[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fr1YD9SeKeTvQAD0NOAvwY3BfB4FKGMjEPdcCEBh_t2g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-54802","sms-alert-sms-otp-for-woocommerce-order-notifications-abandoned-cart-recovery-missing-authorization","SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery \u003C= 3.9.3 - Missing Authorization","The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.9.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","sms-alert",null,"\u003C=3.9.3","3.9.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-16 00:00:00","2026-06-25 14:23:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F17f4d448-d9d8-4bee-b216-42f9b77c30be?source=api-prod",10,[22,23,24,25,26,27,28],"SMSAlert-wc-order-sms.php","handler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php","helper\u002Fconstants.php","js\u002Fadmin.js","js\u002Fotp-sms.min.js","js\u002Fphone-number-validate.js","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-54802 (SMS Alert - Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **SMS Alert – SMS & OTP for WooCommerce** plugin (versions \u003C= 3.9.3) is vulnerable to **Missing Authorization**. The plugin registers a handler (likely on `admin_init` or `init`) that processes various administrative actions via an `option` HTTP parameter. Because this handler lacks a `current_user_can()` capability check, unauthenticated attackers can trigger sensitive actions—such as logging the site out of the SMS Alert service or triggering customer data synchronization—by simply sending a crafted request to the WordPress administrative entry points.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoints:** \n    - `\u002Fwp-admin\u002Fadmin-post.php` (Targeted because `admin_init` fires here without requiring authentication).\n    - `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Payload Parameter:** `option` (GET or POST).\n- **Vulnerable Actions (Values for `option`):**\n    - `smsalert-woocommerce-logout`: Clears plugin gateway settings, effectively disabling SMS\u002FOTP functionality.\n    - `smsalert-group-sync`: Triggers a synchronization process for user groups.\n    - `smsalert-woocommerce-creategroup`: Attempts to create a new group in the SMS Alert service.\n- **Authentication Level:** Unauthenticated (Privileges Required: None).\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1.  The plugin's main class `smsalert_WC_Order_SMS` is instantiated.\n2.  During initialization, a callback is registered to a hook that executes early in the WordPress lifecycle (most likely `admin_init` as seen in typical patterns for this plugin's `option` routing).\n3.  The handler checks for the presence of `$_GET['option']` or `$_POST['option']`.\n4.  In `js\u002Fadmin.js`, the `logout()` and `verifyUser()` functions demonstrate that the plugin expects to handle actions like `smsalert-woocommerce-logout` and `smsalert-woocommerce-senderlist` via `admin.php`.\n5.  **The Flaw:** The server-side logic associated with these `option` values performs state-changing operations (like `delete_option('smsalert_gateway')`) before verifying if the user has the `manage_options` capability.\n\n## 4. Nonce Acquisition Strategy\nWhile the client-side `js\u002Fadmin.js` passes a nonce (`smsalert.nonce`), the vulnerability description \"Missing Authorization\" and the CVSS vector `PR:N` suggest that:\n1.  The nonce check is either entirely missing on the server-side for these specific `option` actions, OR\n2.  The nonce is validated using a weak check (e.g., `wp_verify_nonce($nonce, -1)`), which can be satisfied by an unauthenticated nonce.\n\n**Strategy:**\nFirst, attempt the exploit without a nonce. If the response indicates a failure, the nonce can be retrieved as follows:\n1.  **Check Public Exposure:** Search the homepage for localized scripts.\n2.  **JS Variable:** `smsalert.nonce`.\n3.  **Extraction:**\n    - Use `browser_navigate` to the homepage.\n    - Use `browser_eval(\"window.smsalert?.nonce\")` to extract the token.\n\n## 5. Exploitation Strategy\nWe will target the `smsalert-woocommerce-logout` action to demonstrate an unauthorized state change.\n\n### Step-by-Step Plan:\n1.  **Preparation:** Verify current plugin settings using WP-CLI.\n2.  **Execution:** Send an unauthenticated request to `admin-post.php` with the malicious `option`.\n3.  **Verification:** Check if the plugin settings have been wiped.\n\n### Payload (Unauthenticated Logout):\n- **Method:** `GET`\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-post.php?option=smsalert-woocommerce-logout`\n- **Expected Result:** The plugin should process the request and delete the `smsalert_gateway` option from the database.\n\n## 6. Test Data Setup\n1.  Ensure WooCommerce and SMS Alert are installed and active.\n2.  Configure a mock API key in the plugin settings so that `smsalert_gateway` is populated.\n    - `wp option update smsalert_gateway '{\"smsalert_api\":\"DUMMY_KEY\",\"smsalert_password\":\"DUMMY_PASSWORD\"}'`\n\n## 7. Expected Results\n- **Success:** The HTTP request returns a 200 or 302 status.\n- **Impact:** The `smsalert_gateway` option is removed or modified in the WordPress database, disabling the plugin's core functionality.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the modification via WP-CLI:\n```bash\n# Check if the gateway option was deleted\nwp option get smsalert_gateway\n```\nIf the command returns \"Error: Could not find the option with key 'smsalert_gateway'\", the exploit was successful.\n\n## 9. Alternative Approaches\nIf `admin-post.php` is blocked or fails, target the sync functionality:\n- **Request:** `GET \u002Fwp-admin\u002Fadmin-post.php?option=smsalert-group-sync&grp_name=pwned`\n- **Verification:** Check for outbound requests or logs indicating a sync attempt was made unauthenticated.\n\nIf the logout action requires a nonce but doesn't check capabilities, use the `browser_eval` method described in Section 4 to obtain the nonce from the admin dashboard (if leaked) or any page where it is localized.","The SMS Alert plugin for WordPress is vulnerable to unauthorized access due to a lack of capability checks and nonce validation on its request handling logic. Unauthenticated attackers can exploit this by sending requests with specific 'option' parameters to administrative endpoints, allowing them to perform actions such as retrieving sensitive order information or resetting plugin settings.","\u002F\u002F handler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php line 2251\n        $order_id = isset($_REQUEST['order_id']) ? sanitize_text_field(wp_unslash($_REQUEST['order_id'])) : '';\n        $option   = isset($_REQUEST['option']) ? sanitize_text_field(wp_unslash($_REQUEST['option'])) : '';\n\t\t\n\n        if (! empty($option) && ( 'fetch-order-variable' === sanitize_text_field($option) ) && ! empty($order_id) ) {\n            $tokens = array();","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsms-alert\u002F3.9.3\u002Fhandler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsms-alert\u002F3.9.4\u002Fhandler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsms-alert\u002F3.9.3\u002Fhandler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php\t2026-03-20 02:49:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsms-alert\u002F3.9.4\u002Fhandler\u002Fforms\u002Fwoocommerce\u002Fwc-checkout.php\t2026-04-15 02:22:48.000000000 +0000\n@@ -2251,8 +2251,7 @@\n         $order_id = isset($_REQUEST['order_id']) ? sanitize_text_field(wp_unslash($_REQUEST['order_id'])) : '';\n         $option   = isset($_REQUEST['option']) ? sanitize_text_field(wp_unslash($_REQUEST['option'])) : '';\n \t\t\n-\n-        if (! empty($option) && ( 'fetch-order-variable' === sanitize_text_field($option) ) && ! empty($order_id) ) {\n+        if (! empty($option) && ( 'fetch-order-variable' === sanitize_text_field($option) ) && ! empty($order_id) && current_user_can('manage_options') && wp_verify_nonce( $_REQUEST['sa_var_wp_nonce'], 'sa_var_wp_nonce' ) ) {\n             $tokens = array();\n \n             global $woocommerce, $post;","The vulnerability is exploited by sending an unauthenticated HTTP GET or POST request to the WordPress administrative backend (typically \u002Fwp-admin\u002Fadmin-post.php or \u002Fwp-admin\u002Fadmin.php). The attacker provides an 'option' parameter set to a sensitive action name (such as 'fetch-order-variable' or 'smsalert-woocommerce-logout'). Since the plugin's initialization hook processes these options without verifying the user's administrative privileges or checking for a valid security nonce, the requested action is executed. For the 'fetch-order-variable' action, providing an 'order_id' allows the attacker to retrieve customer and order details.","gemini-3-flash-preview","2026-06-25 23:31:28","2026-06-25 23:33:06",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","3.9.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsms-alert\u002Ftags\u002F3.9.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsms-alert.3.9.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsms-alert\u002Ftags\u002F3.9.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsms-alert.3.9.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsms-alert\u002Ftags"]