[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fV-s_gFVroicRNTLglE9p798jS7fSvnRUpdXdqQka9Zo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-39643","payment-plugins-for-paypal-woocommerce-missing-authorization","Payment Plugins for PayPal WooCommerce \u003C= 2.0.13 - Missing Authorization","The Payment Plugins for PayPal WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.13. This makes it possible for unauthenticated attackers to perform an unauthorized action.","pymntpl-paypal-woocommerce",null,"\u003C=2.0.13","2.0.14","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-14 00:00:00","2026-04-15 21:22:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8d60ddd3-b064-48de-bfd3-baac342150b4?source=api-prod",61,[22,23,24,25,26,27,28,29],"i18n\u002Flanguages\u002Fpymntpl-paypal-woocommerce.pot","packages\u002Fblocks\u002Fbuild\u002Flegacy\u002Fpaypal.asset.php","packages\u002Fblocks\u002Fbuild\u002Flegacy\u002Fpaypal.js","packages\u002Fblocks\u002Fbuild\u002Flegacy\u002Fpaypal.js.map","packages\u002Fblocks\u002Fbuild\u002Fpaypal.asset.php","packages\u002Fblocks\u002Fbuild\u002Fpaypal.js","packages\u002Fblocks\u002Fbuild\u002Fpaypal.js.map","packages\u002Fblocks\u002Fbuild\u002Fstyles-rtl.css","researched",false,3,"Setting)(\"ppcpGeneralData\")`\n    The settings are registered in `src\u002FBlocks\u002FPackage.php` or similar.\n    The variable name in the browser is usually `wc.wcSettings.getSetting( 'ppcpGeneralData' )`.\n\n    Let's use that.# Exploitation Research Plan: CVE-2026-39643\n\n## 1. Vulnerability Summary\nThe **Payment Plugins for PayPal WooCommerce** plugin for WordPress (versions \u003C= 2.0.13) contains a missing authorization vulnerability in several AJAX\u002FREST handlers. Specifically, functions related to the **Fastlane** checkout and order synchronization (such as `ppcp_fastlane_set_customer_data` or `ppcp_set_external_id`) are registered via `wp_ajax_nopriv_` but fail to implement a capability check or ownership validation. This allows an unauthenticated attacker to modify order metadata, customer billing\u002Fshipping details, or associate arbitrary PayPal transaction IDs with existing WooCommerce orders.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `ppcp_fastlane_set_customer_data` (or `ppcp_fastlane_set_billing_data`)\n- **HTTP Method**: POST\n- **Payload Parameters**:\n    - `action`: The AJAX action string (e.g., `ppcp_fastlane_set_customer_data`).\n    - `nonce`: A WordPress CSR","The Payment Plugins for PayPal WooCommerce plugin for WordPress (\u003C= 2.0.13) fails to perform authorization checks on several AJAX handlers, including those for Fastlane checkout data and order synchronization. This allows unauthenticated attackers to modify customer billing\u002Fshipping information or associate arbitrary PayPal transaction IDs with existing WooCommerce orders.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpymntpl-paypal-woocommerce\u002F2.0.13\u002Fi18n\u002Flanguages\u002Fpymntpl-paypal-woocommerce.pot \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpymntpl-paypal-woocommerce\u002F2.0.14\u002Fi18n\u002Flanguages\u002Fpymntpl-paypal-woocommerce.pot\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpymntpl-paypal-woocommerce\u002F2.0.13\u002Fi18n\u002Flanguages\u002Fpymntpl-paypal-woocommerce.pot\t2026-03-30 20:41:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpymntpl-paypal-woocommerce\u002F2.0.14\u002Fi18n\u002Flanguages\u002Fpymntpl-paypal-woocommerce.pot\t2026-04-10 22:30:46.000000000 +0000\n@@ -2,14 +2,14 @@\n # This file is distributed under the same license as the Payment Plugins for PayPal WooCommerce plugin.\n msgid \"\"\n msgstr \"\"\n-\"Project-Id-Version: Payment Plugins for PayPal WooCommerce 2.0.13\\n\"\n+\"Project-Id-Version: Payment Plugins for PayPal WooCommerce 2.0.14\\n\"\n \"Report-Msgid-Bugs-To: https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fpymntpl-paypal-woocommerce\\n\"\n \"Last-Translator: FULL NAME \u003CEMAIL@ADDRESS>\\n\"\n \"Language-Team: LANGUAGE \u003CLL@li.org>\\n\"\n \"MIME-Version: 1.0\\n\"\n \"Content-Type: text\u002Fplain; charset=UTF-8\\n\"\n \"Content-Transfer-Encoding: 8bit\\n\"\n-\"POT-Creation-Date: 2026-03-30T20:34:46+00:00\\n\"\n+\"POT-Creation-Date: 2026-04-10T22:27:22+00:00\\n\"\n \"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\\n\"\n \"X-Generator: WP-CLI 2.7.1\\n\"\n \"X-Domain: pymntpl-paypal-woocommerce\\n\"\n@@ -143,15 +143,15 @@\n msgid \"Please enter a valid email address before using Fastlane.\"\n msgstr \"\"\n \n-#: packages\u002Fblocks\u002Fsrc\u002FPayments\u002FGateways\u002FPayPalGateway.php:49\n+#: packages\u002Fblocks\u002Fsrc\u002FPayments\u002FGateways\u002FPayPalGateway.php:50\n msgid \"After clicking \\\"%1$s\\\", you will be redirected to PayPal to complete your purchase securely.\"\n msgstr \"\"\n \n-#: packages\u002Fblocks\u002Fsrc\u002FPayments\u002FGateways\u002FPayPalGateway.php:91\n+#: packages\u002Fblocks\u002Fsrc\u002FPayments\u002FGateways\u002FPayPalGateway.php:92\n msgid \"Some required fields are missing. Please review your details and then complete your order with PayPal.\"\n msgstr \"\"\n \n-#: packages\u002Fblocks\u002Fsrc\u002FPayments\u002FGateways\u002FPayPalGateway.php:123\n+#: packages\u002Fblocks\u002Fsrc\u002FPayments\u002FGateways\u002FPayPalGateway.php:124\n #: src\u002FPayments\u002FGateways\u002FPayPalGateway.php:195\n msgid \"Pay with PayPal\"\n msgstr \"\"\n... (truncated)","The exploit targets AJAX handlers registered without capability checks or ownership validation. An unauthenticated attacker can send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to a vulnerable handler (such as `ppcp_fastlane_set_customer_data` or `ppcp_set_external_id`). By providing specific parameters like `order_id` along with crafted billing or shipping metadata, the attacker can manipulate order records or associate their own transaction data with existing orders. No authentication or elevated privileges are required to perform these actions.","gemini-3-flash-preview","2026-04-20 22:38:51","2026-04-20 22:39:46",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.0.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpymntpl-paypal-woocommerce\u002Ftags\u002F2.0.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpymntpl-paypal-woocommerce.2.0.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpymntpl-paypal-woocommerce\u002Ftags\u002F2.0.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpymntpl-paypal-woocommerce.2.0.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpymntpl-paypal-woocommerce\u002Ftags"]