[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-n4P2gafqmJDGJCtf4iWP-OBSc4O5qQoj6jwVy9WXyA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42738","smart-online-order-for-clover-unauthenticated-stored-cross-site-scripting","Smart Online Order for Clover \u003C= 1.6.0 - Unauthenticated Stored Cross-Site Scripting","The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","clover-online-orders",null,"\u003C=1.6.0","1.6.1","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-27 00:00:00","2026-06-01 16:08:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1d46033d-27aa-4d92-aa41-3547a3d17aff?source=api-prod",6,[22,23,24,25,26,27,28,29],"admin\u002Fcss\u002Fmoo-OnlineOrders-admin.css","admin\u002Fcss\u002Fmoo-dashboard.css","admin\u002Fincludes\u002Fclass-moo-coupons-list.php","admin\u002Fincludes\u002Fclass-moo-orders-list.php","admin\u002Fincludes\u002Fclass-moo-products-list.php","admin\u002Fjs\u002Fmoo-OnlineOrders-admin.js","admin\u002Fmoo-OnlineOrders-admin.php","includes\u002Fmoo-OnlineOrders-Restapi.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-42738\n\n## 1. Vulnerability Summary\nThe **Smart Online Order for Clover** plugin (versions \u003C= 1.6.0) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin registers unauthenticated REST API endpoints that accept user-supplied data (such as customer names during checkout or item data during synchronization) and subsequently displays this data in the WordPress admin dashboard without proper sanitization or output escaping.\n\nThe primary sinks are found in the `WP_List_Table` implementations used to display orders and products, where data is output using `stripslashes()` instead of escaping functions like `esc_html()`.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint**: WordPress REST API.\n*   **Namespace**: `moo-clover\u002Fv1` (defined in `includes\u002Fmoo-OnlineOrders-Restapi.php`).\n*   **Vulnerable Routes (Inferred)**: \n    *   `POST \u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fcheckout\u002Fplace_order` (handled by `CheckoutRoutes`).\n    *   `POST \u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fsync\u002Fitems` (handled by `SyncRoutes`).\n*   **Vulnerable Parameter**: `customer_name`, `first_name`, `last_name`, or `soo_name`.\n*   **Authentication**: None. The `Moo_OnlineOrders_Restapi::register_routes` function uses `'permission_callback' => '__return_true'` for these routes.\n\n## 3. Code Flow\n1.  **Input**: An unauthenticated attacker sends a POST request to `\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fcheckout\u002Fplace_order`.\n2.  **Processing**: The `CheckoutRoutes` class (instantiated in `Moo_OnlineOrders_Restapi::__construct`) processes the request and stores the order details (including the malicious `customer_name`) via the `Moo_OnlineOrders_Model` or by sending it to the Smart Online Order API.\n3.  **Storage**: The payload is stored in the database (either locally in `wp_moo_orders` or cached via the SooApi).\n4.  **Admin Access**: An administrator navigates to the \"Orders\" page in the dashboard: `wp-admin\u002Fadmin.php?page=moo_orders`.\n5.  **Data Retrieval**: `Orders_List_Moo::prepare_items()` calls `self::get_items()`, which fetches the malicious data via `$api->getOrdersByPage()` (see `admin\u002Fincludes\u002Fclass-moo-orders-list.php`).\n6.  **Output Sink**: The `Orders_List_Moo::column_default()` method processes the `customer_name` column:\n    ```php\n    case 'customer_name':\n        if (isset($item[$column_name]))\n            return stripslashes((string)$item[$column_name]); \u002F\u002F XSS SINK\n    ```\n7.  **Execution**: The unescaped script executes in the administrator's browser.\n\n## 4. Nonce Acquisition Strategy\nThe REST API endpoints for this plugin explicitly bypass authentication and nonce checks by returning `true` in the `permission_callback`. \n\n*   **File**: `includes\u002Fmoo-OnlineOrders-Restapi.php`\n*   **Logic**:\n    ```php\n    register_rest_route( $this->namespace, '\u002Fcart', array(\n        array(\n            'methods'   => 'POST',\n            'callback'  => array( $this, 'addItemToCart' ),\n            'permission_callback' => '__return_true' \u002F\u002F No nonce required\n        )\n    ) );\n    ```\nAs such, no nonce is required for the initial injection.\n\n## 5. Exploitation Strategy\nThe goal is to inject a script into the \"Customer Name\" field via the checkout REST API.\n\n### Step 1: Discover the exact route\nSince the full content of `CheckoutRoutes.php` is not provided, we first verify the registered routes.\n1. Use `http_request` to GET `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fmoo-clover\u002Fv1`.\n2. Locate the route related to \"checkout\" or \"place order\".\n\n### Step 2: Inject the Payload\nSend a POST request to the identified checkout endpoint.\n\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fcheckout\u002Fplace_order` (inferred)\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: application\u002Fjson`\n*   **Body**:\n    ```json\n    {\n        \"first_name\": \"John\",\n        \"last_name\": \"Doe\u003Cscript>alert(document.domain)\u003C\u002Fscript>\",\n        \"email\": \"attacker@example.com\",\n        \"phone\": \"1234567890\",\n        \"order_type\": \"pickup\",\n        \"items\": []\n    }\n    ```\n\n### Step 3: Trigger the XSS\n1. Log into the WordPress admin panel as an administrator.\n2. Navigate to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=moo_orders`.\n3. The alert box should trigger when the \"Orders\" table renders.\n\n## 6. Test Data Setup\n1.  **Plugin Configuration**: The plugin must be active. Some features may require an \"API Key\" to be set in `Clover Orders > Settings`. If the REST API checks for a connected store, use `wp option update moo_settings '{\"api_key\":\"mock_key\",\"merchant_id\":\"mock_id\"}' --format=json`.\n2.  **Page Setup**: No shortcodes are strictly necessary for the REST API attack, but visiting the homepage ensures the REST API namespace is initialized.\n\n## 7. Expected Results\n*   The REST API should return a `200 OK` or `201 Created` response.\n*   Upon visiting the admin Orders page, the HTML source for the order row should contain:\n    `\u003Ctd>John Doe\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Ftd>`\n*   A browser alert showing the domain name should appear.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the storage using WP-CLI:\n```bash\n# If stored in local orders table\nwp db query \"SELECT customer_name FROM wp_moo_orders ORDER BY id DESC LIMIT 1;\"\n\n# If synced to items table (for SyncRoutes variant)\nwp db query \"SELECT soo_name FROM wp_moo_item WHERE soo_name LIKE '%\u003Cscript>%';\"\n```\n\n## 9. Alternative Approaches\nIf `place_order` is not the correct endpoint, target the synchronization mechanism:\n*   **Endpoint**: `POST \u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fsync\u002Fitems`\n*   **Payload**: Set the `name` or `soo_name` of an item to the XSS payload.\n*   **Trigger**: View the items list at `wp-admin\u002Fadmin.php?page=moo_items`.\n*   **Code Sink**: `Products_List_Moo::column_soo_name()` which uses `stripslashes((string)$itemName)` (see `admin\u002Fincludes\u002Fclass-moo-products-list.php`).","The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting due to insufficient output escaping in the administrative dashboard and lack of authentication on REST API endpoints. An attacker can inject malicious scripts via checkout or synchronization API calls, which then execute in the browser of an administrator viewing order or product lists.","\u002F\u002F admin\u002Fincludes\u002Fclass-moo-orders-list.php:121\npublic function column_default( $item, $column_name ) {\n    switch ( $column_name ) {\n        case 'order_number':\n        case 'customer_name':\n        case 'order_type_label':\n        case 'status':\n        case 'amount':\n        case 'created_at_hf':\n        case 'source':\n            if (isset($item[$column_name]))\n                return stripslashes((string)$item[$column_name]);\n            return '';\n\n---\n\n\u002F\u002F admin\u002Fincludes\u002Fclass-moo-products-list.php:231\nfunction column_soo_name( $item ) {\n    \u002F\u002F ...\n    if(!empty($item[ \"soo_name\" ])){\n        $itemName = $item['soo_name'];\n    } else {\n        if(!empty($item[ \"alternate_name\" ])){\n            $itemName = $item['name'] . \" (alternate name : \".$item[ \"alternate_name\" ].\")\";\n        } else {\n            $itemName = $item['name'];\n        }\n    }\n\n    $title = '\u003Cdiv class=\"mooItemNameSection\" id=\"item-name-section-for-'.$item['uuid'].'\">';\n    $title .= '\u003Cdiv class=\"moo-item-name\">\u003Cstrong>' . stripslashes((string)$itemName) . '\u003C\u002Fstrong>\u003C\u002Fdiv>\u003Cimg onclick=\"moo_editItemName(event,\\''.$item['uuid'].'\\')\" style=\"margin-left: 10px;cursor: pointer\" src=\"'.$this->editIcon.'\" alt=\"placeholder\" sizes=\"(max-width: 150px) 100vw, 150px\" id=\"moo-edit-item-name-\".esc_attr($item['uuid']).\"'>\";\n\n---\n\n\u002F\u002F includes\u002Fmoo-OnlineOrders-Restapi.php:185\nregister_rest_route( $this->namespace, '\u002Fcart', array(\n    array(\n        'methods'   => 'POST',\n        'callback'  => array( $this, 'addItemToCart' ),\n        'permission_callback' => '__return_true'\n    )\n) );","--- a\u002Fadmin\u002Fincludes\u002Fclass-moo-orders-list.php\n+++ b\u002Fadmin\u002Fincludes\u002Fclass-moo-orders-list.php\n@@ -131,7 +131,7 @@\n             case 'created_at_hf':\n             case 'source':\n                 if (isset($item[$column_name]))\n-                    return stripslashes((string)$item[$column_name]);\n+                    return esc_html(stripslashes((string)$item[$column_name]));\n                 return '';\n             default:\n                 return print_r( $item, true );\n--- a\u002Fadmin\u002Fincludes\u002Fclass-moo-products-list.php\n+++ b\u002Fadmin\u002Fincludes\u002Fclass-moo-products-list.php\n@@ -253,7 +253,7 @@\n         }\n \n         $title = '\u003Cdiv class=\"mooItemNameSection\" id=\"item-name-section-for-'.$item['uuid'].'\">';\n-        $title .= '\u003Cdiv class=\"moo-item-name\">\u003Cstrong>' . stripslashes((string)$itemName) . '\u003C\u002Fstrong>\u003C\u002Fdiv>\u003Cimg onclick=\"moo_editItemName(event,\\''.$item['uuid'].'\\')\" style=\"margin-left: 10px;cursor: pointer\" src=\"'.$this->editIcon.'\" alt=\"placeholder\" sizes=\"(max-width: 150px) 100vw, 150px\" id=\"moo-edit-item-name-\".esc_attr($item['uuid']).\"'>\";\n+        $title .= '\u003Cdiv class=\"moo-item-name\">\u003Cstrong>' . esc_html(stripslashes((string)$itemName)) . '\u003C\u002Fstrong>\u003C\u002Fdiv>\u003Cimg onclick=\"moo_editItemName(event,\\''.$item['uuid'].'\\')\" style=\"margin-left: 10px;cursor: pointer\" src=\"'.$this->editIcon.'\" alt=\"placeholder\" sizes=\"(max-width: 150px) 100vw, 150px\" id=\"moo-edit-item-name-\".esc_attr($item['uuid']).\"'>\";\n         $title .= '\u003C\u002Fdiv>';","The exploit targets the plugin's unauthenticated REST API endpoints, specifically those under the `moo-clover\u002Fv1` namespace. An attacker sends a POST request to a route such as `\u002Fwp-json\u002Fmoo-clover\u002Fv1\u002Fcheckout\u002Fplace_order` (or similar endpoints in `CheckoutRoutes` or `SyncRoutes`) without any authentication or nonces. The payload includes a malicious script within parameters like `last_name`, `customer_name`, or `first_name`. Because the REST API returns `true` for its `permission_callback`, the request is processed and the payload is stored. When an administrator later logs into the WordPress dashboard and views the Orders page (`wp-admin\u002Fadmin.php?page=moo_orders`) or Products page, the plugin retrieves the stored data and outputs it using `stripslashes()` without `esc_html()`, causing the script to execute in the administrator's browser session.","gemini-3-flash-preview","2026-06-04 17:50:04","2026-06-04 17:51:35",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags\u002F1.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclover-online-orders.1.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags\u002F1.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fclover-online-orders.1.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fclover-online-orders\u002Ftags"]