration:** In `includes\u002FApi\u002FV2\u002FGenerators.php`, the `register_routes()` method registers the `DELETE` method for `generators\u002F(?P\u003C","gemini-3-flash-preview","2026-06-25 20:14:40","2026-06-25 20:16:24",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.0.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flicense-manager-for-woocommerce\u002Ftags\u002F3.0.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flicense-manager-for-woocommerce.3.0.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flicense-manager-for-woocommerce\u002Ftags\u002F3.0.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flicense-manager-for-woocommerce.3.0.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flicense-manager-for-woocommerce\u002Ftags"]