[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fu9_2UAnRK7npIa-3K60olTn--MXa8jGqoENMQz-4j3U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-45209","mycryptocheckout-bitcoin-ethereum-and-100-altcoins-for-woocommerce-missing-authorization","MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce \u003C= 2.161 - Missing Authorization","The MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.161. This makes it possible for unauthenticated attackers to perform an unauthorized action.","mycryptocheckout",null,"\u003C=2.161","2.162","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-12 00:00:00","2026-05-19 13:18:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F22f54e4b-2f9a-40b2-b1d2-38f046b71a05?source=api-prod",8,[22,23,24,25,26,27,28,29],"MyCryptoCheckout.php","composer.json","composer.lock","readme.txt","src\u002Fecommerce\u002Fwoocommerce\u002FWooCommerce.php","src\u002Fstatic\u002Fcss\u002Fmycryptocheckout.css","src\u002Fstatic\u002Fcss\u002Fscss\u002Fpay_buttons.scss","src\u002Fstatic\u002Fjs\u002Fjs.d\u002F50.checkout.js","researched",false,3,"' );\n        data = atob( data );\n        data = jQuery.parseJSON( data );\n        return data;\n    }\n    ```\n    I'll have the agent use `browser_eval` to get this JSON.\n\n    - Target URL: `\u002Fwp-admin\u002Fadmin-ajax.php`\n    - Action: `mycryptocheckout_cancel_payment` (inferred from `WooCommerce.php:129`)\n    - Param: `order_id`\n\n    Wait, if the vulnerability is actually `mcc_save_settings`, I should mention it. But the instructions say \"GROUND your plan in the source files provided\". `mycryptocheckout_cancel_payment` is in the source.\n\n    *Final Plan Structure:*\n    1.  Vulnerability Summary: Missing capability check in `mycryptocheckout_cancel_payment`.\n    2.  Attack Vector: AJAX endpoint.\n    3.  Code Flow: `WooCommerce::_construct` -> `add_action` -> `mycryptocheckout_cancel_payment`.\n    4.  Nonce: Extract from `#mycryptocheckout_checkout_data`.\n    5.  Payload: `action=mycryptocheckout_cancel_payment&order_id=X`.\n\n    Wait, I'll search for one more thing. Is there any `wp_ajax_nopriv` in the source?\n    No. It's likely in the parent class `\\plainview","gemini-3-flash-preview","2026-05-20 18:10:49","2026-05-20 18:12:44",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.161","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmycryptocheckout\u002Ftags\u002F2.161","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmycryptocheckout.2.161.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmycryptocheckout\u002Ftags\u002F2.162","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmycryptocheckout.2.162.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmycryptocheckout\u002Ftags"]