[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9kbH1DK3LQPIuWe0QTrqr4aRRA7zkX6VERPDYxwvq4Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39701","shopwp-missing-authorization","ShopWP \u003C= 5.2.4 - Missing Authorization","The ShopWP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wpshopify",null,"\u003C=5.2.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-01 00:00:00","2026-04-15 21:32:26",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F06d58e94-225e-43ca-823b-60d921a2dd8d?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39701 (ShopWP Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **ShopWP** (slug: `wpshopify`) plugin for WordPress (versions \u003C= 5.2.4) contains a missing authorization vulnerability. 
This issue arises because at least one AJAX or REST API handler fails to perform a capability check (e.g., `current_user_can('manage_options')`) before executing a sensitive action. This allows unauthenticated attackers to trigger functionality that should be restricted to administrators, such as syncing product data from Shopify, clearing plugin caches, or modifying plugin settings. The advisory does not name the affected function, so the action names, REST routes, file paths and sink functions below are inferred and must be confirmed against the plugin source.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (for AJAX) or `\u002Fwp-json\u002Fwpshopify\u002Fv1\u002F...` (for REST).\n*   **Vulnerable Action:** `wps_sync_products` or `wps_clear_cache` (inferred; agent must verify via grep).\n*   **HTTP Parameter:** `action=wps_sync_products` (AJAX) or a POST request to a REST route.\n*   **Authentication:** Unauthenticated (leveraging `wp_ajax_nopriv_` hooks or poorly secured REST routes).\n*   **Preconditions:** The plugin must be active. Some actions may require a valid nonce if `check_ajax_referer` is used without a capability check.\n\n## 3. Code Flow\n1.  **Entry Point:** The plugin registers a handler via `add_action('wp_ajax_nopriv_[ACTION_NAME]', ...)` or `register_rest_route`.\n2.  **Hook Registration:** Look in `includes\u002Fclass-ajax.php` or `includes\u002Fclass-rest-api.php` for the registration (inferred paths).\n3.  **Missing Check:** The handler function is called. It may call `check_ajax_referer()` (verifying the nonce) but fails to call `current_user_can()`.\n4.  **Sink:** The function proceeds to execute a sensitive operation, such as:\n    *   `ShopWP\\Sync\\Product_Sync::start()`\n    *   `delete_transient()` or `wp_cache_flush()`\n    *   `update_option('wpshopify_settings', ...)`\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable endpoint requires a nonce, follow these steps to retrieve it unauthenticated. A nonce is a CSRF token, not an authorization check: for a logged-out visitor WordPress mints it for user ID 0 with an empty session token, so the same value is valid for every unauthenticated client during its lifetime, and a handler that only calls `check_ajax_referer()` remains reachable by anyone who can load a page that emits it.\n\n1.  **Identify Shortcode:** ShopWP typically enqueues its scripts when the `[wps_products]` shortcode is present.\n2.  
**Create Trigger Page:** Use WP-CLI to create a public page containing the shortcode:\n    ```bash\n    wp post create --post_type=page --post_title=\"Shop\" --post_status=publish --post_content='[wps_products]'\n    ```\n3.  **Navigate and Extract:**\n    *   Navigate to the newly created page using `browser_navigate`.\n    *   Use `browser_eval` to extract the nonce from the global JavaScript object localized by ShopWP (`wp_localize_script()` emits it as an inline `var name = {...};` script).\n    *   **Target Variable:** Look for `window.wpshopify_vars` or `window.shopwp` (assumed names; confirm against the object name passed to `wp_localize_script()`).\n    *   **Example Command:** `browser_eval(\"window.wpshopify_vars?.nonce\")` or `browser_eval(\"window.shopwp?.settings?.nonce\")`.\n4.  **Verify Action String and Parameter Name:** In the source code, read the call `check_ajax_referer( 'action_string', 'nonce_key' )`. The first argument is the nonce action the server verifies against, so the extracted nonce must be one created with `wp_create_nonce( 'action_string' )`; the second argument is the name of the request parameter the handler reads the nonce from, so the exploit must send it under that key. If the second argument is omitted, WordPress falls back to `_ajax_nonce` and then `_wpnonce`.\n\n## 5. Exploitation Strategy\nOnce the action and (if necessary) the nonce are identified:\n\n1.  **Identify Target Action:** Grep for `wp_ajax_nopriv_` in the plugin directory to find the specific vulnerable action. Let's assume it is `wps_sync_data`.\n2.  **Construct Payload:**\n    *   **Method:** POST\n    *   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=wps_sync_data&nonce=[EXTRACTED_NONCE]&other_params=...` (here `nonce` stands for whatever parameter name `check_ajax_referer()` reads; see section 4, step 4).\n3.  **Execute Request:** Use the `http_request` tool to send the payload.\n4.  **Verify Action:** Observe the response. A handler that finishes via `wp_send_json_success()` returns `{\"success\":true,\"data\":...}`; a sync or cache clear usually reports success this way.\n\n## 6. Test Data Setup\n1.  Install and activate ShopWP \u003C= 5.2.4.\n2.  (Optional) Configure a dummy Shopify API key if the vulnerable function requires a connection to proceed.\n3.  Create the nonce-triggering page:\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_content='[wps_products]'\n    ```\n\n## 7. 
Expected Results\n*   **Response Code:** 200 OK.\n*   **Response Body:** JSON containing `{\"success\":true}` or evidence of the action (e.g., \"Sync started\").\n*   **Side Effects:** The site's product data is modified, transients are deleted, or settings are changed.\n*   **Negative Results:** A bare `0` with HTTP 400 means no `wp_ajax_nopriv_` hook is registered for that action (the endpoint is not reachable unauthenticated); a bare `-1` with HTTP 403 means `check_ajax_referer()` rejected the nonce or the parameter name is wrong. Neither result shows that the handler performs a capability check.\n\n## 8. Verification Steps\nAfter sending the exploit request, verify the impact using WP-CLI:\n\n*   **If Sync Triggered:** Check for newly created or updated posts in the `wps_products` custom post type:\n    ```bash\n    wp post list --post_type=wps_products\n    ```\n*   **If Cache Cleared:** Check if specific transients associated with ShopWP have been removed:\n    ```bash\n    wp transient get [TRANSIENT_NAME]\n    ```\n*   **If Settings Modified:** Check the option value:\n    ```bash\n    wp option get wpshopify_settings\n    ```\n\n## 9. Alternative Approaches\n*   **REST API:** If the AJAX endpoint is secure, check the REST API routes. Grep for `register_rest_route` and look for `permission_callback` values like `__return_true` or functions that only return `true` without checking `current_user_can`. A route registered with no `permission_callback` at all is also open: WordPress only raises a `_doing_it_wrong` notice and still serves the route.\n*   **Different Nonce Actions:** If the nonce for the specific action isn't found, check if the plugin uses a generic nonce (action `-1`) elsewhere that can be repurposed.\n*   **Subscriber Access:** If unauthenticated access is blocked, test if a user with `Subscriber` role can access the `wp_ajax_` (authenticated) version of the hook, as \"Missing Authorization\" often allows any logged-in user to execute admin actions.","The ShopWP plugin for WordPress (versions \u003C= 5.2.4) fails to perform a capability check on at least one of its AJAX or REST API handlers; the advisory does not name the affected function. 
This allows unauthenticated attackers to trigger sensitive administrative functionality, such as syncing product data from Shopify or clearing internal caches, by exploiting endpoints that lack capability checks; the specific functions named here are inferred from the plugin's feature set, not confirmed from its source.","To exploit this vulnerability, an attacker first identifies a public page on the target site that loads the ShopWP frontend scripts (typically a page containing a plugin shortcode like [wps_products]). From the page source, the attacker extracts a valid nonce from the global JavaScript variables (e.g., window.wpshopify_vars.nonce; the variable name is an assumption). With this nonce, if the handler checks one at all, the attacker sends a POST request to the \u002Fwp-admin\u002Fadmin-ajax.php endpoint with an 'action' parameter corresponding to a vulnerable hook registered via wp_ajax_nopriv_ (the plan above assumes wps_sync_products; the real action name must be taken from the plugin's wp_ajax_nopriv_ registrations). Since the handler for this action lacks a current_user_can() check, the server executes the sensitive function regardless of the attacker's authentication status, and a nonce check alone does not prevent this because the nonce is issued to every logged-out visitor.","gemini-3-flash-preview","2026-04-18 22:16:27","2026-04-18 22:16:50",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpshopify\u002Ftags"]