[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWoGuGvLUgtdLZwY19CpOblLLnAklOxyWzVSjijvYANM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39656","razorpay-for-woocommerce-missing-authorization-2","Razorpay for WooCommerce \u003C= 4.8.2 - Missing Authorization","The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.8.2. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","woo-razorpay",null,"\u003C=4.8.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-16 00:00:00","2026-04-15 21:24:16",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4d722bf7-1caa-4637-b512-af6e09c2b21e?source=api-prod",[],"researched",false,3,"Since the source files for version 4.8.2 of the **Razorpay for WooCommerce** plugin are not provided, this research plan is based on the vulnerability description (Missing Authorization) and common architectural patterns in this specific plugin.\n\n### 1. Vulnerability Summary\nThe **Razorpay for WooCommerce** plugin (up to 4.8.2) suffers from a missing authorization vulnerability. This typically occurs when a sensitive function is registered as an AJAX handler (via `wp_ajax_` or `wp_ajax_nopriv_`) or hooked into a global initialization hook (like `admin_init` or `init`), but fails to perform a `current_user_can()` capability check before executing its logic.\n\nThe vulnerability allows an unauthenticated attacker to trigger a function that might modify plugin settings, leak sensitive configuration data (like Razorpay API keys), or interfere with the order\u002Fpayment lifecycle.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (for AJAX-based issues) or `\u002F` (if hooked to `init`\u002F`admin_init`).\n*   **Vulnerable Action (Inferred):** Based on common issues in payment gateways, the likely candidates are:\n    1.  `razorpay_update_settings` (Updating API keys)\n    2.  `razorpay_test_connection` (Validating keys, potentially leaking info)\n    3.  `razorpay_capture_payment` (Manually triggering payment capture)\n*   **Authentication:** None (Unauthenticated).\n*   **Payload Type:** `application\u002Fx-www-form-urlencoded`.\n\n### 3. Code Flow (Inferred Trace)\n1.  
**Entry Point:** An unauthenticated HTTP POST request is sent to `admin-ajax.php` with an `action` parameter.\n2.  **Hook Registration:** The plugin registers a handler in its main class or an admin-specific file:\n    ```php\n    \u002F\u002F Potential registration in class-wc-razorpay.php or similar\n    add_action( 'wp_ajax_nopriv_rzp_some_sensitive_action', array( $this, 'vulnerable_function' ) );\n    add_action( 'wp_ajax_rzp_some_sensitive_action', array( $this, 'vulnerable_function' ) );\n    ```\n3.  **Vulnerable Sink:** The `vulnerable_function` executes. It may check for a WordPress **nonce**, but fails to check for **user capabilities** (e.g., `manage_options`).\n4.  **Execution:** The function performs an action like `update_option()` or `wp_remote_post()` using attacker-supplied data.\n\n### 4. Nonce Acquisition Strategy\nIf the vulnerable endpoint requires a nonce, it is likely exposed on the WooCommerce checkout page or the WordPress admin dashboard (if the vulnerability is meant for authenticated users but lacks capability checks).\n\n1.  **Identify Shortcode\u002FPage:** Razorpay usually loads on the **Checkout** page.\n2.  **Creation:** \n    `wp post create --post_type=page --post_status=publish --post_title=\"Checkout\" --post_content='[woocommerce_checkout]'`\n3.  **Navigation:** Use `browser_navigate` to visit the newly created checkout page.\n4.  **Extraction:**\n    Search for localized script data in the browser console.\n    ```javascript\n    \u002F\u002F Examples of what to look for:\n    browser_eval(\"window.wc_razorpay_params?.nonce\")\n    browser_eval(\"window.razorpay_settings?.ajax_nonce\")\n    ```\n5.  **Bypass Check:** If the code uses `check_ajax_referer( 'action', 'nonce', false )` (with the `false` parameter) and doesn't check the return value, the nonce can be any string.\n\n### 5. 
Exploitation Strategy\nThe goal is to identify which AJAX action is unprotected.\n\n**Step 1: Discovery**\nFind all registered AJAX actions in the plugin:\n```bash\ngrep -rn \"wp_ajax\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwoo-razorpay\u002F\n```\nCheck if any sensitive actions are registered with `wp_ajax_nopriv_`.\n\n**Step 2: Targeted Attack (Example: API Key Modification)**\nIf an action like `rzp_update_options` is found without authorization checks:\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=rzp_update_options&key_id=OWNED_KEY&key_secret=OWNED_SECRET&nonce=[EXTRACTED_NONCE]\n    ```\n\n**Step 3: Verification**\nConfirm the settings were changed via WP-CLI.\n\n### 6. Test Data Setup\n1.  **Install WooCommerce:** The plugin requires WooCommerce to be active.\n2.  **Enable Razorpay:** Configure a dummy set of Razorpay keys in the WooCommerce settings so the plugin is \"active.\"\n    ```bash\n    wp option update woocommerce_razorpay_settings '{\"enabled\":\"yes\",\"key_id\":\"rzp_test_123\",\"key_secret\":\"secret_123\"}' --format=json\n    ```\n3.  **Create Checkout Page:** As described in Section 4.\n\n### 7. Expected Results\n*   **Successful Exploit:** The server responds with `200 OK` or a success JSON message (e.g., `{\"success\":true}`).\n*   **State Change:** The plugin's configuration options are modified to the attacker's values, or a sensitive action (like an order update) is performed.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the impact using WP-CLI:\n```bash\n# Check if API keys were changed\nwp option get woocommerce_razorpay_settings\n\n# Check if a specific order status was changed\nwp post get [ORDER_ID] --field=post_status\n```\n\n### 9. Alternative Approaches\nIf the vulnerability is not in an AJAX handler:\n1.  
**Search for `admin_init` hooks:**\n    ```bash\n    grep -rn \"add_action.*admin_init\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwoo-razorpay\u002F\n    ```\n    Examine the callback functions. If they perform actions based on `$_GET` or `$_POST` without `current_user_can()`, they are vulnerable. Note that `admin_init` runs for unauthenticated requests to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2.  **Check REST API:**\n    ```bash\n    grep -rn \"register_rest_route\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwoo-razorpay\u002F\n    ```\n    Look for routes where the `permission_callback` returns `__return_true` or is missing.","The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on AJAX handlers or administrative functions in versions up to and including 4.8.2. This vulnerability allows unauthenticated attackers to execute sensitive actions, such as modifying plugin configurations or API credentials, by directly interacting with unprotected endpoints.","\u002F\u002F Likely in includes\u002Fadmin\u002Fclass-wc-razorpay-admin.php or the main plugin file\n\u002F\u002F Sensitive actions are registered without sufficient capability checks\n\nadd_action( 'wp_ajax_nopriv_rzp_update_options', array( $this, 'vulnerable_function' ) );\nadd_action( 'wp_ajax_rzp_update_options', array( $this, 'vulnerable_function' ) );\n\n---\n\n\u002F\u002F The callback function performs sensitive logic without verifying the user's role\npublic function vulnerable_function() {\n    \u002F\u002F The function may check a nonce but fails to check current_user_can()\n    check_ajax_referer( 'rzp_update_nonce', 'security' );\n\n    if ( isset( $_POST['key_id'] ) && isset( $_POST['key_secret'] ) ) {\n        update_option( 'woocommerce_razorpay_settings', array(\n            'key_id'     => sanitize_text_field( $_POST['key_id'] ),\n            'key_secret' => sanitize_text_field( 
$_POST['key_secret'] ),\n        ));\n        wp_send_json_success();\n    }\n}","--- a\u002Fincludes\u002Fadmin\u002Fclass-wc-razorpay-admin.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-wc-razorpay-admin.php\n@@ -10,6 +10,11 @@\n \n public function vulnerable_function() {\n+    \u002F\u002F Add capability check to ensure only authorized admins can modify settings\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );\n+    }\n+\n     check_ajax_referer( 'rzp_update_nonce', 'security' );\n \n     if ( isset( $_POST['key_id'] ) ) {","The exploit targets the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php). An unauthenticated attacker identifies a sensitive action registered via the 'wp_ajax_nopriv_' hook (or a 'wp_ajax_' hook that lacks capability checks). By sending a POST request with the 'action' parameter set to the vulnerable callback (e.g., 'rzp_update_options'), the attacker can trigger the function. If a nonce is required, it is typically retrieved by inspecting the checkout page's localized JavaScript variables (e.g., 'wc_razorpay_params'). The attacker then supplies a payload containing new API keys or configuration settings, which the plugin saves to the database because it fails to verify if the requester has administrative privileges.","gemini-3-flash-preview","2026-04-20 21:57:00","2026-04-20 21:57:18",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-razorpay\u002Ftags"]
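The research plan's discovery step (grep for `wp_ajax` registrations, then `admin_init` callbacks and REST routes whose `permission_callback` is `__return_true`) is mechanical enough to script. The following is an added example written for this page, not code from the Razorpay plugin or from the page's author: a small static triage pass that lists every `wp_ajax_*` / `wp_ajax_nopriv_*` registration in a PHP file, resolves the callback, and reports whether the callback body calls `current_user_can()`, whether it calls `check_ajax_referer()` with `$die = false` and ignores the result (the nonce bypass the plan mentions), and which REST routes are open to everyone. The embedded `SAMPLE_PHP` is constructed for illustration; its class, hook, option, route and function names are assumptions and not taken from the plugin.

```python
"""Static triage for the bug class this advisory describes: WordPress AJAX and REST
handlers reachable without a capability check.  Added example for this page, not code
from the Razorpay plugin or its author; SAMPLE_PHP and every name in it are constructed."""
import re

SAMPLE_PHP = r"""<?php
class WC_Razorpay_Demo {
    public function __construct() {
        add_action( 'wp_ajax_nopriv_rzp_update_options', array( $this, 'update_options' ) );
        add_action( 'wp_ajax_rzp_update_options', array( $this, 'update_options' ) );
        add_action( 'wp_ajax_rzp_refund_order', [ $this, 'refund_order' ] );
        add_action( 'wp_ajax_rzp_export_log', array( $this, 'export_log' ) );
        add_action( 'rest_api_init', array( $this, 'routes' ) );
    }
    public function update_options() {   // nonce only, no capability check: the page's pattern
        check_ajax_referer( 'rzp_update_nonce', 'security' );
        update_option( 'woocommerce_razorpay_settings', $_POST );
        wp_send_json_success();
    }
    public function refund_order() {     // $die = false and the result is never tested
        check_ajax_referer( 'rzp_refund_nonce', 'security', false );
        if ( ! current_user_can( 'manage_woocommerce' ) ) { wp_send_json_error( 'forbidden', 403 ); }
        wp_send_json_success();
    }
    public function export_log() {       // guarded: capability first, then nonce
        if ( ! current_user_can( 'manage_woocommerce' ) ) { wp_send_json_error( 'forbidden', 403 ); }
        check_ajax_referer( 'rzp_log_nonce', 'security' );
        wp_send_json_success( get_option( 'rzp_log' ) );
    }
    public function routes() {
        register_rest_route( 'rzp/v1', '/settings', array(
            'callback'            => array( $this, 'update_options' ),
            'permission_callback' => '__return_true',
        ) );
    }
}
"""

AJAX_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*(.*?)\)\s*;""", re.S)
REST_RE = re.compile(r"register_rest_route\((.*?)\)\s*;", re.S)
ROUTE_RE = re.compile(r"""['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]""")
PERM_RE = re.compile(r"""['"]permission_callback['"]\s*=>\s*([^\n]+?),?\s*$""", re.M)
NONCE_RE = re.compile(r"check_ajax_referer\(([^)]*)\)")

def callback_name(expr):
    """Resolve add_action()'s callable: [$this, 'm'], array($this, 'm') or 'fn'."""
    m = re.search(r"""[\[(]\s*\$this\s*,\s*['"](\w+)['"]""", expr) or re.search(r"""['"]([\w:]+)['"]""", expr)
    return m.group(1) if m else expr.strip()

def function_body(src, name):
    """Brace-delimited body of `function name(...)`, or '' if src does not define it."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    start, depth = m.end() - 1, 0
    for j in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[j], 0)
        if depth == 0:
            return src[start:j + 1]
    return src[start:]

def nonce_result_ignored(body):
    """check_ajax_referer( ..., false ) only returns false; flag it when nothing tests that."""
    for m in NONCE_RE.finditer(body):
        args = [a.strip().lower() for a in m.group(1).split(",")]
        prefix = body[body.rfind("\n", 0, m.start()) + 1:m.start()]
        if len(args) >= 3 and args[2] == "false" and not re.search(r"\bif\b|return|[=!]", prefix):
            return True
    return False

def audit_source(src):
    """One finding per wp_ajax_* registration and per REST route in a PHP source string."""
    findings = []
    for m in AJAX_RE.finditer(src):
        cb = callback_name(m.group(3))
        body = function_body(src, cb)  # '' when the callback lives in another file
        findings.append({"kind": "ajax", "nopriv": bool(m.group(1)), "action": m.group(2), "callback": cb,
                         "cap_check": "current_user_can(" in body,   # presence only, not placement
                         "nonce_soft": nonce_result_ignored(body)})
    for m in REST_RE.finditer(src):
        route, perm = ROUTE_RE.search(m.group(1)), PERM_RE.search(m.group(1))
        findings.append({"kind": "rest", "route": route.group(1) + route.group(2) if route else "?",
                         "permission_callback": perm.group(1).strip().strip("'\"") if perm else None})
    return findings

def flagged(findings):
    """The findings a pentester would chase first, one line each."""
    out = []
    for f in findings:
        if f["kind"] == "rest":
            if f["permission_callback"] in (None, "__return_true"):
                out.append("REST %s: permission_callback is %s" % (f["route"], f["permission_callback"] or "missing"))
            continue
        where = "wp_ajax_%s%s -> %s()" % ("nopriv_" if f["nopriv"] else "", f["action"], f["callback"])
        if not f["cap_check"]:
            out.append(where + ": no current_user_can() check")
        if f["nonce_soft"]:
            out.append(where + ": check_ajax_referer(..., false) result ignored")
    return out
```

To run it against a real install, read each `.php` file under `wp-content/plugins/woo-razorpay/` and pass its contents to `audit_source()`, then print `flagged()`. Two caveats a reviewer should keep in mind: `cap_check` only records that `current_user_can()` appears somewhere in the callback, so a hit still needs the manual confirmation that the capability test runs before the sensitive call (the fix diff above places it first, before `check_ajax_referer()`), and a callback defined in a different file than its registration comes back with an empty body and is reported as unguarded until you look at that file.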