CVE-2026-49059

Meta for WooCommerce <= 3.7.0 - Unauthenticated Open Redirect

mediumURL Redirection to Untrusted Site ('Open Redirect')
4.7
CVSS Score
4.7
CVSS Score
medium
Severity
3.7.1
Patched in
13d
Time to patch

Description

The Meta for WooCommerce plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.7.0. This is due to insufficient validation on a redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.7.0
PublishedMay 27, 2026
Last updatedJune 8, 2026
Research Plan
Unverified

This research plan focuses on identifying and exploiting an unauthenticated open redirect vulnerability in the **Meta for WooCommerce** (formerly Facebook for WooCommerce) plugin, specifically in versions up to and including 3.7.0. ### 1. Vulnerability Summary The vulnerability exists because the p…

Show full research plan

This research plan focuses on identifying and exploiting an unauthenticated open redirect vulnerability in the Meta for WooCommerce (formerly Facebook for WooCommerce) plugin, specifically in versions up to and including 3.7.0.

1. Vulnerability Summary

The vulnerability exists because the plugin utilizes the WordPress wp_redirect() function with user-supplied input that has not been properly validated or constrained to the local site. In WordPress development, wp_safe_redirect() should be used to ensure redirects only occur within the same domain or to an allowed list of hosts. By providing an external URL to a vulnerable parameter, an attacker can redirect victims to a malicious site.

2. Attack Vector Analysis

  • Endpoint: Likely a handler triggered via admin-ajax.php (unauthenticated via wp_ajax_nopriv_) or a hook on init / template_redirect that checks for specific GET parameters.
  • Vulnerable Parameter: Likely url, redirect_url, next, or r (inferred).
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active. Some handlers may require WooCommerce to be active as well.

3. Code Flow (Inferred)

Based on typical open redirect patterns in this plugin's architecture:

  1. Entry Point: An unauthenticated user accesses a URL with a specific action (e.g., ?wc-ajax=... or wp-admin/admin-ajax.php?action=...).
  2. Hook Registration: The plugin registers a handler:
    add_action('wp_ajax_nopriv_fb_handle_redirect', 'handle_redirect_function'); (inferred action name).
  3. Source: The function retrieves a URL from the request:
    $target = $_GET['url'];
  4. Sink: The function calls wp_redirect($target); without verifying that $target is a local URL or part of an allowlist.
  5. Result: The server sends a 302 Found header with the Location set to the external domain.

4. Nonce Acquisition Strategy

Open redirects in "setup" or "pixel" flows often bypass nonce checks to facilitate seamless transitions between the Meta/Facebook platform and the WordPress site. However, if a nonce is required:

  1. Identify JS Variable: Search the codebase for wp_localize_script calls that include a nonce intended for redirects or setup.
    • Target Files: includes/class-wc-facebook-pixel.php or includes/fb-utils.php.
  2. Shortcode Discovery: Look for shortcodes that might enqueue these scripts:
    grep -r "add_shortcode" .
  3. Extraction:
    • If a shortcode like [facebook_pixel] exists, create a page:
      wp post create --post_type=page --post_status=publish --post_content='[facebook_pixel]' --post_title='Nonce Page'
    • Navigate to the page using browser_navigate.
    • Execute: browser_eval("window.facebook_for_woocommerce_settings?.nonce") (inferred JS path).

5. Exploitation Strategy

The goal is to trigger a 302 redirect to https://example.com.

Step 1: Locate the Vulnerable Handler
Search the plugin for wp_redirect calls:
grep -r "wp_redirect" /var/www/html/wp-content/plugins/facebook-for-woocommerce/

Identify calls that use $_GET or $_REQUEST variables directly. A common vulnerable pattern in this plugin family is found in handlers managing the "Connect" or "Settings" flows.

Step 2: Craft the Payload
If the handler is registered via admin-ajax.php:

  • URL: http://[TARGET]/wp-admin/admin-ajax.php
  • Action: (Found in Step 1, e.g., fb_login_callback)
  • Redirect Parameter: (Found in Step 1, e.g., redirect_url)

Step 3: Execute Request
Using the http_request tool:

{
  "method": "GET",
  "url": "http://vulnerable-wp.local/wp-admin/admin-ajax.php?action=fb_login_callback&redirect_url=https://example.com",
  "follow_redirects": false
}

6. Test Data Setup

  1. Install Plugin: Ensure facebook-for-woocommerce version 3.7.0 or lower is installed and activated.
  2. Activate Dependencies: Ensure WooCommerce is installed and the basic setup wizard is completed (to allow the Meta plugin to initialize its hooks).
  3. No Auth Needed: Perform the exploit in an unauthenticated session.

7. Expected Results

  • Status Code: 302 Found or 301 Moved Permanently.
  • Headers: The Location header must contain https://example.com.
  • Body: Usually empty or a standard WordPress redirect message.

8. Verification Steps

After the http_request tool returns the response:

  1. Check that the response_headers dictionary contains "location": "https://example.com".
  2. Confirm that the status code is in the 3xx range.
  3. Code Verification: Check the source file identified in Step 1 to confirm if wp_safe_redirect was missing and replaced in the patch (if available).

9. Alternative Approaches

  • Protocol Bypasses: If the plugin does basic string checking (e.g., checking if it starts with http), try //example.com (protocol-relative URL) or https:example.com.
  • Alternative Actions: Check for redirect parameters in the following (inferred) actions:
    • facebook_for_woocommerce_pixel_redirect
    • wc_facebook_pixel_sender
    • Any function hooked to template_redirect that looks for a facebook_redirect parameter in the URL.
  • Encoded Payloads: If a simple URL fails, try double-URL encoding the redirect target.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Meta for WooCommerce plugin for WordPress (versions <= 3.7.0) is vulnerable to an unauthenticated open redirect. This is caused by the use of the wp_redirect() function on user-supplied input without proper validation or domain restriction, allowing attackers to redirect users to malicious external websites.

Exploit Outline

The exploit involves identifying an unauthenticated redirect handler within the plugin, typically triggered via 'admin-ajax.php' or an 'init' hook. An attacker crafts a request to the vulnerable endpoint (e.g., using an action like 'fb_login_callback') and provides an external URL (e.g., 'https://example.com') in a parameter such as 'url' or 'redirect_url'. When a victim visits this crafted link, the server responds with a 302 redirect to the external domain. No authentication is required.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.