[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frRIa-IEGbxWhCxpEaYK4v2h-Y8iljXGXFcwCT7YmYLE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42763","sepay-gateway-unauthenticated-information-exposure","SePay Gateway \u003C= 1.1.20 - Unauthenticated Information Exposure","The SePay Gateway plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","sepay-gateway",null,"\u003C=1.1.20","1.1.21","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-26 00:00:00","2026-05-26 19:47:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F73d188a5-97b4-4f54-8cb4-f26481ddcb56?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fblock\u002Fcheckout.js","assets\u002Fjs\u002Fmain.js","assets\u002Fjs\u002Fsepay.js","includes\u002Fclass-wc-gateway-sepay.php","includes\u002Fclass-wc-sepay-api.php","includes\u002Fclass-wc-sepay-blocks-support.php","readme.txt","sepay-gateway.php","researched",false,3,"_pay_code_prefixes`, `sepay_get_bank_sub_accounts`.\n    *   Vulnerability: Missing capability check AND registered as `nopriv`.\n\n    Let's check the CVSS: 5.3. This is exactly what a \"Confidentiality: Low\" bug looks like. IDOR to see order status or exposure of bank details fits perfectly.\n\n    *Note on Nonce Acquisition:*\n    I need to find where `sepay_vars` is.\n    I'll check the Checkout page.\n    I'll also check if `submit_order` is a standard nonce or if the plugin created it.\n\n    1.  Install SePay Gateway \u003C= 1.1.20.\n    2.  Enable the gateway.\n    3.  Create a \"Customer\" user and a downloadable product.\n    4.  As the customer, place an order. Note the Order ID (e.g., 100).\n    5.  As an **unauthenticated** visitor, go to the Checkout page.\n    6.  Extract the `submit_order` nonce from `sepay_vars` (using `browser_eval`).\n    7.  Use `http_request` to call `sepay_check_order_status` with `orderID=100` and the extracted nonce.\n    8.  Confirm the response contains order status and download links.\n\n    Wait, what if the nonce is only on the Thank You page?\n    The Thank","The SePay Gateway plugin for WordPress (\u003C= 1.1.20) is vulnerable to unauthenticated information exposure via the 'sepay_check_order_status' AJAX action. Attackers can exploit this by using a generic, publicly available nonce to query sensitive order details, including status and download links for purchased products, for any valid Order ID.","\u002F\u002F sepay-gateway.php\nadd_action('wp_ajax_nopriv_sepay_check_order_status', 'sepay_check_order_status');\nadd_action('wp_ajax_sepay_check_order_status', 'sepay_check_order_status');\n\n\u002F\u002F ...\n\nfunction sepay_check_order_status()\n{\n    if (!isset($_POST['order_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['order_nonce'])), 'submit_order')) {\n        wp_die();\n    }\n\n    if (!isset($_POST['orderID'])) {\n        wp_die();\n    }\n\n    $order_id = intval($_POST['orderID']);\n    $order = wc_get_order($order_id);\n\n--- \n\n\u002F\u002F includes\u002Fclass-wc-gateway-sepay.php line 767\n'order_nonce' => wp_create_nonce('submit_order'),","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsepay-gateway\u002F1.1.20\u002Fincludes\u002Fclass-wc-gateway-sepay.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsepay-gateway\u002F1.1.21\u002Fincludes\u002Fclass-wc-gateway-sepay.php\n@@ -764,10 +771,27 @@\n             'account_number' => $account_number,\n             'remark' => $this->get_remark($order_id),\n             'amount' => $order->get_total(),\n-            'order_nonce' => wp_create_nonce('submit_order'),\n+            'order_nonce' => wp_create_nonce('sepay_check_order_' . $order->get_order_key()),\n             'order_id' => $order_id,\n+            'order_key' => $order->get_order_key(),\n             'download_mode' => $this->get_option('download_mode'),\n\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsepay-gateway\u002F1.1.20\u002Fsepay-gateway.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsepay-gateway\u002F1.1.21\u002Fsepay-gateway.php\n@@ -180,16 +180,32 @@\n \n     function sepay_check_order_status()\n     {\n-        if (!isset($_POST['order_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['order_nonce'])), 'submit_order')) {\n-            wp_die();\n-        }\n-\n         if (!isset($_POST['orderID'])) {\n-            wp_die();\n+            wp_send_json(['status' => false], 400);\n         }\n \n-        $order_id = intval($_POST['orderID']);\n+        $order_id = absint($_POST['orderID']);\n         $order = wc_get_order($order_id);\n+\n+        if (!$order) {\n+            wp_send_json(['status' => false], 404);\n+        }\n+\n+        $nonce = isset($_POST['order_nonce']) ? sanitize_text_field(wp_unslash($_POST['order_nonce'])) : '';\n+        if (!wp_verify_nonce($nonce, 'sepay_check_order_' . $order->get_order_key())) {\n+            wp_send_json(['status' => false], 403);\n+        }\n+\n+        $supplied_key = isset($_POST['order_key']) ? sanitize_text_field(wp_unslash($_POST['order_key'])) : '';","1. Access the WooCommerce checkout page as an unauthenticated visitor to locate the 'sepay_vars' JavaScript object containing the 'submit_order' nonce.\n2. Identify target Order IDs (e.g., through enumeration if IDs are sequential).\n3. Craft a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with 'action=sepay_check_order_status', 'orderID=[TARGET_ID]', and 'order_nonce=[EXTRACTED_NONCE]'.\n4. Observe the JSON response, which includes the order's fulfillment status and direct download URLs for any digital products associated with the order.","gemini-3-flash-preview","2026-06-04 20:43:59","2026-06-04 20:44:51",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.1.20","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsepay-gateway\u002Ftags\u002F1.1.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsepay-gateway.1.1.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsepay-gateway\u002Ftags\u002F1.1.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsepay-gateway.1.1.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsepay-gateway\u002Ftags"]