CVE-2026-24581

Points and Rewards for WooCommerce <= 2.9.5 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 2.9.6
Time to patch: 10d

Description

The Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, User Badges, Gamification plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.9.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.9.5
Published: January 19, 2026
Last updated: January 28, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

Research Plan: CVE-2026-24581 - Missing Authorization in Points and Rewards for WooCommerce

1. Vulnerability Summary

The Points and Rewards for WooCommerce plugin (versions <= 2.9.5) contains a missing authorization vulnerability. Specifically, one or more AJAX handlers registered via wp_ajax_ hooks lack a current_user_can() check. While these handlers may implement nonce verification, the nonces are often accessible to authenticated users (Subscriber-level and above) or the handlers verify nonces without verifying the user's administrative privileges. This allows any authenticated user to perform administrative actions such as modifying plugin settings or adjusting user point balances.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Action (Inferred): Likely mwb_wpr_save_settings, mwb_wpr_points_update, or mwb_wpr_save_general_settings.
  • Parameter: action, nonce, and setting-specific parameters (e.g., mwb_wpr_points_on_registration).
  • Authentication: Subscriber-level access is required (PR:L).
  • Precondition: The plugin must be active. A nonce must be obtained from the WordPress dashboard or a localized script.

3. Code Flow (Inferred)

  1. Registration: The plugin registers AJAX handlers in a file like includes/class-points-rewards-for-woocommerce-ajax.php or admin/class-points-rewards-for-woocommerce-admin.php.
    • Hook: add_action( 'wp_ajax_mwb_wpr_save_settings', array( $this, 'mwb_wpr_save_settings' ) );
  2. Entry Point: A POST request is sent to admin-ajax.php with action=mwb_wpr_save_settings.
  3. Execution: The function mwb_wpr_save_settings() is called.
  4. Vulnerability:
    • The function calls check_ajax_referer( 'mwb_wpr_nonce', 'nonce' ) (or similar).
    • Crucially, it fails to call current_user_can( 'manage_options' ).
  5. Sink: The function proceeds to update plugin options using update_option() based on the values provided in $_POST.
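The defect described in steps 4 and 5 is easiest to see as a before/after pair. The following PHP is an added illustration, not code from the Points and Rewards for WooCommerce plugin; the hook name (example_save_settings), nonce action (example_settings_nonce), option name (example_points_registration) and admin page slug (example-settings) are hypothetical placeholders. The point it makes is that check_ajax_referer() is a CSRF control, not an authorization control: it proves the request carries a nonce minted for this site, not that the caller is allowed to change settings.

```php
<?php
/*
 * Added illustration of the inferred code flow above. Not code from the
 * Points and Rewards for WooCommerce plugin; every identifier below is a
 * hypothetical placeholder.
 */

// BEFORE (vulnerable pattern): the nonce is verified, but the handler never
// asks whether the caller may change settings. Any logged-in user who holds
// the nonce reaches update_option().
function example_save_settings_before() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    $value = isset( $_POST['example_points_registration'] )
        ? absint( wp_unslash( $_POST['example_points_registration'] ) )
        : 0;
    update_option( 'example_points_registration', $value );
    wp_send_json_success();
}

// AFTER (hardened): nonce check for CSRF, then an explicit capability check
// before any state change. wp_send_json_error() ends the request, so nothing
// below it runs for an unauthorized caller.
function example_save_settings_after() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['example_points_registration'] )
        ? absint( wp_unslash( $_POST['example_points_registration'] ) )
        : 0;
    update_option( 'example_points_registration', $value );
    wp_send_json_success( array( 'example_points_registration' => $value ) );
}

// Only the hardened handler is registered. A wp_ajax_* hook (as opposed to
// wp_ajax_nopriv_*) already requires a logged-in user; that is authentication,
// and current_user_can() supplies the authorization that was missing.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_after' );

// Defence in depth: localize the nonce only on the plugin's own settings
// screen and only for users who hold the capability, so generic dashboard
// pages never hand it to lower-privileged accounts. 'toplevel_page_<slug>' is
// the hook suffix WordPress uses for a top-level menu page.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'toplevel_page_example-settings' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'example_admin_obj', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_settings_nonce' ),
    ) );
} );
```

The capability check must sit in the handler itself; restricting where the nonce is printed (the second hook) reduces exposure but does not replace it, because a nonce leaked through any other page would still unlock the handler.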

4. Nonce Acquisition Strategy

The plugin likely localizes a nonce for its AJAX operations. Even if intended for the admin dashboard, Subscriber-level users can often access the dashboard (/wp-admin/profile.php) where common scripts are enqueued.

  1. Identification: Search the source code for wp_localize_script to find the JavaScript object name.
    • Search Command: grep -rn "wp_localize_script" .
  2. Detection: Look for an object like mwb_wpr_admin_obj or mwb_wpr_obj.
  3. Acquisition:
    • Create a Subscriber user.
    • Log in as the Subscriber.
    • Navigate to /wp-admin/profile.php.
    • Use browser_eval to extract the nonce:
      browser_eval("window.mwb_wpr_admin_obj?.nonce") (Replace with actual variable/key found).

5. Exploitation Strategy

Step 1: Discover the exact vulnerable action

Search the plugin for AJAX actions that lack capability checks:

grep -rn "add_action.*wp_ajax_" .

Then, check the corresponding functions for the absence of current_user_can.

Step 2: Identify the Nonce Name and Variable

Find where the nonce is created and localized:

grep -rn "wp_create_nonce" .
grep -rn "wp_localize_script" .

Step 3: Craft the Payload

If the vulnerable action is mwb_wpr_save_settings, the payload would target changing a sensitive setting (e.g., points awarded for a simple action).

Target URL: http://localhost:8080/wp-admin/admin-ajax.php
Headers: Content-Type: application/x-www-form-urlencoded
Body Parameters:

  • action: mwb_wpr_save_settings (or the discovered action)
  • nonce: [EXTRACTED_NONCE]
  • mwb_wpr_points_registration: 999999 (Example setting to manipulate)

6. Test Data Setup

  1. Plugin: Install and activate "Points and Rewards for WooCommerce" v2.9.5.
  2. User: Create a Subscriber user:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  3. WooCommerce: Ensure WooCommerce is installed and set up (required dependency).

7. Expected Results

  • Response: The server should return a 200 OK response, often with a JSON body like {"success": true} or a simple 1.
  • Impact: Administrative settings of the plugin will be updated to the values provided by the Subscriber.

8. Verification Steps

  1. Check Option via WP-CLI:
    Check if the targeted option was modified in the database:
    wp option get mwb_wpr_points_registration (or the specific option discovered).
  2. UI Verification:
    Login as Admin and check the plugin's settings page to see if the values have changed.

9. Alternative Approaches

If mwb_wpr_save_settings is not the vulnerable action, look for:

  • mwb_wpr_update_user_points: If this lacks authorization, a Subscriber could grant themselves infinite points.
  • mwb_wpr_reset_points: If this lacks authorization, a Subscriber could delete all points for all users.
  • Settings Export/Import: Look for wp_ajax_mwb_wpr_import_settings which might allow uploading malicious configuration files.

Search query for the agent:
grep -rl "function mwb_wpr_" . | xargs grep -L "current_user_can" to list files that define functions with the plugin prefix but never call current_user_can (the -l flag makes the first grep emit file names rather than matching lines, which is what xargs needs; the filter is per file, so a file that checks the capability in one handler but not another still needs manual review).
