[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fidp2tAG2F49YwMAkXkDUIwWiLIbj1mduhxDanE-41ro":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39672","shiptime-discounted-shipping-rates-missing-authorization","ShipTime: Discounted Shipping Rates \u003C= 1.1.1 - Missing Authorization","The ShipTime: Discounted Shipping Rates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","shiptime-discount-shipping",null,"\u003C=1.1.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-19 00:00:00","2026-04-15 21:27:18",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1de10a71-3b73-451e-ad24-2038b37a52f8?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39672 (ShipTime Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **ShipTime: Discounted Shipping Rates** plugin for WordPress (versions \u003C= 1.1.1) is vulnerable to missing authorization. The plugin registers an AJAX handler that performs sensitive configuration changes but fails to implement a `current_user_can()` check or a robust nonce verification that distinguishes between administrative and unauthenticated sessions. This allows an unauthenticated attacker to modify plugin settings, such as API credentials or shipping configurations, by directly interacting with the `admin-ajax.php` endpoint.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `shiptime_save_settings` (inferred based on plugin functionality and common \"Missing Authorization\" patterns in shipping plugins).\n*   **Method:** HTTP POST\n*   **Parameters:**\n    *   `action`: `shiptime_save_settings`\n    *   `settings_data`: A serialized or array-based payload containing plugin configuration (e.g., `shiptime_api_key`, `shiptime_environment`).\n    *   `_wpnonce`: (If required, likely leaked via the public-facing shipping calculator or checkout page).\n*   **Preconditions:** The plugin must be active. No authentication is required for `wp_ajax_nopriv_` actions.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin uses `add_action( 'wp_ajax_nopriv_shiptime_save_settings', '...' )` or a similar hook in an initialization file (e.g., `includes\u002Fclass-shiptime.php` or `shiptime-discount-shipping.php`).\n2.  **Entry Point:** An HTTP POST request hits `admin-ajax.php` with the `action` parameter.\n3.  **Handler Execution:** The associated function (e.g., `save_settings()`) is called.\n4.  **Vulnerability:** The function lacks a `current_user_can( 'manage_options' )` check. It may attempt a `check_ajax_referer()` check, but the nonce used is often the same one exposed to unauthenticated users for shipping rate calculations.\n5.  **Sink:** The handler calls `update_option( 'shiptime_settings', ... )` with user-supplied data from `$_POST`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely enqueues scripts for the shipping calculator on the WooCommerce Cart or Checkout pages. These scripts often contain a nonce for AJAX operations.\n\n1.  **Identify Script Localization:** Search for `wp_localize_script` in the plugin source to find the object name and nonce key.\n    *   *Inferred Object Name:* `shiptime_ajax` or `shiptime_vars`.\n    *   *Inferred Nonce Key:* `nonce` or `shiptime_nonce`.\n2.  **Setup Page:** Create a WooCommerce product and add it to the cart to ensure shipping calculator scripts load.\n    ```bash\n    wp eval \"if(!get_page_by_path('shop')){ wc_create_page( 'shop' ); }\"\n    wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish\n    ```\n3.  **Extract Nonce:**\n    *   Navigate to the Cart page: `\u002Fcart\u002F`.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Example check for localized data\n        window.shiptime_ajax?.nonce || window.shiptime_vars?.nonce\n        ```\n\n## 5. Exploitation Strategy\nWe will attempt to overwrite the ShipTime API key to a controlled value, confirming the ability to modify settings.\n\n*   **Request URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=shiptime_save_settings&shiptime_api_key=EVIL_API_KEY_1337&_wpnonce=[EXTRACTED_NONCE]\n    ```\n*   **Alternative Payload (if settings are nested):**\n    ```\n    action=shiptime_save_settings&settings[api_key]=EVIL_API_KEY_1337&_wpnonce=[EXTRACTED_NONCE]\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `shiptime-discount-shipping` version 1.1.1 is installed.\n2.  **Configure Basics:** Set an initial dummy API key via WP-CLI to have a baseline.\n    ```bash\n    wp option update shiptime_settings '{\"api_key\":\"ORIGINAL_KEY\"}' --format=json\n    ```\n3.  **Create Content:** Create a page with the WooCommerce shipping calculator if necessary (usually default on `\u002Fcart\u002F`).\n\n## 7. Expected Results\n*   **HTTP Response:** A `200 OK` response with a body like `{\"success\":true}` or `1`.\n*   **Impact:** The WordPress `options` table will be updated with the attacker's supplied value.\n\n## 8. Verification Steps\n1.  **Check Option via WP-CLI:**\n    ```bash\n    wp option get shiptime_settings\n    ```\n2.  **Evaluate Output:** Confirm the `api_key` or relevant setting now matches `EVIL_API_KEY_1337`.\n\n## 9. Alternative Approaches\n*   **No-Nonce Attempt:** Try the request without the `_wpnonce` parameter first, as \"Missing Authorization\" often coincides with missing CSRF protection.\n*   **Direct Option Update:** If the plugin uses a generic `update_plugin_option` AJAX action, try targeting other options like `users_can_register` or `default_role`.\n*   **Admin-Only Action:** If `wp_ajax_nopriv_` is NOT registered, check if the handler is hooked to `admin_init`. If so, an unauthenticated user can still trigger it by visiting `\u002Fwp-admin\u002Fadmin-ajax.php` directly, as `admin_init` fires even for unauthenticated requests to that endpoint.","The ShipTime: Discounted Shipping Rates plugin for WordPress (versions up to and including 1.1.1) is vulnerable to unauthorized settings modification. This occurs because the plugin's AJAX handler for saving configuration data fails to perform capability checks or utilize nonces restricted to administrative users, allowing unauthenticated attackers to overwrite sensitive plugin settings.","1. Identify the AJAX nonce: Navigate to the WooCommerce Cart or Checkout page where the ShipTime shipping calculator is active and locate the localized script object (e.g., 'shiptime_vars' or 'shiptime_ajax') containing the 'nonce' value.\n2. Prepare a payload: Construct a POST request targeting the \u002Fwp-admin\u002Fadmin-ajax.php endpoint with the 'action' set to 'shiptime_save_settings' (or the identified handler).\n3. Inject settings: Include the extracted nonce and the desired malicious settings in the request parameters (e.g., 'shiptime_api_key' or 'settings_data' array).\n4. Execute: Send the unauthenticated request to the server to overwrite the plugin's configuration, potentially redirecting shipping operations or stealing API keys.\n5. Verify: Confirm the modification by checking the WordPress options table or the plugin's settings page in the dashboard.","gemini-3-flash-preview","2026-04-19 02:24:48","2026-04-19 02:25:06",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshiptime-discount-shipping\u002Ftags"]