Pixel Manager for WooCommerce <= 1.51.1 - Unauthenticated Information Exposure
Description
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.51.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.51.1Source Code
WordPress.org SVNSince the source files for **Pixel Manager for WooCommerce <= 1.51.1** are not provided, this research plan is based on the vulnerability description (Unauthenticated Information Exposure) and common patterns found in this specific plugin's architecture (identifiable via its slug `woocommerce-google…
Show full research plan
Since the source files for Pixel Manager for WooCommerce <= 1.51.1 are not provided, this research plan is based on the vulnerability description (Unauthenticated Information Exposure) and common patterns found in this specific plugin's architecture (identifiable via its slug woocommerce-google-adwords-conversion-tracking-tag).
1. Vulnerability Summary
The Pixel Manager for WooCommerce plugin is vulnerable to unauthenticated information exposure. This typically occurs because a publicly accessible endpoint (either a wp_ajax_nopriv_* action or a REST API route) returns internal configuration data, user-specific details, or order information without proper authorization checks or data filtering. An attacker can query these endpoints to retrieve sensitive configuration parameters, such as API keys for tracking services, or potentially private customer/order data.
2. Attack Vector Analysis
- Endpoints to Investigate:
- AJAX:
wp-admin/admin-ajax.phpwith actions likepmw_get_data,wpm_get_settings, or similar (inferred from plugin slugpmworwpm). - REST API: Routes under the namespace
pixel-manager-for-woocommerce/v1/orwpm/v1/. - Frontend Localization: Data exposed via
wp_localize_scriptin the HTML source of the shop pages.
- AJAX:
- Authentication: None required (Unauthenticated).
- Payload: A simple GET or POST request to the identified endpoint.
- Preconditions: The plugin must be active. Some exposures may require WooCommerce to have at least one product or an active session (cart).
3. Code Flow (Inferred)
- Entry Point: The plugin registers a public-facing handler, likely using:
add_action( 'wp_ajax_nopriv_[ACTION_NAME]', ... )- OR
register_rest_route( ..., 'permission_callback' => '__return_true' )
- Data Retrieval: The handler function calls
get_option()to retrieve plugin settings or queries WooCommerce order/customer data. - Vulnerable Sink: The function returns this data directly using
wp_send_json()or a REST response without stripping sensitive keys (like Google API secrets, TikTok tokens, or internal server paths).
4. Nonce Acquisition Strategy
If the endpoint requires a nonce (common for AJAX even if nopriv), it is likely localized for the tracking scripts.
- Identify the Script Handle: Search the codebase for
wp_localize_script. Look for variable names likepmw_vars,wpmData, orpixelManagerOptions. - Shortcode/Page Creation: The tracking scripts usually load on the Shop or Cart pages.
wp post create --post_type=page --post_status=publish --post_title="Shop" --post_content='[woocommerce_shop]'(if not already present).
- Extraction via Browser:
- Navigate to the Shop page.
- Execute:
browser_eval("window.pmw_vars?.nonce")orbrowser_eval("window.wpmData?.nonce").
- Bypass Check: Check if
check_ajax_refererorwp_verify_nonceis actually implemented in the handler. Often, "Information Exposure" vulnerabilities exist because these checks are missing.
5. Exploitation Strategy
Step 1: Discover the Endpoint
Search the plugin directory for the following patterns to find the exposure point:
grep -rn "wp_ajax_nopriv" .
grep -rn "register_rest_route" .
grep -rn "wp_send_json" .
Step 2: Probe for Information Leak
If a REST route is found (e.g., /wp-json/pmw/v1/config):
- Request:
GET /wp-json/pmw/v1/config HTTP/1.1 Host: TARGET_HOST - Tool:
http_request
If an AJAX action is found (e.g., pmw_get_settings):
- Request:
POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=pmw_get_settings&nonce=[EXTRACTED_NONCE]
Step 3: Analyze the Output
Look for JSON keys containing:
api_key,secret,token,password.customer_email,order_id,address.debug_info,path.
6. Test Data Setup
- Install WooCommerce: Ensure WooCommerce is active.
- Configure Plugin: Set dummy API keys in the Pixel Manager settings (Google Ads ID, TikTok Pixel ID, etc.) via the WordPress admin.
- Generate Traffic:
- Add a product:
wp wc product create --name="Test Product" --regular_price=10 - (Optional) Place a test order to see if order details leak.
- Add a product:
7. Expected Results
A successful exploit will return a 200 OK response with a JSON body containing sensitive configuration details that should not be visible to unauthenticated users.
- Example Vulnerable Output:
{ "success": true, "data": { "google_ads_id": "AW-123456789", "ga4_api_secret": "SENSITIVE_SECRET_KEY", "tiktok_pixel_id": "C1234567890", "internal_path": "/var/www/html/wp-content/plugins/..." } }
8. Verification Steps
- CLI Check: Use WP-CLI to view the actual options stored in the database.
wp option get pmw_settings - Compare: Match the values returned by the
http_requesttool with the values stored in the database. If the API secrets match, the information exposure is confirmed.
9. Alternative Approaches
- Debug Logs: Check if the plugin creates a public log file in
wp-content/uploads/pixel-manager-for-woocommerce/logs/. - Cart Fragments: WooCommerce uses
wc-ajax=get_refreshed_fragments. Check if the Pixel Manager hooks into this and appends sensitive configuration data to the JSON response. - Source Search: Use
grep -r "get_option" . | grep "json"to find where options are being serialized into JSON responses.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.