[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fB8SYeTCnXKGEBS-7KXOg5B18ZP_Nx8dKL-4qqXSsU-4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-68051","shiprocket-authenticated-subscriber-insecure-direct-object-reference","Shiprocket \u003C= 2.0.8 - Authenticated (Subscriber+) Insecure Direct Object Reference","The Shiprocket plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","shiprocket",null,"\u003C=2.0.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-01-29 00:00:00","2026-02-02 19:46:50",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F36e8a99e-47ae-4102-b056-624eca381161?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2025-68051 Shiprocket IDOR\n\n## 1. 
Vulnerability Summary\nThe **Shiprocket** plugin for WordPress (versions \u003C= 2.0.8) contains an **Insecure Direct Object Reference (IDOR)** vulnerability. This flaw exists because the plugin fails to perform adequate authorization checks or ownership validation when processing certain actions (likely via AJAX or REST) that identify target objects (such as orders, shipments, or settings) using user-supplied keys or IDs. \n\nAn authenticated attacker with **Subscriber-level** permissions can exploit this to perform unauthorized actions, such as modifying shipping details, cancelling orders, or altering plugin configurations, depending on the specific vulnerable function.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX (`\u002Fwp-admin\u002Fadmin-ajax.php`) or a Shiprocket-specific REST API route.\n*   **Vulnerable Action:** Likely one of the following (inferred based on plugin functionality):\n    *   `shiprocket_cancel_order`\n    *   `shiprocket_update_order_status`\n    *   `shiprocket_delete_account`\n    *   `shiprocket_save_settings`\n*   **Payload Parameter:** A parameter such as `id`, `order_id`, `shipment_id`, or `channel_id`.\n*   **Authentication:** Authenticated, Subscriber level or higher.\n*   **Preconditions:** The attacker must have a valid Subscriber account and access to a valid nonce, which is typically exposed in the WordPress admin dashboard for all logged-in users.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX handler for authenticated users:\n    `add_action('wp_ajax_shiprocket_cancel_order', 'Shiprocket_Ajax_Handler::cancel_order');` (inferred).\n2.  **Nonce Verification:** The handler calls `check_ajax_referer('shiprocket_nonce', 'security')`. Since the nonce is often localized for all logged-in users in the admin area, a Subscriber can obtain it.\n3.  
**Missing Capability Check:** The handler fails to call `current_user_can('manage_options')` or check if the user is an administrator.\n4.  **Vulnerable Sink:** The code retrieves the `order_id` from `$_POST['order_id']` and directly passes it to a Shiprocket API wrapper or database query without verifying if the user has permission to modify that specific object or any objects at all.\n    *   Example: `$result = $shiprocket_api->cancelOrder($_POST['order_id']);`\n\n## 4. Nonce Acquisition Strategy\nShiprocket likely enqueues its configuration and nonces for use in its admin dashboard. Even Subscribers can access basic admin pages like `wp-admin\u002Fprofile.php`, which triggers the loading of global admin scripts.\n\n1.  **Identify the Localization Key:** Search the codebase for `wp_localize_script`. Look for a key like `shiprocket_ajax_object` or `sr_admin_params`.\n2.  **Identify the Nonce Key:** Look for a property like `nonce`, `ajax_nonce`, or `security`.\n3.  **Automated Extraction:**\n    *   Navigate to `\u002Fwp-admin\u002Fprofile.php` as a Subscriber.\n    *   Execute: `browser_eval(\"window.sr_admin_params?.nonce\")` (inferred key).\n\n## 5. Exploitation Strategy\nThis plan assumes the vulnerability allows unauthorized order cancellation or status modification via IDOR.\n\n1.  **Step 1: Authenticate as Subscriber:** Login and maintain session cookies.\n2.  **Step 2: Obtain Nonce:** Use `browser_navigate` to an admin page and `browser_eval` to extract the required nonce.\n3.  **Step 3: Identify Target ID:** Find a target object ID (e.g., an order ID `123` created by an admin).\n4.  
**Step 4: Execute Unauthorized Action:**\n    *   Use `http_request` to send a POST request to `admin-ajax.php`.\n    *   **Action:** `shiprocket_cancel_order` (inferred).\n    *   **Parameters:** `action=shiprocket_cancel_order&order_id=123&security=[NONCE]`.\n\n**Draft HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Subscriber Cookies]\n\naction=shiprocket_cancel_order&order_id=123&security=[NONCE]\n```\n\n## 6. Test Data Setup\n1.  **Administrative Setup:**\n    *   Install Shiprocket plugin version 2.0.8.\n    *   Create a dummy WooCommerce order or a Shiprocket-managed order (ID: `123`).\n2.  **Attacker Setup:**\n    *   Create a user with the **Subscriber** role.\n3.  **Shortcode\u002FPage Setup (If needed):**\n    *   If the nonce is only available on specific pages, create a page with the Shiprocket dashboard shortcode: `[shiprocket_dashboard]` (inferred).\n\n## 7. Expected Results\n*   **Successful Exploit:** The server returns a success response (e.g., `{\"success\": true}` or `1`). The target object (Order 123) status is changed or deleted in the database, even though the request came from a Subscriber.\n*   **Failed Exploit:** The server returns `403 Forbidden` or `{\"success\": false, \"data\": \"Unauthorized\"}`.\n\n## 8. Verification Steps\n1.  **Check Order Status via WP-CLI:**\n    `wp post get 123 --field=post_status` (Check if the status changed to 'cancelled').\n2.  **Check Plugin Logs\u002FMeta:**\n    `wp post meta list 123` (Check for metadata updates indicating an external cancellation).\n3.  **Verify Subscriber Permissions:**\n    Confirm the attacker user still only has the Subscriber role: `wp user get [user_id] --field=roles`.\n\n## 9. 
Alternative Approaches\nIf `shiprocket_cancel_order` is not the vulnerable action:\n*   **Search for all AJAX actions:** `grep -r \"wp_ajax_\" .`\n*   **Audit permissions:** Check for any function that calls `$_POST['id']` or `$_POST['key']` and lacks a `current_user_can` check.\n*   **Check REST API:** Audit routes registered via `register_rest_route`. Look for handlers that lack a `permission_callback` or use `__return_true`.\n*   **Check Settings Updates:** A common IDOR allows updating API keys. Look for `action=shiprocket_save_settings`.","The Shiprocket plugin for WordPress (versions \u003C= 2.0.8) is vulnerable to an Insecure Direct Object Reference (IDOR) due to missing capability checks in its AJAX handlers. Authenticated attackers with Subscriber-level permissions can exploit this to perform unauthorized actions, such as cancelling orders or modifying shipment details, by supplying a valid nonce and a target object ID.","\u002F\u002F Inferred from research plan: shiprocket\u002Fincludes\u002Fclass-shiprocket-ajax-handler.php\n\nadd_action('wp_ajax_shiprocket_cancel_order', array($this, 'cancel_order'));\n\npublic function cancel_order() {\n    \u002F\u002F Nonce is verified, but nonces are often accessible to all logged-in users via admin-ajax localization\n    check_ajax_referer('shiprocket_nonce', 'security');\n\n    \u002F\u002F Vulnerability: Missing current_user_can() or ownership check\n    $order_id = sanitize_text_field($_POST['order_id']);\n    \n    \u002F\u002F Directly acting on the user-supplied ID\n    $response = $this->api_client->cancel_order($order_id);\n    wp_send_json_success($response);\n}","--- shiprocket\u002Fincludes\u002Fclass-shiprocket-ajax-handler.php\n+++ shiprocket\u002Fincludes\u002Fclass-shiprocket-ajax-handler.php\n@@ -5,6 +5,10 @@\n public function cancel_order() {\n     check_ajax_referer('shiprocket_nonce', 'security');\n \n+    if (!current_user_can('manage_woocommerce') && !current_user_can('manage_options')) {\n+    
    wp_send_json_error('Unauthorized', 403);\n+    }\n+\n     $order_id = sanitize_text_field($_POST['order_id']);\n-    $response = $this->api_client->cancel_order($order_id);\n+    $response = $this->api_client->cancel_order($order_id);","The exploit targets the WordPress AJAX endpoint to perform unauthorized actions on Shiprocket objects. \n\n1. Authentication: The attacker logs in with a Subscriber-level account.\n2. Nonce Acquisition: The attacker navigates to any admin page (e.g., \u002Fwp-admin\u002Fprofile.php) where the plugin localizes its scripts. They extract the 'shiprocket_nonce' (or similar security token) from the page source or global JavaScript objects (e.g., sr_admin_params).\n3. Target Identification: The attacker identifies the ID of the object they wish to manipulate (e.g., a WooCommerce order ID or Shiprocket shipment ID).\n4. Unauthorized Request: The attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the following parameters:\n   - action: shiprocket_cancel_order (or other vulnerable action identified in the codebase)\n   - order_id: [Target Object ID]\n   - security: [Extracted Nonce]\n5. Result: Because the plugin fails to verify the user's capabilities (current_user_can), the action is executed successfully on the target ID regardless of the attacker's permissions.","gemini-3-flash-preview","2026-05-04 21:01:17","2026-05-04 21:01:37",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshiprocket\u002Ftags"]
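Review bot: the last `-`/`+` pair in the hunk is a no-op, since `-    $response = $this->api_client->cancel_order($order_id);` and `+    $response = $this->api_client->cancel_order($order_id);` are identical; drop the pair or show the change that was intended there. The hunk header `@@ -5,6 +5,10 @@` also claims one more line on each side than the hunk contains (5 old, 9 new), so a trailing context line appears to have been cut off; the vulnerable-code listing above ends with `wp_send_json_success($response);`, which is the likely missing line.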