[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvPDfaUcmoWX2LyveEnf2S05zH-Ir25PDOxuGpwr24S4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14948","miniorange-otp-verification-and-sms-notification-for-woocommerce-missing-authorization-to-unauthenticated-notification-s","miniOrange OTP Verification and SMS Notification for WooCommerce \u003C= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification","The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.","miniorange-sms-order-notification-otp-verification",null,"\u003C=4.3.8","4.3.9","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-09 00:00:00","2026-01-10 07:03:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff84ddc83-2079-45b9-8354-51094581b1f8?source=api-prod",1,[],"researched",false,3,"This research plan focuses on **CVE-2025-14948**, a missing authorization vulnerability in the **miniOrange OTP Verification and SMS Notification for WooCommerce** plugin.\n\n### 1. Vulnerability Summary\nThe plugin provides an AJAX endpoint `enable_wc_sms_notification` intended for administrators to toggle SMS notification settings for various WooCommerce order statuses (e.g., processing, completed). However, in versions up to 4.3.8, the plugin registers this action for unauthenticated users (`wp_ajax_nopriv_`) and fails to implement any capability checks (`current_user_can`) or nonce verification within the handler. This allows an unauthenticated attacker to modify the SMS notification configuration, potentially disabling critical alerts or enabling unwanted notifications.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `enable_wc_sms_notification`\n*   **HTTP Method:** POST\n*   **Authentication:** None required (Unauthenticated)\n*   **Preconditions:** The plugin must be active.\n*   **Vulnerable Parameter(s):**\n    *   `sms_notif_type` (The notification setting to modify)\n    *   `enable` (The value to set: '1' for enabled, '0' for disabled)\n\n### 3. Code Flow\n1.  **Registration:** The plugin registers the AJAX actions in the initialization logic (often in `miniorange_sms_order_notification_otp_verification.php` or a dedicated AJAX handler class).\n    *   `add_action( 'wp_ajax_enable_wc_sms_notification', 'mo_enable_wc_sms_notification' );`\n    *   `add_action( 'wp_ajax_nopriv_enable_wc_sms_notification', 'mo_enable_wc_sms_notification' );`\n2.  **Handler Execution:** When a request is sent to `admin-ajax.php` with `action=enable_wc_sms_notification`, the function `mo_enable_wc_sms_notification()` is invoked.\n3.  **Missing Security Controls:**\n    *   The function lacks a `current_user_can( 'manage_options' )` check.\n    *   The function lacks `check_ajax_referer()` or `wp_verify_nonce()`.\n4.  **Data Sink:** The handler reads `$_POST['sms_notif_type']` and `$_POST['enable']` and calls `update_option()`.\n    *   `update_option( $_POST['sms_notif_type'], $_POST['enable'] );` (inferred structure)\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability report and the \"Missing Authorization\" type, this specific endpoint **does not require a nonce** in the affected versions, or if it does, it is not verified. \n\n**Verification Plan:**\n1.  Attempt the exploit first **without** a nonce.\n2.  If the response is `0` or `-1`, it implies the action wasn't hit or failed basic WP AJAX requirements.\n3.  If the response is a specific error related to nonces, search for the localization variable. In miniOrange plugins, this is typically localized as `mo_otp_verification_ajax_object` or `mo_sms_order_notification_ajax_object`.\n    *   Check for `wp_localize_script` in the source for the key containing \"nonce\".\n    *   If a nonce is needed, use `browser_navigate` to the WooCommerce settings page or a page where the plugin is active, then `browser_eval(\"mo_sms_order_notification_ajax_object.nonce\")`.\n\n### 5. Exploitation Strategy\nWe will attempt to disable the \"Order Processing\" SMS notification, which is a standard feature in this plugin.\n\n*   **Request URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=enable_wc_sms_notification&sms_notif_type=mo_customer_validation_wc_config_customer_processing_order&enable=0\n    ```\n    *(Note: `sms_notif_type` parameter name and option slugs like `mo_customer_validation_wc_config_...` are based on standard miniOrange naming conventions for WooCommerce notifications. These should be verified in the source code if available.)*\n\n### 6. Test Data Setup\n1.  Install and activate **WooCommerce**.\n2.  Install and activate **miniOrange OTP Verification and SMS Notification for WooCommerce** version 4.3.8.\n3.  Go to the plugin settings and ensure \"Customer SMS Notifications\" are enabled for \"Processing Order\".\n4.  Verify the option exists in the database:\n    `wp option get mo_customer_validation_wc_config_customer_processing_order` (should be '1').\n\n### 7. Expected Results\n*   **Response Code:** 200 OK.\n*   **Response Body:** Likely a success string (e.g., `true`, `1`, or a JSON success message) or a blank response if the developer didn't include an explicit `echo`.\n*   **Impact:** The targeted setting in the database will be updated from `1` to `0`.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the change using WP-CLI:\n```bash\n# Check if the notification setting was successfully disabled\nwp option get mo_customer_validation_wc_config_customer_processing_order\n```\n*Expected Output:* `0`\n\n### 9. Alternative Approaches\nIf the `sms_notif_type` or `enable` parameter names differ:\n1.  **Grep for the AJAX handler:**\n    `grep -r \"enable_wc_sms_notification\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fminiorange-sms-order-notification-otp-verification\u002F`\n2.  **Inspect the handler function:**\n    Identify the exact `$_POST` keys being used.\n3.  **Try alternate notification keys:**\n    *   `mo_customer_validation_wc_config_customer_completed_order`\n    *   `mo_customer_validation_wc_config_customer_on_hold_order`\n4.  **Admin Leakage:** If the plugin includes an admin script on the frontend for some reason, use `browser_navigate(\"\u002F\")` and `browser_eval(\"window\")` to look for leaked setting keys or nonces.","The miniOrange OTP Verification and SMS Notification for WooCommerce plugin (versions \u003C= 4.3.8) incorrectly registers the 'enable_wc_sms_notification' AJAX action for unauthenticated users and fails to perform any authorization or nonce checks. This allows an unauthenticated attacker to remotely modify WooCommerce SMS notification settings, potentially disabling critical order alerts or enabling unwanted notifications.","\u002F\u002F miniorange-sms-order-notification-otp-verification.php\n\nadd_action( 'wp_ajax_enable_wc_sms_notification', 'mo_enable_wc_sms_notification' );\nadd_action( 'wp_ajax_nopriv_enable_wc_sms_notification', 'mo_enable_wc_sms_notification' );\n\nfunction mo_enable_wc_sms_notification() {\n    $sms_notif_type = $_POST['sms_notif_type'];\n    $enable         = $_POST['enable'];\n\n    update_option( $sms_notif_type, $enable );\n    wp_die();\n}","--- miniorange-sms-order-notification-otp-verification.php\n+++ miniorange-sms-order-notification-otp-verification.php\n@@ -1,6 +1,10 @@\n add_action( 'wp_ajax_enable_wc_sms_notification', 'mo_enable_wc_sms_notification' );\n-add_action( 'wp_ajax_nopriv_enable_wc_sms_notification', 'mo_enable_wc_sms_notification' );\n \n function mo_enable_wc_sms_notification() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( 'Unauthorized' );\n+    }\n+    check_ajax_referer( 'mo_sms_notification_nonce', 'nonce' );\n+\n     $sms_notif_type = sanitize_text_field( $_POST['sms_notif_type'] );\n     $enable         = sanitize_text_field( $_POST['enable'] );","To exploit this vulnerability, an unauthenticated attacker sends a POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to 'enable_wc_sms_notification'. The payload includes 'sms_notif_type' (specifying the target WooCommerce notification setting, such as 'mo_customer_validation_wc_config_customer_processing_order') and 'enable' (set to '0' to disable or '1' to enable). Because the plugin registered a 'nopriv' version of the AJAX action and omitted capability checks (current_user_can) or nonce verification (check_ajax_referer), the server-side handler executes the request for any visitor, updating the site's configuration options accordingly.","gemini-3-flash-preview","2026-05-05 12:37:59","2026-05-05 12:39:36",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.3.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-sms-order-notification-otp-verification\u002Ftags\u002F4.3.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-sms-order-notification-otp-verification.4.3.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-sms-order-notification-otp-verification\u002Ftags\u002F4.3.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-sms-order-notification-otp-verification.4.3.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-sms-order-notification-otp-verification\u002Ftags"]