[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXjKs9-agQ8EpbWwHVWXWGZ71FtAvOOWNZ7aETe-gDQg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-27066","live-sales-notification-for-woocommerce-missing-authorization","Live sales notification for WooCommerce \u003C= 2.3.46 - Missing Authorization","The Live sales notification for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.3.46. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","live-sales-notifications-for-woocommerce",null,"\u003C=2.3.46","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-11 00:00:00","2026-03-07 01:12:51",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F322e2de7-297c-4c43-93da-7adff1f4a738?source=api-prod",[],"researched",false,3,"This research plan outlines the process for investigating and exploiting **CVE-2026-27066**, a missing authorization vulnerability in the **PiWeb Live sales notification for WooCommerce** plugin.\n\n## 1. Vulnerability Summary\nThe **Live sales notification for WooCommerce** plugin (versions \u003C= 2.3.46) suffers from a missing authorization vulnerability. Specifically, a function responsible for performing sensitive actions (likely updating settings or managing notification data) is accessible via a WordPress hook (such as `admin_init` or a `wp_ajax_nopriv_` action) without a sufficient capability check (e.g., `current_user_can( 'manage_options' )`). If confirmed, this allows unauthenticated attackers to modify plugin configuration or perform other privileged actions by sending crafted HTTP requests.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (if AJAX-based); `wp-admin\u002Fadmin-ajax.php` or `wp-admin\u002Fadmin-post.php` (if hooked to `admin_init`, which fires on both of those endpoints for unauthenticated requests but not on frontend pages); or any request to the site (if hooked to `init`).\n*   **Action:** To be identified (look for `pi_lsn_`, `lsn_`, or `piweb_` prefixes).\n*   **Authentication:** None (Unauthenticated).\n*   **Vulnerability Type:** Missing Authorization (Missing `current_user_can` check).\n*   **Payload:** POST parameters aimed at modifying plugin options (e.g., values passed to `update_option`).\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a request to `admin-ajax.php`, `admin-post.php`, or (for `init` hooks) a frontend page.\n2.  
**Hook Registration:** The plugin registers a callback using `add_action('wp_ajax_nopriv_[ACTION_NAME]', ...)` or `add_action('admin_init', ...)`.\n3.  **Missing Check:** The callback function is invoked. It lacks a check for `current_user_can()` to verify administrative privileges.\n4.  **Action Execution:** The function processes user-supplied input (from `$_POST` or `$_GET`) and performs an action, such as calling `update_option()` or modifying database records via `$wpdb`.\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable endpoint requires a nonce, the researcher must identify where the nonce is generated and exposed. A nonce handed to logged-out visitors is generated for user ID 0, so it is valid for any unauthenticated client; a nonce check is a CSRF control and does not substitute for the missing capability check.\n1.  **Identify Localization:** Look for `wp_localize_script` in the plugin source (often in a class handling assets or frontend displays).\n2.  **Target Variable:** Look for a JS object like `pi_lsn_ajax_object` or `lsn_vars` containing a `nonce` or `security` key.\n3.  **Extraction Method:**\n    *   Identify a shortcode that loads the plugin assets (e.g., `[piweb_live_sales_notification]` - *inferred*).\n    *   Create a test page: `wp post create --post_type=page --post_status=publish --post_content='[SHORTCODE]'`.\n    *   Navigate to the page and use `browser_eval(\"window.LSN_VARS?.nonce\")` to retrieve the token.\n4.  **Bypass Check:** If the vulnerable function calls `check_ajax_referer` with the `die` parameter set to `false` and doesn't check the return value, the nonce is irrelevant and any value (or none) will be accepted.\n\n## 5. 
Exploitation Strategy\n### Step 1: Identification\nSearch for the vulnerable action\u002Fhook:\n```bash\n# Search for AJAX actions\ngrep -rn \"wp_ajax_nopriv_\" .\n\n# Search for settings-related AJAX or admin_init hooks\ngrep -rn \"add_action.*admin_init\" .\ngrep -rn \"update_option\" .\n```\n\n### Step 2: Payload Crafting\nIf an action like `lsn_save_settings` (inferred) is found hooked to `wp_ajax_nopriv_`:\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=lsn_save_settings&lsn_option_name=new_value&security=[NONCE]`\n\n### Step 3: Execution\nUse the `http_request` tool to send the crafted payload to the target.\n\n## 6. Test Data Setup\n1.  **Install WooCommerce:** The plugin depends on WooCommerce to function.\n2.  **Install Plugin:** Install version \u003C= 2.3.46 of `live-sales-notifications-for-woocommerce`.\n3.  **Identify Options:** Use WP-CLI to identify the option names used by the plugin:\n    ```bash\n    wp option list --search=\"*lsn*\"\n    wp option list --search=\"*piweb*\"\n    ```\n\n## 7. Expected Results\n*   **Successful Exploit:** The handler returns its own success response (e.g., a JSON `{\"success\":true}` from `wp_send_json_success()`). Do not judge success from the HTTP status alone: `admin-ajax.php` answers `200 OK` with body `0` when no handler matched the `action`, and `check_ajax_referer()` answers `-1` with HTTP 403 when the nonce is rejected, so the change must be confirmed with the verification step below.\n*   **Impact:** The targeted WordPress option (e.g., `lsn_settings`) is modified with the attacker's value, which could be used to disable notifications, change the notification text to include malicious links, or achieve stored XSS if the settings are output unescaped.\n\n## 8. Verification Steps\nAfter sending the exploit request, verify the change using WP-CLI:\n```bash\n# Check if the targeted option was updated\nwp option get [VULNERABLE_OPTION_NAME]\n```\n\n## 9. 
Alternative Approaches\n*   **Settings Injection:** If the plugin doesn't have a specific \"save settings\" AJAX action, check for a generic one that might allow calling `update_option` dynamically.\n*   **Import\u002FExport:** Look for unauthenticated import\u002Fexport actions (e.g., `wp_ajax_nopriv_lsn_import_settings`) which might allow overwriting the entire plugin configuration with a JSON payload.\n*   **Direct Option Manipulation:** If the vulnerability is in an `admin_init` hook, check if simply visiting `wp-admin\u002Fadmin-ajax.php?action=...` or `wp-admin\u002Fadmin-post.php` with specific GET\u002FPOST parameters triggers the state change.","The PiWeb Live sales notification for WooCommerce plugin for WordPress is vulnerable to unauthorized access and settings modification in versions up to, and including, 2.3.46. This is due to missing capability checks on functions accessible via AJAX or admin hooks, allowing unauthenticated attackers to perform unauthorized actions such as updating plugin configurations.","The exploit involves identifying a vulnerable AJAX action registered via the 'wp_ajax_nopriv_' hook (or an 'admin_init' hook) that processes administrative settings. An unauthenticated attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter corresponding to the vulnerable hook and payload parameters containing the target configuration values. If the endpoint requires a nonce, it can typically be retrieved from a public-facing page by extracting localized JavaScript variables (such as 'LSN_VARS') where the plugin is active.","gemini-3-flash-preview","2026-05-05 11:47:42","2026-05-05 11:48:03",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flive-sales-notifications-for-woocommerce\u002Ftags"]