CVE-2025-67564

Pixel Manager for WooCommerce <= 1.51.1 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.52.0
Patched in
6d
Time to patch

Description

The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.51.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.51.1
PublishedDecember 15, 2025
Last updatedDecember 20, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

Since the source files for **Pixel Manager for WooCommerce <= 1.51.1** are not provided, this research plan is based on the vulnerability description (Unauthenticated Information Exposure) and common patterns found in this specific plugin's architecture (identifiable via its slug `woocommerce-google…

Show full research plan

Since the source files for Pixel Manager for WooCommerce <= 1.51.1 are not provided, this research plan is based on the vulnerability description (Unauthenticated Information Exposure) and common patterns found in this specific plugin's architecture (identifiable via its slug woocommerce-google-adwords-conversion-tracking-tag).

1. Vulnerability Summary

The Pixel Manager for WooCommerce plugin is vulnerable to unauthenticated information exposure. This typically occurs because a publicly accessible endpoint (either a wp_ajax_nopriv_* action or a REST API route) returns internal configuration data, user-specific details, or order information without proper authorization checks or data filtering. An attacker can query these endpoints to retrieve sensitive configuration parameters, such as API keys for tracking services, or potentially private customer/order data.

2. Attack Vector Analysis

  • Endpoints to Investigate:
    1. AJAX: wp-admin/admin-ajax.php with actions like pmw_get_data, wpm_get_settings, or similar (inferred from plugin slug pmw or wpm).
    2. REST API: Routes under the namespace pixel-manager-for-woocommerce/v1/ or wpm/v1/.
    3. Frontend Localization: Data exposed via wp_localize_script in the HTML source of the shop pages.
  • Authentication: None required (Unauthenticated).
  • Payload: A simple GET or POST request to the identified endpoint.
  • Preconditions: The plugin must be active. Some exposures may require WooCommerce to have at least one product or an active session (cart).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers a public-facing handler, likely using:
    • add_action( 'wp_ajax_nopriv_[ACTION_NAME]', ... )
    • OR register_rest_route( ..., 'permission_callback' => '__return_true' )
  2. Data Retrieval: The handler function calls get_option() to retrieve plugin settings or queries WooCommerce order/customer data.
  3. Vulnerable Sink: The function returns this data directly using wp_send_json() or a REST response without stripping sensitive keys (like Google API secrets, TikTok tokens, or internal server paths).

4. Nonce Acquisition Strategy

If the endpoint requires a nonce (common for AJAX even if nopriv), it is likely localized for the tracking scripts.

  1. Identify the Script Handle: Search the codebase for wp_localize_script. Look for variable names like pmw_vars, wpmData, or pixelManagerOptions.
  2. Shortcode/Page Creation: The tracking scripts usually load on the Shop or Cart pages.
    • wp post create --post_type=page --post_status=publish --post_title="Shop" --post_content='[woocommerce_shop]' (if not already present).
  3. Extraction via Browser:
    • Navigate to the Shop page.
    • Execute: browser_eval("window.pmw_vars?.nonce") or browser_eval("window.wpmData?.nonce").
  4. Bypass Check: Check if check_ajax_referer or wp_verify_nonce is actually implemented in the handler. Often, "Information Exposure" vulnerabilities exist because these checks are missing.

5. Exploitation Strategy

Step 1: Discover the Endpoint
Search the plugin directory for the following patterns to find the exposure point:

grep -rn "wp_ajax_nopriv" .
grep -rn "register_rest_route" .
grep -rn "wp_send_json" .

Step 2: Probe for Information Leak
If a REST route is found (e.g., /wp-json/pmw/v1/config):

  • Request:
    GET /wp-json/pmw/v1/config HTTP/1.1
    Host: TARGET_HOST
    
  • Tool: http_request

If an AJAX action is found (e.g., pmw_get_settings):

  • Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    action=pmw_get_settings&nonce=[EXTRACTED_NONCE]
    

Step 3: Analyze the Output
Look for JSON keys containing:

  • api_key, secret, token, password.
  • customer_email, order_id, address.
  • debug_info, path.

6. Test Data Setup

  1. Install WooCommerce: Ensure WooCommerce is active.
  2. Configure Plugin: Set dummy API keys in the Pixel Manager settings (Google Ads ID, TikTok Pixel ID, etc.) via the WordPress admin.
  3. Generate Traffic:
    • Add a product: wp wc product create --name="Test Product" --regular_price=10
    • (Optional) Place a test order to see if order details leak.

7. Expected Results

A successful exploit will return a 200 OK response with a JSON body containing sensitive configuration details that should not be visible to unauthenticated users.

  • Example Vulnerable Output:
    {
        "success": true,
        "data": {
            "google_ads_id": "AW-123456789",
            "ga4_api_secret": "SENSITIVE_SECRET_KEY",
            "tiktok_pixel_id": "C1234567890",
            "internal_path": "/var/www/html/wp-content/plugins/..."
        }
    }
    

8. Verification Steps

  1. CLI Check: Use WP-CLI to view the actual options stored in the database.
    wp option get pmw_settings
    
  2. Compare: Match the values returned by the http_request tool with the values stored in the database. If the API secrets match, the information exposure is confirmed.

9. Alternative Approaches

  • Debug Logs: Check if the plugin creates a public log file in wp-content/uploads/pixel-manager-for-woocommerce/logs/.
  • Cart Fragments: WooCommerce uses wc-ajax=get_refreshed_fragments. Check if the Pixel Manager hooks into this and appends sensitive configuration data to the JSON response.
  • Source Search: Use grep -r "get_option" . | grep "json" to find where options are being serialized into JSON responses.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.