[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3qS6vVaYkk43jccjsRmO94jGNM-HDvZcrb6QcF1KFq8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42745","smart-online-order-for-clover-missing-authorization-3","Smart Online Order for Clover \u003C= 1.6.0 - Missing Authorization","The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","clover-online-orders",null,"\u003C=1.6.0","1.6.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-28 00:00:00","2026-06-02 11:23:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F94fd4626-6ff9-449b-8894-f974c8c5ace0?source=api-prod",5,[22,23,24,25,26,27,28,29],"admin\u002Fcss\u002Fmoo-OnlineOrders-admin.css","admin\u002Fcss\u002Fmoo-dashboard.css","admin\u002Fincludes\u002Fclass-moo-coupons-list.php","admin\u002Fincludes\u002Fclass-moo-orders-list.php","admin\u002Fincludes\u002Fclass-moo-products-list.php","admin\u002Fjs\u002Fmoo-OnlineOrders-admin.js","admin\u002Fmoo-OnlineOrders-admin.php","includes\u002Fmoo-OnlineOrders-Restapi.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-42745 (Smart Online Order for Clover)\n\n## 1. Vulnerability Summary\nThe **Smart Online Order for Clover** plugin for WordPress (versions \u003C= 1.6.0) is vulnerable to **Missing Authorization**. Several REST API endpoints and administrative functions lack proper capability checks (`current_user_can`). Specifically, the plugin's REST API, defined in `includes\u002Fmoo-OnlineOrders-Restapi.php`, registers multiple routes with `permission_callback` set to `__return_true`, making them accessible to unauthenticated attackers. This allows unauthorized modification of product visibility, stock status, and potentially plugin settings.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fsync\u002Fupdate_item` (inferred from `SyncRoutes` registration) or `admin-ajax.php`.\n- **Primary Target**: Product status modification (Hiding items, marking as Out of Stock).\n- **Authentication**: None (Unauthenticated).\n- **Preconditions**: The plugin must be active and connected to a Clover merchant account (to have items in the database).\n- **Payload**: JSON or POST parameters containing item UUIDs and the desired status.\n\n## 3. Code Flow\n1. **Entry Point**: A request is made to the REST API namespace `moo-clover\u002Fv1`.\n2. **Registration**: In `includes\u002Fmoo-OnlineOrders-Restapi.php`, routes are","The Smart Online Order for Clover plugin for WordPress (up to 1.6.0) is vulnerable to unauthorized access because it fails to implement capability checks on several REST API endpoints. This allows unauthenticated attackers to perform unauthorized actions, such as modifying product visibility, synchronization settings, and stock status, by accessing endpoints where the permission callback is incorrectly set to always return true.","\u002F\u002F includes\u002Fmoo-OnlineOrders-Restapi.php\n\n    public function register_routes() {\n\n        \u002F\u002Fregister v2 routes\n\n        $this->syncRoutes->register_routes();\n        $this->dashRoutes->register_routes();\n        $this->customersRoutes->register_routes();\n        $this->checkoutRoutes->register_routes();\n\n        \u002F\u002Fget categories route\n        register_rest_route( $this->namespace, '\u002Fcategories', array(\n            array(\n                'methods'   => 'GET',\n                'callback'  => array( $this, 'getCategories' ),\n                'permission_callback' => '__return_true'\n            )\n        ) );\n\n        \u002F\u002Fget items per category route\n        register_rest_route( $this->namespace, '\u002Fcategories\u002F(?P\u003Ccat_id>[a-zA-Z0-9-]+)\u002Fitems', array(\n            array(\n                'methods'   => 'GET',\n                'callback'  => array( $this, 'getItemsPerCategory' ),\n                'permission_callback' => '__return_true'\n            )\n        ) );","--- includes\u002Fmoo-OnlineOrders-Restapi.php\n+++ includes\u002Fmoo-OnlineOrders-Restapi.php\n@@ -194,7 +194,7 @@\n             array(\n                 'methods'   => 'GET',\n                 'callback'  => array( $this, 'getCategories' ),\n-                'permission_callback' => '__return_true'\n+                'permission_callback' => function() { return current_user_can( 'manage_options' ); }\n             )\n         ) );\n \n@@ -203,7 +203,7 @@\n             array(\n                 'methods'   => 'GET',\n                 'callback'  => array( $this, 'getItemsPerCategory' ),\n-                'permission_callback' => '__return_true'\n+                'permission_callback' => function() { return current_user_can( 'manage_options' ); }\n             )\n         ) );","An unauthenticated attacker can target sensitive REST API endpoints under the '\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002F' namespace. By identifying endpoints registered within classes like SyncRoutes or DashboardRoutes (e.g., '\u002Fsync\u002Fupdate_item'), an attacker can send a POST request containing specific item UUIDs and desired status values. Because these endpoints use '__return_true' for their permission_callback, the plugin processes the request without verifying the sender's identity or permissions, allowing for unauthorized modifications to product visibility and store settings.","gemini-3-flash-preview","2026-06-04 16:21:42","2026-06-04 16:23:24",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags\u002F1.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclover-online-orders.1.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags\u002F1.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclover-online-orders.1.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags"]