[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnJgOPz_hb4vEHqxmMZzDrZi2ddLb1QtORfDsx8ryLqs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-49059","meta-for-woocommerce-unauthenticated-open-redirect","Meta for WooCommerce \u003C= 3.7.0 - Unauthenticated Open Redirect","The Meta for WooCommerce plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.7.0. This is due to insufficient validation on a redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.","facebook-for-woocommerce",null,"\u003C=3.7.0","3.7.1","medium",4.7,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:N\u002FI:L\u002FA:N","URL Redirection to Untrusted Site ('Open Redirect')","2026-05-27 00:00:00","2026-06-08 16:14:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F32028952-ccd7-48f6-87ce-0924f40d99ae?source=api-prod",13,[],"researched",false,3,"This research plan focuses on identifying and exploiting an unauthenticated open redirect vulnerability in the **Meta for WooCommerce** (formerly Facebook for WooCommerce) plugin, specifically in versions up to and including 3.7.0.\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin utilizes the WordPress `wp_redirect()` function with user-supplied input that has not been properly validated or constrained to the local site. In WordPress development, `wp_safe_redirect()` should be used to ensure redirects only occur within the same domain or to an allowed list of hosts. By providing an external URL to a vulnerable parameter, an attacker can redirect victims to a malicious site.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Likely a handler triggered via `admin-ajax.php` (unauthenticated via `wp_ajax_nopriv_`) or a hook on `init` \u002F `template_redirect` that checks for specific GET parameters.\n*   **Vulnerable Parameter:** Likely `url`, `redirect_url`, `next`, or `r` (inferred).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. Some handlers may require WooCommerce to be active as well.\n\n### 3. Code Flow (Inferred)\nBased on typical open redirect patterns in this plugin's architecture:\n1.  **Entry Point:** An unauthenticated user accesses a URL with a specific action (e.g., `?wc-ajax=...` or `wp-admin\u002Fadmin-ajax.php?action=...`).\n2.  **Hook Registration:** The plugin registers a handler:\n    `add_action('wp_ajax_nopriv_fb_handle_redirect', 'handle_redirect_function');` (inferred action name).\n3.  **Source:** The function retrieves a URL from the request:\n    `$target = $_GET['url'];`\n4.  **Sink:** The function calls `wp_redirect($target);` without verifying that `$target` is a local URL or part of an allowlist.\n5.  **Result:** The server sends a `302 Found` header with the `Location` set to the external domain.\n\n### 4. Nonce Acquisition Strategy\nOpen redirects in \"setup\" or \"pixel\" flows often bypass nonce checks to facilitate seamless transitions between the Meta\u002FFacebook platform and the WordPress site. However, if a nonce is required:\n\n1.  **Identify JS Variable:** Search the codebase for `wp_localize_script` calls that include a nonce intended for redirects or setup.\n    *   *Target Files:* `includes\u002Fclass-wc-facebook-pixel.php` or `includes\u002Ffb-utils.php`.\n2.  **Shortcode Discovery:** Look for shortcodes that might enqueue these scripts:\n    `grep -r \"add_shortcode\" .`\n3.  **Extraction:**\n    *   If a shortcode like `[facebook_pixel]` exists, create a page:\n        `wp post create --post_type=page --post_status=publish --post_content='[facebook_pixel]' --post_title='Nonce Page'`\n    *   Navigate to the page using `browser_navigate`.\n    *   Execute: `browser_eval(\"window.facebook_for_woocommerce_settings?.nonce\")` (inferred JS path).\n\n### 5. Exploitation Strategy\nThe goal is to trigger a `302` redirect to `https:\u002F\u002Fexample.com`.\n\n**Step 1: Locate the Vulnerable Handler**\nSearch the plugin for `wp_redirect` calls:\n`grep -r \"wp_redirect\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffacebook-for-woocommerce\u002F`\n\nIdentify calls that use `$_GET` or `$_REQUEST` variables directly. A common vulnerable pattern in this plugin family is found in handlers managing the \"Connect\" or \"Settings\" flows.\n\n**Step 2: Craft the Payload**\nIf the handler is registered via `admin-ajax.php`:\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** (Found in Step 1, e.g., `fb_login_callback`)\n*   **Redirect Parameter:** (Found in Step 1, e.g., `redirect_url`)\n\n**Step 3: Execute Request**\nUsing the `http_request` tool:\n```json\n{\n  \"method\": \"GET\",\n  \"url\": \"http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php?action=fb_login_callback&redirect_url=https:\u002F\u002Fexample.com\",\n  \"follow_redirects\": false\n}\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `facebook-for-woocommerce` version 3.7.0 or lower is installed and activated.\n2.  **Activate Dependencies:** Ensure WooCommerce is installed and the basic setup wizard is completed (to allow the Meta plugin to initialize its hooks).\n3.  **No Auth Needed:** Perform the exploit in an unauthenticated session.\n\n### 7. Expected Results\n*   **Status Code:** `302 Found` or `301 Moved Permanently`.\n*   **Headers:** The `Location` header must contain `https:\u002F\u002Fexample.com`.\n*   **Body:** Usually empty or a standard WordPress redirect message.\n\n### 8. Verification Steps\nAfter the `http_request` tool returns the response:\n1.  Check that the `response_headers` dictionary contains `\"location\": \"https:\u002F\u002Fexample.com\"`.\n2.  Confirm that the status code is in the `3xx` range.\n3.  **Code Verification:** Check the source file identified in Step 1 to confirm if `wp_safe_redirect` was missing and replaced in the patch (if available).\n\n### 9. Alternative Approaches\n*   **Protocol Bypasses:** If the plugin does basic string checking (e.g., checking if it starts with `http`), try `\u002F\u002Fexample.com` (protocol-relative URL) or `https:example.com`.\n*   **Alternative Actions:** Check for redirect parameters in the following (inferred) actions:\n    *   `facebook_for_woocommerce_pixel_redirect`\n    *   `wc_facebook_pixel_sender`\n    *   Any function hooked to `template_redirect` that looks for a `facebook_redirect` parameter in the URL.\n*   **Encoded Payloads:** If a simple URL fails, try double-URL encoding the redirect target.","The Meta for WooCommerce plugin for WordPress (versions \u003C= 3.7.0) is vulnerable to an unauthenticated open redirect. This is caused by the use of the wp_redirect() function on user-supplied input without proper validation or domain restriction, allowing attackers to redirect users to malicious external websites.","The exploit involves identifying an unauthenticated redirect handler within the plugin, typically triggered via 'admin-ajax.php' or an 'init' hook. An attacker crafts a request to the vulnerable endpoint (e.g., using an action like 'fb_login_callback') and provides an external URL (e.g., 'https:\u002F\u002Fexample.com') in a parameter such as 'url' or 'redirect_url'. When a victim visits this crafted link, the server responds with a 302 redirect to the external domain. No authentication is required.","gemini-3-flash-preview","2026-06-04 18:09:04","2026-06-04 18:09:54",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffacebook-for-woocommerce\u002Ftags"]