WP-Safety
CVE-2026-39672

ShipTime: Discounted Shipping Rates <= 1.1.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The ShipTime: Discounted Shipping Rates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.1
PublishedFebruary 19, 2026
Last updatedApril 15, 2026
Affected pluginshiptime-discount-shipping
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-39672 (ShipTime Missing Authorization) ## 1. Vulnerability Summary The **ShipTime: Discounted Shipping Rates** plugin for WordPress (versions <= 1.1.1) is vulnerable to missing authorization. The plugin registers an AJAX handler that performs sensitive configu…

Show full research plan

Exploitation Research Plan: CVE-2026-39672 (ShipTime Missing Authorization)

1. Vulnerability Summary

The ShipTime: Discounted Shipping Rates plugin for WordPress (versions <= 1.1.1) is vulnerable to missing authorization. The plugin registers an AJAX handler that performs sensitive configuration changes but fails to implement a current_user_can() check or a robust nonce verification that distinguishes between administrative and unauthenticated sessions. This allows an unauthenticated attacker to modify plugin settings, such as API credentials or shipping configurations, by directly interacting with the admin-ajax.php endpoint.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: shiptime_save_settings (inferred based on plugin functionality and common "Missing Authorization" patterns in shipping plugins).
  • Method: HTTP POST
  • Parameters:
    • action: shiptime_save_settings
    • settings_data: A serialized or array-based payload containing plugin configuration (e.g., shiptime_api_key, shiptime_environment).
    • _wpnonce: (If required, likely leaked via the public-facing shipping calculator or checkout page).
  • Preconditions: The plugin must be active. No authentication is required for wp_ajax_nopriv_ actions.

3. Code Flow (Inferred)

  1. Registration: The plugin uses add_action( 'wp_ajax_nopriv_shiptime_save_settings', '...' ) or a similar hook in an initialization file (e.g., includes/class-shiptime.php or shiptime-discount-shipping.php).
  2. Entry Point: An HTTP POST request hits admin-ajax.php with the action parameter.
  3. Handler Execution: The associated function (e.g., save_settings()) is called.
  4. Vulnerability: The function lacks a current_user_can( 'manage_options' ) check. It may attempt a check_ajax_referer() check, but the nonce used is often the same one exposed to unauthenticated users for shipping rate calculations.
  5. Sink: The handler calls update_option( 'shiptime_settings', ... ) with user-supplied data from $_POST.

4. Nonce Acquisition Strategy

The plugin likely enqueues scripts for the shipping calculator on the WooCommerce Cart or Checkout pages. These scripts often contain a nonce for AJAX operations.

  1. Identify Script Localization: Search for wp_localize_script in the plugin source to find the object name and nonce key.
    • Inferred Object Name: shiptime_ajax or shiptime_vars.
    • Inferred Nonce Key: nonce or shiptime_nonce.
  2. Setup Page: Create a WooCommerce product and add it to the cart to ensure shipping calculator scripts load.
    wp eval "if(!get_page_by_path('shop')){ wc_create_page( 'shop' ); }"
wp post create --post_type=product --post_title="Test Product" --post_status=publish
  3. Extract Nonce:
    • Navigate to the Cart page: /cart/.
    • Use browser_eval to extract the nonce:
      // Example check for localized data
window.shiptime_ajax?.nonce || window.shiptime_vars?.nonce

5. Exploitation Strategy

We will attempt to overwrite the ShipTime API key to a controlled value, confirming the ability to modify settings.

  • Request URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Payload:
    action=shiptime_save_settings&shiptime_api_key=EVIL_API_KEY_1337&_wpnonce=[EXTRACTED_NONCE]
  • Alternative Payload (if settings are nested):
    action=shiptime_save_settings&settings[api_key]=EVIL_API_KEY_1337&_wpnonce=[EXTRACTED_NONCE]

6. Test Data Setup

  1. Install Plugin: Ensure shiptime-discount-shipping version 1.1.1 is installed.
  2. Configure Basics: Set an initial dummy API key via WP-CLI to have a baseline.
    wp option update shiptime_settings '{"api_key":"ORIGINAL_KEY"}' --format=json
  3. Create Content: Create a page with the WooCommerce shipping calculator if necessary (usually default on /cart/).

7. Expected Results

  • HTTP Response: A 200 OK response with a body like {"success":true} or 1.
  • Impact: The WordPress options table will be updated with the attacker's supplied value.

8. Verification Steps

  1. Check Option via WP-CLI:
    wp option get shiptime_settings
  2. Evaluate Output: Confirm the api_key or relevant setting now matches EVIL_API_KEY_1337.

9. Alternative Approaches

  • No-Nonce Attempt: Try the request without the _wpnonce parameter first, as "Missing Authorization" often coincides with missing CSRF protection.
  • Direct Option Update: If the plugin uses a generic update_plugin_option AJAX action, try targeting other options like users_can_register or default_role.
  • Admin-Only Action: If wp_ajax_nopriv_ is NOT registered, check if the handler is hooked to admin_init. If so, an unauthenticated user can still trigger it by visiting /wp-admin/admin-ajax.php directly, as admin_init fires even for unauthenticated requests to that endpoint.
Research Findings
Static analysis — not yet PoC-verified

Summary

The ShipTime: Discounted Shipping Rates plugin for WordPress (versions up to and including 1.1.1) is vulnerable to unauthorized settings modification. This occurs because the plugin's AJAX handler for saving configuration data fails to perform capability checks or utilize nonces restricted to administrative users, allowing unauthenticated attackers to overwrite sensitive plugin settings.

Exploit Outline

1. Identify the AJAX nonce: Navigate to the WooCommerce Cart or Checkout page where the ShipTime shipping calculator is active and locate the localized script object (e.g., 'shiptime_vars' or 'shiptime_ajax') containing the 'nonce' value. 2. Prepare a payload: Construct a POST request targeting the /wp-admin/admin-ajax.php endpoint with the 'action' set to 'shiptime_save_settings' (or the identified handler). 3. Inject settings: Include the extracted nonce and the desired malicious settings in the request parameters (e.g., 'shiptime_api_key' or 'settings_data' array). 4. Execute: Send the unauthenticated request to the server to overwrite the plugin's configuration, potentially redirecting shipping operations or stealing API keys. 5. Verify: Confirm the modification by checking the WordPress options table or the plugin's settings page in the dashboard.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/1de10a71-3b73-451e-ad24-2038b37a52f8?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database