[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxVXWyiD-pNLs9iwzX_hI6rf7nL4NYdouCND906duYts":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2025-15635","smart-online-order-for-clover-cross-site-request-forgery-2","Smart Online Order for Clover \u003C= 1.6.0 - Cross-Site Request Forgery","The Smart Online Order for Clover plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","clover-online-orders",null,"\u003C=1.6.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-15 00:00:00","2026-04-21 14:47:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9ca8e4ca-0ddf-492a-99c0-158ebdd7f86f?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-15635 (Smart Online Order for Clover CSRF)\n\n## 1. Vulnerability Summary\nThe **Smart Online Order for Clover** plugin (up to version 1.6.0) contains a Cross-Site Request Forgery (CSRF) vulnerability. The flaw exists due to missing or inadequate nonce validation (e.g., missing `check_admin_referer` or `check_ajax_referer`) on sensitive state-changing functions. This allows an unauthenticated attacker to perform administrative actions (like changing plugin settings, Merchant IDs, or API credentials) by tricking a logged-in administrator into visiting a malicious link or submitting a forged form.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** Likely `wp-admin\u002Fadmin-post.php` or `wp-admin\u002Fadmin-ajax.php`.\n*   **Vulnerable Hook:** (Inferred) `admin_post_{action}` or `wp_ajax_{action}` related to settings preservation.\n*   **Payload Parameter:** `action` (to trigger the function) plus configuration parameters like `clover_merchant_id`, `clover_api_token`, or general plugin settings.\n*   **Authentication Level:** Unauthenticated (Attacker) triggers the action; victim must be an Authenticated Administrator.\n*   **Preconditions:** The administrator must have an active session and be tricked into interacting with the attacker's page.\n\n## 3. Code Flow (Inferred Trace)\n1.  **Entry Point:** The administrator's browser sends a POST request to `admin-post.php` or `admin-ajax.php`.\n2.  **Hook Registration:** The plugin registers a handler via:\n    `add_action('admin_post_save_moo_settings', 'save_moo_settings_handler');` (Inferred function name).\n3.  **Vulnerable Logic:** Inside the handler (e.g., `save_moo_settings_handler`):\n    -   The code checks `current_user_can('manage_options')`.\n    -   **CRITICAL FAILURE:** The code fails to call `check_admin_referer('action_string', 'nonce_name')`.\n4.  **Sink:** User-supplied input from `$_POST` is passed directly to `update_option()` or `$wpdb->update()`, modifying the plugin's configuration.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability description explicitly states \"missing or incorrect nonce validation.\" \n*   **Scenario A (Missing):** No nonce is checked. No acquisition is needed. The request will succeed with only the `action` and data parameters.\n*   **Scenario B (Incorrect\u002FGeneric):** If the plugin uses a generic nonce (like `-1` or a leaked nonce), it must be extracted.\n\n**Extraction Steps (if Scenario B):**\n1.  **Identify Script\u002FShortcode:** Find where the plugin enqueues its settings page or frontend order page. Look for `wp_localize_script`.\n2.  **JS Variable:** Look for variables like `window.moo_orders_vars` or `window.clover_settings_params`. (Inferred).\n3.  **Command:** \n    ```javascript\n    \u002F\u002F Example browser_eval to find nonces\n    browser_eval(\"window.moo_vars?.nonce || document.querySelector('#_wpnonce')?.value\")\n    ```\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an administrative setting can be changed via an unauthenticated request (simulating a forged request from an admin's browser).\n\n### Step 1: Discover the Sink\nSearch the plugin code for settings-saving logic:\n```bash\ngrep -r \"update_option\" . | grep -v \"test\"\ngrep -r \"admin_post\" .\ngrep -r \"wp_ajax\" .\n```\nFocus on functions that do **not** contain `nonce`.\n\n### Step 2: Formulate the Forged Request\nAssuming a found action `moo_save_settings` and a setting `clover_api_token`:\n\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-post.php` (or `admin-ajax.php`)\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=moo_save_settings&clover_api_token=EVIL_TOKEN_123&submit=Save`\n\n### Step 3: Execution\nUse the `http_request` tool while providing the **Admin's cookies** to simulate the CSRF attack.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `clover-online-orders` version 1.6.0 is active.\n2.  **Admin User:** Ensure a user with the `administrator` role exists.\n3.  **Initial State:** Set a \"legitimate\" API token or Merchant ID via the plugin UI or WP-CLI:\n    `wp option update moo_clover_api_token \"LEGIT_TOKEN\"` (Inferred option name).\n\n## 7. Expected Results\n*   **HTTP Response:** A `302 Found` (redirect) to the settings page with a `settings-updated=true` parameter, or a `200 OK` for AJAX.\n*   **State Change:** The WordPress database will now reflect the attacker-supplied value for the targeted option.\n\n## 8. Verification Steps\nAfter sending the POST request via `http_request`:\n1.  **Check Database:** Use WP-CLI to verify the change:\n    `wp option get moo_clover_api_token` (Inferred).\n2.  **Confirm Lack of Nonce:** Attempt the same request again but explicitly change the `_wpnonce` parameter to a random string (e.g., `nonce=12345`). If it still succeeds, the nonce check is truly missing or bypassed.\n\n## 9. Alternative Approaches\n*   **Targeting Hooks:** If `admin-post.php` is protected, check for `wp_ajax_nopriv_` hooks that might accidentally perform sensitive updates (this would upgrade the vulnerability from CSRF to Unauthenticated IDOR).\n*   **Open Redirect:** Check if the `_wp_http_referer` or a custom `redirect_to` parameter in the form can be manipulated to redirect the admin to a phishing page after the settings are changed.\n*   **XSS Injection:** Attempt to set an option value to `\u003Cscript>alert(1)\u003C\u002Fscript>`. If the settings page does not escape the output, the CSRF leads to Stored XSS.","The Smart Online Order for Clover plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.0. This is due to missing or incorrect nonce validation on administrative functions, allowing attackers to modify plugin settings or API credentials via a forged request.","1. Identify a sensitive administrative action (e.g., saving API credentials or Merchant IDs) handled via wp-admin\u002Fadmin-post.php or wp-admin\u002Fadmin-ajax.php. 2. Create a malicious HTML page containing a form that targets this endpoint with the relevant 'action' and configuration parameters (e.g., clover_api_token=attacker_token). 3. Socially engineer a logged-in administrator into visiting the malicious page. 4. The administrator's browser will automatically send the POST request along with their session cookies. 5. Because the plugin does not verify a cryptographic nonce, the server accepts the request and updates the plugin configuration to the attacker's values.","gemini-3-flash-preview","2026-04-27 14:44:29","2026-04-27 14:44:47",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags"]