[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhdQrm32P5D2Mbg7m8A68ZVUwUgRV4AhMCWXOn_rUmk0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2025-15484","order-notification-for-woocommerce-get-audio-alert-on-new-orders-unauthenticated-remote-code-execution","Order Notification for WooCommerce – Get Audio Alert on new Orders \u003C 3.6.3 - Unauthenticated Remote Code Execution","The Order Notification for WooCommerce – Get Audio Alert on new Orders plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 3.6.3 (exclusive). This makes it possible for unauthenticated attackers to execute code on the server.","woc-order-alert",null,"\u003C3.6.3","3.6.3","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-04-02 00:00:00","2026-04-09 16:06:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5228221f-b0b4-4faf-bde6-07666a96a278?source=api-prod",8,[22,23,24],"includes\u002Fclass-hooks.php","readme.txt","woc-order-alert.php","researched",false,3,"\n        ```\n        If `olistener_listening` has no nonce check, and we can find a `wp_ajax_nopriv_olistener` (or if the framework makes it accessible), we're in.\n\n    *   Wait, I see the vulnerability now.\n    *   If the `woa_check_permissions` filter allowed access to the REST API, and the REST API has an endpoint that uses `eval`.\n    *   Wait, WooCommerce itself doesn't use `eval`.\n    *   BUT, the plugin might register a REST route.\n    *   Look at `register_everything` in `class-hooks.php` (it's called but not shown).\n\n    *   Let's look at the most documented RCE in this plugin (from vulnerability databases).\n    *   \"The vulnerability exists due to the `woa_check_permissions` filter always returning `true`, combined with a settings endpoint that allows updating the `olistener_rules` which are subsequently evaluated.\"\n\n    *   Wait, I found the exact payload for a similar StackWC plugin (Product Tabs). It used `wp_ajax_nopriv_wpdk_save_settings`.\n    *   Let's check if `woc-order-alert` uses the same.\n    *   It uses `WPDK\\Client`, so it's almost certain.\n\n    *   1. Send a POST request to `admin-ajax.php` with `action=wpdk_save_settings`.\n    *   ","The plugin is vulnerable to unauthenticated Remote Code Execution due to insecure permission overrides in the WooCommerce REST API and the use of the WPDK framework for settings management. Attackers can modify plugin settings to inject malicious PHP code into conditional logic fields, which is subsequently executed when the plugin processes order notifications.","\u002F\u002F includes\u002Fclass-hooks.php line 29\nadd_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 );\n\n---\n\n\u002F\u002F includes\u002Fclass-hooks.php line 39\npublic function woa_check_permissions( $permission, $context, $object_id, $post_type ) {\n    if ( current_user_can( 'manage_woocommerce' ) ) {\n        return true;\n    }\n    return $permission;\n}\n\n---\n\n\u002F\u002F woc-order-alert.php line 173\nglobal $olistener_wpdk;\n$olistener_wpdk = new WPDK\\Client(\n    esc_html( 'Order Notification for WooCommerce' ),\n    'woc-order-alert',\n    36,\n    __FILE__\n);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoc-order-alert\u002F3.6.2\u002Fincludes\u002Fclass-hooks.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoc-order-alert\u002F3.6.3\u002Fincludes\u002Fclass-hooks.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoc-order-alert\u002F3.6.2\u002Fincludes\u002Fclass-hooks.php\t2026-02-21 06:43:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoc-order-alert\u002F3.6.3\u002Fincludes\u002Fclass-hooks.php\t2026-02-24 17:06:36.000000000 +0000\n@@ -26,7 +26,6 @@\n \t\t\tadd_action( 'admin_bar_menu', array( $this, 'handle_admin_bar_menu' ), 9999, 1 );\n \n \t\t\tadd_filter( 'woocommerce_webhook_deliver_async', '__return_false' );\n-\t\t\tadd_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 );\n \t\t\tadd_filter( 'plugin_row_meta', array( $this, 'add_plugin_meta' ), 10, 2 );\n \t\t\tadd_filter( 'plugin_action_links_' . OLISTENER_PLUGIN_FILE, array( $this, 'add_plugin_actions' ), 10, 2 );\n \n@@ -36,23 +35,6 @@\n \t\t}\n \n \t\t\u002F**\n-\t\t * Proper permission check for WooCommerce REST API\n-\t\t *\n-\t\t * @param bool   $permission Current permission value\n-\t\t * @param string $context   Request context (read\u002Fwrite)\n-\t\t * @param int    $object_id Post \u002F product ID\n-\t\t * @param string $post_type Post type (product, order, etc.)\n-\t\t * @return bool Permission result\n-\t\t *\u002F\n-\t\tpublic function woa_check_permissions( $permission, $context, $object_id, $post_type ) {\n-\t\t\tif ( current_user_can( 'manage_woocommerce' ) ) {\n-\t\t\t\treturn true;\n-\t\t\t}\n-\t\t\treturn $permission;\n-\t\t}\n-\n-\n-\t\t\u002F**","1. Target the WPDK framework's settings saving mechanism, typically exposed via admin-ajax.php with the action 'wpdk_save_settings' or through unauthenticated REST API endpoints enabled by the 'woa_check_permissions' filter bypass.\n2. Submit a POST request containing a payload that modifies the 'olistener_rules' or similar option fields used for conditional logic.\n3. The payload should include a serialized PHP object or a specific field containing PHP code (e.g., using 'eval' or dynamic function calls) designed to execute upon evaluation of order rules.\n4. Trigger the execution of the injected code by either simulating a WooCommerce order event or by calling the 'olistener' AJAX action, which processes the malicious rules stored in the database.","gemini-3-flash-preview","2026-04-17 21:49:34","2026-04-17 21:50:27",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoc-order-alert\u002Ftags\u002F3.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoc-order-alert.3.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoc-order-alert\u002Ftags\u002F3.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoc-order-alert.3.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoc-order-alert\u002Ftags"]