[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLsbvZpVUZI4rAdO0xfSzUBekB3Ediss7v6CQpDUE1EQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-48971","product-import-export-for-woocommerce-import-export-product-csv-suite-missing-authorization","Product Import Export for WooCommerce – Import Export Product CSV Suite \u003C= 2.5.6 - Missing Authorization","The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","product-import-export-for-woo",null,"\u003C=2.5.6","2.5.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 00:00:00","2026-06-01 16:12:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc506c0fb-d853-45d2-b6d5-9c3b1fa4f1e8?source=api-prod",6,[22,23,24],"admin\u002Fbanner\u002Fassets\u002Fcss\u002Fwtier-bfcm-twenty-twenty-four.css","admin\u002Fbanner\u002Fassets\u002Fjs\u002Fwtier-bfcm-twenty-twenty-four.js","admin\u002Fbanner\u002Fclass-wt-p-iew-cta-banner-default-page.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-48971 - Missing Authorization\n\n## 1. Vulnerability Summary\nThe **Product Import Export for WooCommerce** plugin (\u003C= 2.5.6) contains a missing authorization vulnerability in its banner dismissal logic. Specifically, the AJAX handler `wt_p_iew_dismiss_cta_banner_default_page` (and potentially others like those related to BFCM banners) fails to perform a capability check (e.g., `current_user_can( 'manage_woocommerce' )`). This allows any authenticated user, including those with **Subscriber** privileges, to modify plugin options (specifically the dismissal state of admin notices) via the `admin-ajax.php` endpoint.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `wt_p_iew_dismiss_cta_banner_default_page` (Registered in `admin\u002Fbanner\u002Fclass-wt-p-iew-cta-banner-default-page.php`)\n- **HTTP Method:** `POST`\n- **Required Parameters:**\n    - `action`: `wt_p_iew_dismiss_cta_banner_default_page`\n    - `_wpnonce`: (Possibly required, depending on the implementation of `dismiss_product_cta_banner`)\n- **Authentication:** Authenticated, Subscriber-level or higher.\n- **Preconditions:** None, as long as the user can log in and access the WordPress dashboard (e.g., `wp-admin\u002Fprofile.php`).\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers the AJAX hook in the constructor of `WT_P_IEW_CTA_Banner_Default_Page`:\n   ```php\n   \u002F\u002F admin\u002Fbanner\u002Fclass-wt-p-iew-cta-banner-default-page.php\n   add_action('wp_ajax_wt_p_iew_dismiss_cta_banner_default_page', array($this, 'dismiss_product_cta_banner'));\n   ```\n2. **AJAX Call:** A Subscriber sends a POST request to `admin-ajax.php` with the action `wt_p_iew_dismiss_cta_banner_default_page`.\n3. **Execution:** The WordPress AJAX dispatcher calls `$this->dismiss_product_cta_banner()`.\n4. **Vulnerable Sink:** The function (inferred based on usage in `product_cta_banner_in_default_page`) likely executes:\n   ```php\n   public function dismiss_product_cta_banner() {\n       \u002F\u002F MISSING: current_user_can() check\n       update_option( 'wt_p_iew_product_cta_banner_default_page_dismissed', 1 );\n       wp_send_json_success();\n   }\n   ```\n   The logic flaw is that any logged-in user can trigger this `update_option` call because the `wp_ajax_` hook is available to all authenticated users.\n\n## 4. Nonce Acquisition Strategy\nWhile the provided snippet is truncated, the JS file `admin\u002Fbanner\u002Fassets\u002Fjs\u002Fwtier-bfcm-twenty-twenty-four.js` shows a pattern for nonces:\n`_wpnonce: wtier_bfcm_twenty_twenty_four_banner_js_params.nonce`\n\nIf `wt_p_iew_dismiss_cta_banner_default_page` requires a nonce, it is likely localized via `wp_localize_script`. Since a Subscriber can access `wp-admin\u002Fprofile.php`, we can check if the plugin enqueues its parameters there.\n\n**Steps:**\n1. Log in as a **Subscriber**.\n2. Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n3. Use `browser_eval` to search for localized objects. Possible candidates based on the code:\n   - `window.wtier_bfcm_twenty_twenty_four_banner_js_params`\n   - `window.wt_p_iew_params` (Inferred common pattern)\n   - `window.wt_p_iew_banner_params` (Inferred)\n4. If a nonce is found, use it in the POST request. If no nonce check is implemented in the PHP handler, the request will work without it.\n\n## 5. Exploitation Strategy\nWe will attempt to trigger the dismissal of the \"Default Page Banner\" by updating the `wt_p_iew_product_cta_banner_default_page_dismissed` option.\n\n### Step 1: Discover the Nonce (if applicable)\nNavigate to the admin dashboard as a Subscriber and extract any potential nonces.\n```javascript\n\u002F\u002F Example JS to run via browser_eval\nJSON.stringify(window.wtier_bfcm_twenty_twenty_four_banner_js_params || window.wt_p_iew_params || \"No nonce object found\")\n```\n\n### Step 2: Trigger the Unauthorized Action\nSend the AJAX request using the `http_request` tool.\n\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=wt_p_iew_dismiss_cta_banner_default_page&_wpnonce=[NONCE_IF_FOUND]\n  ```\n\n## 6. Test Data Setup\n1. **Target User:** Create a user with the `subscriber` role.\n2. **Plugin State:** Ensure the plugin is active.\n3. **Verify Initial State:**\n   - Run `wp option get wt_p_iew_product_cta_banner_default_page_dismissed`.\n   - It should return `false` or \"Could not find\" (meaning the banner is NOT dismissed).\n\n## 7. Expected Results\n- The server should respond with a `200 OK` and likely a JSON success message: `{\"success\":true}`.\n- The option `wt_p_iew_product_cta_banner_default_page_dismissed` should be created\u002Fupdated in the database.\n\n## 8. Verification Steps\nAfter performing the HTTP request, use WP-CLI to confirm the option was changed:\n```bash\nwp option get wt_p_iew_product_cta_banner_default_page_dismissed\n```\n**Success Criteria:** The command returns `1` or `true`.\n\n## 9. Alternative Approaches\nIf `wt_p_iew_dismiss_cta_banner_default_page` is protected, investigate the **BFCM (Black Friday)** banner dismissal, which uses the following identifiers from the provided JS\u002FCSS:\n- **JS Action Param:** `wtier_bfcm_twenty_twenty_four_banner_js_params.action`\n- **Likely AJAX Action:** `wtier_bfcm_twenty_twenty_four_banner_action` (inferred from variable names)\n- **Likely Option:** `wtier_bfcm_twenty_twenty_four_banner_dismissed` (inferred)\n\nUse the same logic: find the localized object `wtier_bfcm_twenty_twenty_four_banner_js_params` and trigger its action as a Subscriber.","The Product Import Export for WooCommerce plugin is vulnerable to unauthorized modification of plugin settings due to a missing capability check in its AJAX handlers for admin notice dismissal. Authenticated attackers with subscriber-level permissions or higher can trigger the dismissal of promotional banners across the site by invoking the 'wt_p_iew_dismiss_cta_banner_default_page' AJAX action.","\u002F\u002F admin\u002Fbanner\u002Fclass-wt-p-iew-cta-banner-default-page.php\npublic function __construct()\n{\n    add_action('admin_footer', array($this, 'product_cta_banner_in_default_page'));\n    \u002F\u002F Vulnerable AJAX hook registered for all authenticated users without capability check\n    add_action('wp_ajax_wt_p_iew_dismiss_cta_banner_default_page', array($this, 'dismiss_product_cta_banner'));\n}\n\n\u002F\u002F Line numbers inferred based on constructor position (~190-200)\npublic function dismiss_product_cta_banner() {\n    \u002F\u002F MISSING: current_user_can('manage_woocommerce') check\n    update_option( 'wt_p_iew_product_cta_banner_default_page_dismissed', 1 );\n    wp_send_json_success();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fproduct-import-export-for-woo\u002F2.5.6\u002Fadmin\u002Fbanner\u002Fclass-wt-p-iew-cta-banner-default-page.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fproduct-import-export-for-woo\u002F2.5.7\u002Fadmin\u002Fbanner\u002Fclass-wt-p-iew-cta-banner-default-page.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fproduct-import-export-for-woo\u002F2.5.6\u002Fadmin\u002Fbanner\u002Fclass-wt-p-iew-cta-banner-default-page.php\t2025-09-02 17:31:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fproduct-import-export-for-woo\u002F2.5.7\u002Fadmin\u002Fbanner\u002Fclass-wt-p-iew-cta-banner-default-page.php\t2025-10-30 10:52:08.000000000 +0000\n@@ -154,7 +154,7 @@\n                             type: 'POST',\n                             data: {\n                                 action: 'wt_p_iew_dismiss_cta_banner_default_page',\n-                                nonce: '\u003C?php echo wp_create_nonce( 'wt_p_iew_dismiss_cta_banner_default_page' ); ?>'\n+                                nonce: '\u003C?php echo esc_js(wp_create_nonce( 'wt_p_iew_dismiss_cta_banner_default_page' )); ?>'\n                             },\n                             dataType: 'json',\n                             success: function(response) {\n@@ -194,6 +194,10 @@\n \t\t *\u002F\n \t\tpublic function dismiss_product_cta_banner() {\n \t\t\tcheck_ajax_referer( 'wt_p_iew_dismiss_cta_banner_default_page', 'nonce' );\n+\n+\t\t\tif ( ! current_user_can( 'manage_woocommerce' ) ) {\n+\t\t\t\twp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'product-import-export-for-woo' ) ) );\n+\t\t\t}\n+\n \t\t\tupdate_option( 'wt_p_iew_product_cta_banner_default_page_dismissed', 1 );\n \t\t\twp_send_json_success();\n \t\t}","1. Authentication: Log in as a user with at least Subscriber-level privileges.\n2. Nonce Acquisition: Access any admin page (like \u002Fwp-admin\u002Fprofile.php) and inspect the localized JavaScript objects (e.g., in the source of the banner rendering logic) to find the 'wt_p_iew_dismiss_cta_banner_default_page' nonce.\n3. Payload Construction: Prepare an AJAX POST request to '\u002Fwp-admin\u002Fadmin-ajax.php'.\n4. Request Parameters: Set 'action' to 'wt_p_iew_dismiss_cta_banner_default_page' and '_wpnonce' to the extracted nonce value.\n5. Execution: Dispatch the POST request. The server will execute 'dismiss_product_cta_banner', which updates the 'wt_p_iew_product_cta_banner_default_page_dismissed' option to '1', effectively altering site-wide plugin configurations without the necessary administrative permissions.","gemini-3-flash-preview","2026-06-04 18:22:09","2026-06-04 18:23:42",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.5.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-import-export-for-woo\u002Ftags\u002F2.5.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fproduct-import-export-for-woo.2.5.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-import-export-for-woo\u002Ftags\u002F2.5.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fproduct-import-export-for-woo.2.5.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-import-export-for-woo\u002Ftags"]