CVE-2026-27046

StoreCustomizer – A plugin to Customize all WooCommerce Pages <= 2.6.3 - Missing Authorization

Missing Authorization
4.3
CVSS Score
medium
Severity
2.6.5
Patched in
31d
Time to patch

Description

The StoreCustomizer – A plugin to Customize all WooCommerce Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <=2.6.3
Published: March 16, 2026
Last updated: April 15, 2026
Affected plugin: woocustomizer

What Changed in the Fix

Changes introduced in v2.6.5


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-27046

1. Vulnerability Summary

The StoreCustomizer plugin for WordPress (versions <= 2.6.3) suffers from a Missing Authorization vulnerability. The plugin registers an AJAX action wcz_admin_get_product_stats intended for administrative use (viewing product statistics) but fails to implement capability checks (e.g., current_user_can( 'manage_woocommerce' ) or current_user_can( 'manage_options' )). This allows any authenticated user, including those with Subscriber level permissions, to retrieve sensitive WooCommerce product statistics by invoking the AJAX handler directly.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wcz_admin_get_product_stats
  • HTTP Method: POST
  • Vulnerable Parameter: product_id
  • Authentication: Required (Subscriber level or higher)
  • Preconditions: WooCommerce must be installed and at least one product must exist.

3. Code Flow

  1. Frontend Trigger: In assets/js/frontend.js, the plugin attaches a click listener to elements with the class .wcz-adminstats-btn.
  2. AJAX Preparation: When clicked, the script extracts a productid from the element's data attribute: var wcz_adminstat_id = jQuery( this ).data( 'productid' );.
  3. AJAX Dispatch: The script sends a POST request to wcz_admin_stats.ajax_url (which resolves to admin-ajax.php) with the following data:
    • action: wcz_admin_get_product_stats
    • product_id: The extracted ID.
  4. Backend Processing (Inferred): The WordPress backend receives the action. Because it is registered via wp_ajax_wcz_admin_get_product_stats without a corresponding capability check in the handler function, the plugin proceeds to fetch and return the statistics for the specified product_id.
  5. Response Render: The response (expected as HTML) is injected into .wcz-adminstats-modal-inner.

4. Nonce Acquisition Strategy

Reviewing assets/js/frontend.js:

jQuery.ajax({
    type: 'POST',
    url: wcz_admin_stats.ajax_url,
    dataType: 'html',
    data: {
        'action': 'wcz_admin_get_product_stats',
        'product_id': wcz_adminstat_id,
    },
    // ...

The AJAX request does not include a nonce parameter. This indicates that the backend handler for wcz_admin_get_product_stats does not verify a nonce (missing check_ajax_referer or wp_verify_nonce).

Conclusion: No nonce is required for exploitation. Only an authenticated session cookie is needed.

5. Exploitation Strategy

The exploit will involve logging in as a Subscriber and directly hitting the AJAX endpoint to leak product statistics.

Step-by-Step Plan:

  1. Identify Target Product: Use WP-CLI to find a valid product ID.
  2. Authenticate: Log in to WordPress as a Subscriber user to obtain a session cookie.
  3. Trigger Vulnerability: Send a POST request to admin-ajax.php.
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=wcz_admin_get_product_stats&product_id=<ID>
  4. Capture Output: Analyze the HTML response for sensitive WooCommerce metrics (e.g., total sales, net profit, or inventory data).

6. Test Data Setup

  1. Install Requirements: Ensure WooCommerce and StoreCustomizer (<= 2.6.3) are active.
  2. Create Product:
    wp post create --post_type=product --post_title="Sensitive Product" --post_status=publish
    # Note the resulting ID (e.g., 123)
  3. Create Attacker:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123

7. Expected Results

  • Success Condition: The server returns an HTTP 200 response containing HTML markup with product statistics.
  • Data Exposed: The HTML will likely contain a breakdown of sales figures or other "Admin Stats" defined by the plugin for that product ID, which should be restricted to Shop Managers/Admins.

8. Verification Steps

  1. Check Response Content: Verify the response contains terms like "Sales", "Stats", or specific numerical values associated with the product.
  2. Confirm Capability Restriction: Verify that a Subscriber-level user cannot view these stats through the normal WooCommerce UI.
  3. Database Check (Post-Exploit): Since this is a "Missing Authorization" (Read) vulnerability, verification is primarily done by confirming the sensitivity of the data returned in the HTTP response.

9. Alternative Approaches

If the plugin uses a different parameter name for the ID (e.g., id or p_id), I will:

  1. Grep the plugin directory for the string 'wcz_admin_get_product_stats' to find the PHP handler name.
  2. Inspect the PHP handler to identify the exact $_POST or $_REQUEST keys used.
  3. If the statistics are empty, I will simulate a sale for the product using wp wc order create ... to ensure there is data to leak.

Research Findings
Static analysis — not yet PoC-verified

Summary

The StoreCustomizer plugin for WooCommerce (<= 2.6.3) fails to implement capability checks or nonce verification on its AJAX handler for retrieving product statistics. This allows authenticated attackers with subscriber-level permissions to access sensitive sales data and stock information for any product.

Vulnerable Code

// assets/js/frontend.js lines 13-21
jQuery.ajax({
    type: 'POST',
    url: wcz_admin_stats.ajax_url,
    dataType: 'html',
    data: {
        'action': 'wcz_admin_get_product_stats',
        'product_id': wcz_adminstat_id,
    },

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woocustomizer/2.6.1/assets/js/frontend.js /home/deploy/wp-safety.org/data/plugin-versions/woocustomizer/2.6.5/assets/js/frontend.js
--- /home/deploy/wp-safety.org/data/plugin-versions/woocustomizer/2.6.1/assets/js/frontend.js	2025-04-17 03:59:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woocustomizer/2.6.5/assets/js/frontend.js	2026-03-30 11:36:30.000000000 +0000
@@ -21,6 +21,7 @@
 				data: {
 					'action': 'wcz_admin_get_product_stats',
 					'product_id': wcz_adminstat_id,
+					'nonce': wcz_admin_stats.nonce,
 				},
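Review bot: this hunk only adds the client-side `'nonce': wcz_admin_stats.nonce` field to the request data; nothing in it shows the server verifying that value or checking a capability, and a nonce on its own does not supply the `current_user_can()` authorization check this advisory says is missing. The change should be reviewed together with the PHP handler registered for `wp_ajax_wcz_admin_get_product_stats` to confirm it calls `check_ajax_referer()` on this `nonce` field and gates the response behind a capability such as `manage_woocommerce`. It should also be confirmed that `wcz_admin_stats.nonce` is actually localized into the script object, since otherwise the field is sent as `undefined` and the request fails for legitimate users.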

Exploit Outline

To exploit this vulnerability, an attacker must be authenticated as a Subscriber or higher. The attacker identifies a target WooCommerce product ID and sends a POST request to '/wp-admin/admin-ajax.php' with the parameters 'action=wcz_admin_get_product_stats' and 'product_id=[TARGET_ID]'. Because the backend PHP handler lacks a capability check (such as current_user_can('manage_woocommerce')) and does not verify a security nonce, the server responds with an HTML block containing sensitive product sales statistics and performance metrics.
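What a complete server-side fix for the handler described in sections 1, 3 and 4 of the research plan, the Research Findings summary and the exploit outline above looks like, as an added example. This is not StoreCustomizer's code: the function names, the nonce action string 'wcz_admin_stats' and the script handle 'wcz-frontend' are assumptions; the AJAX action name, the product_id parameter and the 'nonce' request field come from the advisory and its diff. The vulnerable shape is shown first so the two can be compared.

```php
<?php
/**
 * Added example, not StoreCustomizer's code.
 * Assumed: function names, nonce action 'wcz_admin_stats', script handle 'wcz-frontend'.
 * From the advisory: action 'wcz_admin_get_product_stats', POST field 'product_id',
 * request field 'nonce' added by the 2.6.5 frontend.js diff.
 */

// --- Vulnerable shape (hypothetical reconstruction): no nonce, no capability check.
function example_vulnerable_get_product_stats() {
    $product = wc_get_product( absint( $_POST['product_id'] ?? 0 ) );
    if ( $product ) {
        // Any logged-in user who can reach admin-ajax.php receives this output.
        echo '<p>Total sales: ' . esc_html( (string) $product->get_total_sales() ) . '</p>';
    }
    wp_die();
}

// --- Hardened handler.
function example_hardened_get_product_stats() {
    // 1. CSRF protection: verify the 'nonce' field the client now sends.
    //    check_ajax_referer() ends the request with HTTP 403 on mismatch.
    check_ajax_referer( 'wcz_admin_stats', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. Require the
    //    capability that gates WooCommerce reports (shop managers and admins).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: coerce to a positive integer and confirm it is a product.
    $product_id = isset( $_POST['product_id'] ) ? absint( wp_unslash( $_POST['product_id'] ) ) : 0;
    $product    = $product_id ? wc_get_product( $product_id ) : false;
    if ( ! $product ) {
        wp_send_json_error( array( 'message' => 'Unknown product.' ), 404 );
    }

    // 4. Output escaping: the handler returns HTML, so escape every value it emits.
    $rows = array(
        'Total sales'    => (int) $product->get_total_sales(),
        'Stock quantity' => $product->get_stock_quantity() ?? 'n/a',
    );
    $html = '<ul class="wcz-adminstats">';
    foreach ( $rows as $label => $value ) {
        $html .= sprintf( '<li>%s: %s</li>', esc_html( $label ), esc_html( (string) $value ) );
    }
    $html .= '</ul>';

    echo $html; // Every dynamic value was escaped above.
    wp_die();
}

// Register only the authenticated hook. With no wp_ajax_nopriv_ variant,
// unauthenticated requests to admin-ajax.php get the literal response "0".
add_action( 'wp_ajax_wcz_admin_get_product_stats', 'example_hardened_get_product_stats' );

// Hand the nonce to the frontend under the object name the plugin's script reads.
function example_localize_admin_stats() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return; // Do not ship the stats button's data to users who cannot use it.
    }
    wp_localize_script(
        'wcz-frontend', // assumed script handle; must already be registered
        'wcz_admin_stats',
        array(
            'ajax_url' => admin_url( 'admin-ajax.php' ),
            'nonce'    => wp_create_nonce( 'wcz_admin_stats' ),
        )
    );
}
add_action( 'wp_enqueue_scripts', 'example_localize_admin_stats', 20 );
```

The order of the checks matters: the nonce check runs first because it is cheap and rejects cross-site requests before any database work, but it is the current_user_can() test that closes CVE-2026-27046, since a nonce is issued to any logged-in user who loads the page. The client-side diff shown under Security Fix only adds the 'nonce' request field; without a matching check_ajax_referer() and capability check in the PHP handler, a subscriber's request is still answered.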
