[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpymdHKo7QdPcRhjuAoQazL9XhIRV-snFSzcBWEVHiWM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-45217","payment-gateway-of-stripe-for-woocommerce-missing-authorization","Payment Gateway of Stripe for WooCommerce \u003C= 5.0.7 - Missing Authorization","The Payment Gateway of Stripe for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.","payment-gateway-stripe-and-woocommerce-integration",null,"\u003C=5.0.7","5.0.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-12 00:00:00","2026-05-19 16:14:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F938f0ac2-6454-472b-8119-4ffaa7a3670c?source=api-prod",8,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Feh-style.css","assets\u002Fjs\u002Feh-affirm.js","assets\u002Fjs\u002Feh-afterpay.js","assets\u002Fjs\u002Feh-alipay.js","assets\u002Fjs\u002Feh-bancontact.js","assets\u002Fjs\u002Feh-becs.js","assets\u002Fjs\u002Feh-boleto.js","assets\u002Fjs\u002Feh-checkout.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-45217\n\n## 1. Vulnerability Summary\nThe **Payment Gateway of Stripe for WooCommerce** plugin (up to 5.0.7) contains a missing authorization vulnerability. This flaw exists because a specific function, registered as an AJAX action, fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`). This allows unauthenticated attackers to trigger sensitive operations, likely related to plugin configuration or order state modification, by sending a request to `admin-ajax.php`.\n\nGiven the CVSS score of 5.3 (Integrity: Low), the vulnerability likely allows modifying non-critical settings (like toggling debug logs) or performing actions like disconnecting the Stripe account, which disrupts service but doesn't necessarily lead to full site takeover.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** Likely `eh_stripe_save_settings`, `eh_stripe_disconnect_account`, or `eh_stripe_clear_log` (inferred from common WebToffee\u002FEh plugin patterns).\n- **Authentication:** None (Unauthenticated).\n- **Preconditions:** The plugin must be active. Some actions may require a valid WordPress nonce, though unauthenticated AJAX (`wp_ajax_nopriv_`) often lacks them or exposes them on the frontend.\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers AJAX handlers during the `init` or `plugins_loaded` hook.\n2. **Registration:** `add_action( 'wp_ajax_nopriv_[ACTION_NAME]', 'callback_function' )`.\n3. **The Sink:** The `callback_function` performs an action such as `update_option()` or interacts with the Stripe API without verifying if the requester has administrative privileges.\n4. **Vulnerable Path:**\n   - Client sends POST request to `admin-ajax.php` with `action=[ACTION_NAME]`.\n   - WordPress executes the registered callback.\n   - The callback executes privileged logic without checking `current_user_can()`.\n\n## 4. Nonce Acquisition Strategy\nThe provided JS files (`eh-affirm.js`, `eh-becs.js`, etc.) show that the plugin localizes several data objects. If a nonce is required for the vulnerable AJAX action, it is likely contained within one of these objects.\n\n**Strategy:**\n1. **Identify the Trigger:** The scripts are typically enqueued on the WooCommerce Checkout page or the \"Add Payment Method\" page.\n2. **Setup:**\n   - Ensure WooCommerce is installed and a product exists.\n   - Add a product to the cart and navigate to the checkout page.\n3. **Extraction:**\n   - Use `browser_navigate` to go to the checkout page.\n   - Use `browser_eval` to extract the localized data.\n   - **Target Variables (from source):**\n     - `eh_affirm_val`\n     - `eh_afterpay_val`\n     - `eh_alipay_val`\n     - `eh_bancontact_val`\n     - `eh_becs_val`\n     - `eh_boleto_val`\n     - `eh_stripe_checkout_params` (from `eh-checkout.js`)\n4. **Command:** \n   `browser_eval(\"window.eh_affirm_val?.nonce || window.eh_stripe_checkout_params?.nonce\")`\n\n*Note: If `wp_ajax_nopriv_` is used, the developer may have omitted the nonce check entirely, or used a generic nonce like `wp_rest`.*\n\n## 5. Exploitation Strategy\nThe agent will first confirm the vulnerable handler by searching the PHP source.\n\n### Step 1: Locate the Vulnerable Handler\nSearch the plugin directory for unauthenticated AJAX registrations:\n`grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F`\n\n### Step 2: Analyze the Callback\nExamine the function associated with the `nopriv` action. Look for:\n- Lack of `current_user_can()`\n- Use of `update_option()`\n- Use of `delete_option()`\n- Sensitive Stripe API calls (e.g., `account->delete()`)\n\n### Step 3: Craft Payload\nAssuming the action is `eh_stripe_disconnect_account` (a common \"I:L\" vulnerability):\n- **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** POST\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `action=eh_stripe_disconnect_account&nonce=[EXTRACTED_NONCE]`\n\n### Step 4: Execute via http_request\n```javascript\n\u002F\u002F Example using Playwright tool\nawait http_request({\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  method: \"POST\",\n  body: \"action=eh_stripe_disconnect_account&nonce=\" + extractedNonce,\n  headers: { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" }\n});\n```\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `payment-gateway-stripe-and-woocommerce-integration` version 5.0.7 is installed.\n2. **Configure Stripe:** Add dummy API keys in the plugin settings to provide \"state\" that can be modified.\n3. **WooCommerce Setup:** \n   - Create a test product: `wp post create --post_type=product --post_title='Test' --post_status=publish`.\n   - Enable the \"Stripe\" payment gateway in WooCommerce settings.\n4. **Nonce Page:** Create a page with the `[woocommerce_checkout]` shortcode if not already present.\n\n## 7. Expected Results\n- **Response:** The server returns a `200 OK` or a JSON success message (e.g., `{\"success\": true}`).\n- **Effect:** The plugin settings are altered. For example, the Stripe API keys are cleared or the \"Connection Status\" in the plugin dashboard changes to \"Disconnected\".\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to check the database state:\n- **Check Options:** `wp option get eh_stripe_settings`\n- **Check Connection Status:** `wp option get eh_stripe_account_id` (or similar keys found during the search).\n- If the option is cleared or changed to a default\u002Fmalicious value, the exploit is confirmed.\n\n## 9. Alternative Approaches\n- **Settings Injection:** If the vulnerable function is `eh_stripe_save_settings`, attempt to overwrite the `publishable_key` with an attacker-controlled key to intercept future payment intents.\n- **Log Exposure\u002FClearing:** Check for `eh_stripe_clear_log` or `eh_stripe_get_log` which could be used to hide tracks or potentially leak transaction metadata (though CVSS 5.3 C:N suggests focus is on Integrity).\n- **Order Manipulation:** Look for actions that take an `order_id` and change status (e.g., `eh_stripe_update_order_status`).","The Payment Gateway of Stripe for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function registered as an AJAX action. This allows unauthenticated attackers to perform sensitive administrative operations, such as modifying plugin settings or disconnecting the Stripe account connection.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F5.0.7\u002Fassets\u002Fcss\u002Feh-style.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F5.0.8\u002Fassets\u002Fcss\u002Feh-style.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F5.0.7\u002Fassets\u002Fcss\u002Feh-style.css\t2026-01-06 03:11:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F5.0.8\u002Fassets\u002Fcss\u002Feh-style.css\t2026-05-04 21:15:36.000000000 +0000\n@@ -48,3 +48,33 @@\n #eh-stripe-payment-request-button{\n     padding: 20px 0;\n }\n+\n+.we-chat-overlay{\n+    position:fixed;\n+    top:0;\n+    left:0;\n+    width:100%;\n+    height:100%;\n+    background: rgba(0,0,0,0.5);\n+    display:flex;\n+    align-items:center;\n+    justify-content:center;\n+    z-index:9999;\n+}\n+\n+#eh-wechat-qr{\n+    background:#fff;\n+    padding:20px;\n+    border-radius:8px;\n+    text-align:center;\n+    display: flex;\n+    align-items: center;\n+    flex-direction: column;\n+    justify-content: center;\n+}\n+\n+#eh-wechat-message{\n+    margin-bottom:15px;\n+    font-weight:600;\n+    color:#333;\n+}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F5.0.7\u002Fassets\u002Fjs\u002Feh-affirm.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F5.0.8\u002Fassets\u002Fjs\u002Feh-affirm.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F5.0.7\u002Fassets\u002Fjs\u002Feh-affirm.js\t2026-01-06 03:11:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002F5.0.8\u002Fassets\u002Fjs\u002Feh-affirm.js\t2026-05-04 21:15:36.000000000 +0000\n@@ -3,7 +3,8 @@\n     \n \n try {\n-    var stripe = Stripe( eh_affirm_val.key, {apiVersion: eh_affirm_val.version} );\n+    \u002F\u002Fvar stripe = Stripe( eh_affirm_val.key, {apiVersion: eh_affirm_val.version} );\n+    var stripe = Stripe( eh_affirm_val.key );\n } catch( error ) {\n     console.log( error );\n     return;\n... (truncated)","1. Identify the targeted AJAX handler that lacks authorization checks, such as 'eh_stripe_disconnect_account' or 'eh_stripe_save_settings'.\n2. Navigate to a public page (e.g., the WooCommerce checkout page) to find localized JavaScript objects like 'eh_stripe_checkout_params' or 'eh_payment_request_params'.\n3. Extract the required security nonce from these localized objects (e.g., 'window.eh_stripe_checkout_params.nonce').\n4. Craft a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to the vulnerable callback and the extracted nonce in the request body.\n5. Execute the request to perform unauthorized administrative actions, such as clearing plugin logs or resetting the Stripe API connection.","gemini-3-flash-preview","2026-05-20 18:18:25","2026-05-20 18:19:57",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","5.0.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002Ftags\u002F5.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpayment-gateway-stripe-and-woocommerce-integration.5.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002Ftags\u002F5.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpayment-gateway-stripe-and-woocommerce-integration.5.0.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpayment-gateway-stripe-and-woocommerce-integration\u002Ftags"]