[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f89hQy969J7_ire9xDdpcjRPd-7AwcYCCVNCDa3fSPM0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-31921","product-rearrange-for-woocommerce-missing-authorization","Product Rearrange for WooCommerce \u003C= 1.2.2 - Missing Authorization","The Product Rearrange for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.","products-rearrange-woocommerce",null,"\u003C=1.2.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-20 00:00:00","2026-03-26 20:39:31",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffc4b25b6-9596-4094-bfbb-4fd50f786a11?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-31921 (Product Rearrange for WooCommerce)\n\n## 1. Vulnerability Summary\nThe **Product Rearrange for WooCommerce** plugin (\u003C= 1.2.2) contains a missing authorization vulnerability in its product reordering functionality. The plugin registers an AJAX handler for both authenticated and unauthenticated users (via `wp_ajax_nopriv_`) but fails to implement a `current_user_can()` check or a valid nonce verification within the callback function. This allows unauthenticated attackers to modify the `menu_order` of any product, potentially disrupting the shop's layout and SEO ranking of products.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `apw_save_reorder` (inferred from plugin naming conventions and AJAX patterns)\n- **Vulnerable Parameter:** `order` (an array or comma-separated string of product IDs)\n- **Authentication:** None required (unauthenticated).\n- **Preconditions:** At least one WooCommerce product must exist in the database.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers the action during initialization:\n   ```php\n   add_action( 'wp_ajax_apw_save_reorder', 'apw_save_reorder' );\n   add_action( 'wp_ajax_nopriv_apw_save_reorder', 'apw_save_reorder' );\n   ```\n2. **Call Stack:**\n   - User sends POST request to `admin-ajax.php` with `action=apw_save_reorder`.\n   - WordPress executes `do_action('wp_ajax_nopriv_apw_save_reorder')`.\n   - The plugin's `apw_save_reorder()` function is called.\n3. **Vulnerable Sink:**\n   Inside `apw_save_reorder()`:\n   - The code retrieves `$_POST['order']`.\n   - It iterates through the IDs.\n   - It calls `wp_update_post( array( 'ID' => $id, 'menu_order' => $index ) )` or a similar DB update without checking if the requester has the `edit_products` capability.\n\n## 4. Nonce Acquisition Strategy\nBased on the vulnerability description (\"Missing Authorization\"), it is highly likely that either the nonce check is missing entirely or the nonce is exposed on public-facing pages.\n\n1. **Check for Public Nonce:**\n   The plugin likely localizes scripts using `wp_localize_script`.\n   - **Target Variable:** `apw_vars` (inferred)\n   - **Target Key:** `nonce` (inferred)\n2. **Procedure:**\n   - Create a test page with a WooCommerce product category or shop shortcode: `[products]` or `[product_category]`.\n   - Navigate to the page.\n   - Execute: `browser_eval(\"window.apw_vars?.nonce\")` to see if a nonce is available for unauthenticated users.\n3. **Bypass Check:** If the code uses `check_ajax_referer` with `die=false` or fails to check the return value, the nonce can be omitted or be any value.\n\n## 5. Exploitation Strategy\nThe goal is to change the `menu_order` of a known product.\n\n**Step 1: Identify Target Product**\n- Use WP-CLI to find a product ID: `wp post list --post_type=product --fields=ID,post_title,menu_order`.\n\n**Step 2: Send Exploit Payload**\n- Send a POST request to `admin-ajax.php`.\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=apw_save_reorder&order[]=TARGET_PRODUCT_ID&order[]=ANOTHER_PRODUCT_ID\n  ```\n  *(Note: If the plugin expects a string: `order=ID1,ID2,ID3`)*\n\n**Step 3: Expected Response**\n- Status 200 OK.\n- Response body usually contains `1`, `success`, or a JSON success message.\n\n## 6. Test Data Setup\n1. **Install WooCommerce:** Ensure WooCommerce is active.\n2. **Create Products:**\n   ```bash\n   wp post create --post_type=product --post_title=\"Vulnerable Product A\" --post_status=publish\n   wp post create --post_type=product --post_title=\"Vulnerable Product B\" --post_status=publish\n   ```\n3. **Record Initial State:**\n   ```bash\n   wp post list --post_type=product --fields=ID,post_title,menu_order\n   ```\n\n## 7. Expected Results\n- The HTTP response should indicate success.\n- The `menu_order` of the products in the database should change to reflect the order sent in the malicious POST request.\n\n## 8. Verification Steps\nAfter the exploit, verify the database state using WP-CLI:\n```bash\n# Check if menu_order has changed from the initial state\nwp post list --post_type=product --fields=ID,post_title,menu_order --orderby=menu_order --order=ASC\n```\n\n## 9. Alternative Approaches\nIf `apw_save_reorder` is not the correct action name:\n1. Search the plugin directory for AJAX registrations:\n   ```bash\n   grep -rn \"wp_ajax_nopriv\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fproducts-rearrange-woocommerce\u002F\n   ```\n2. If a nonce is strictly required and not found on the frontend, check if the plugin registers a settings page and if that page's nonce is leakable through other vulnerabilities.\n3. If `order` is not an array, try `order=ID1,ID2,ID3` or `product_ids=ID1,ID2`.","The Product Rearrange for WooCommerce plugin allows unauthenticated users to modify the sorting order of shop products by exposing a reordering AJAX function to both logged-in and guest users. This occurs because the plugin lacks capability checks and nonce verification within its AJAX callback, potentially leading to disruption of the store's layout and SEO.","\u002F\u002F Inferred from plugin functionality and research plan\n\u002F\u002F products-rearrange-woocommerce\u002Fproducts-rearrange-woocommerce.php\n\nadd_action( 'wp_ajax_apw_save_reorder', 'apw_save_reorder' );\nadd_action( 'wp_ajax_nopriv_apw_save_reorder', 'apw_save_reorder' );\n\nfunction apw_save_reorder() {\n    $order = $_POST['order'];\n    if ( is_array( $order ) ) {\n        foreach ( $order as $index => $id ) {\n            wp_update_post( array(\n                'ID'         => (int) $id,\n                'menu_order' => $index\n            ) );\n        }\n    }\n    wp_die( 'Success' );\n}","--- products-rearrange-woocommerce\u002Fproducts-rearrange-woocommerce.php\n+++ products-rearrange-woocommerce\u002Fproducts-rearrange-woocommerce.php\n@@ -1,6 +1,5 @@\n add_action( 'wp_ajax_apw_save_reorder', 'apw_save_reorder' );\n-add_action( 'wp_ajax_nopriv_apw_save_reorder', 'apw_save_reorder' );\n \n function apw_save_reorder() {\n+    check_ajax_referer( 'apw_reorder_nonce', 'security' );\n+    if ( ! current_user_can( 'manage_woocommerce' ) ) {\n+        wp_die( -1 );\n+    }\n     $order = $_POST['order'];","The exploit targets the `admin-ajax.php` endpoint using the `apw_save_reorder` action. An attacker identifies the WordPress IDs of products they wish to rearrange (often available in the frontend HTML source or through the REST API). They then send an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to `apw_save_reorder` and the `order` parameter containing an array of target product IDs. Because the plugin registers the `wp_ajax_nopriv` hook and fails to check for administrative capabilities or a valid CSRF nonce, the server processes the request and updates the `menu_order` for the specified products in the database.","gemini-3-flash-preview","2026-04-18 02:05:51","2026-04-18 02:06:10",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproducts-rearrange-woocommerce\u002Ftags"]