[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ff5BuziJlTvZR2GjbwQaJe3Ytz_-0biiigzTmqkGQMKM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-27046","storecustomizer-a-plugin-to-customize-all-woocommerce-pages-missing-authorization","StoreCustomizer – A plugin to Customize all WooCommerce Pages \u003C= 2.6.3 - Missing Authorization","The StoreCustomizer – A plugin to Customize all WooCommerce Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","woocustomizer",null,"\u003C=2.6.3","2.6.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-16 00:00:00","2026-04-15 13:42:18",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2d4965e5-c207-475e-9673-29b3d0d996f7?source=api-prod",31,[22,23,24,25,26,27,28],"assets\u002Fjs\u002Ffrontend.js","freemius\u002Fassets\u002Fcss\u002Fadmin\u002Faccount.css","freemius\u002Fassets\u002Fcss\u002Fadmin\u002Fconnect.css","freemius\u002Fassets\u002Fcss\u002Fadmin\u002Fdebug.css","freemius\u002Fassets\u002Fjs\u002Fpostmessage.js","freemius\u002Fassets\u002Fjs\u002Fpricing\u002F4529cac82a2d1f300d3c4702b7b5e8f3.svg","freemius\u002Fassets\u002Fjs\u002Fpricing\u002F5480ed23b199531a8cbc05924f26952b.png","researched",false,3,"# Exploitation Research Plan - CVE-2026-27046\n\n## 1. Vulnerability Summary\nThe **StoreCustomizer** plugin for WordPress (versions \u003C= 2.6.3) suffers from a **Missing Authorization** vulnerability. The plugin registers an AJAX action `wcz_admin_get_product_stats` intended for administrative use (viewing product statistics) but fails to implement capability checks (e.g., `current_user_can( 'manage_woocommerce' )` or `current_user_can( 'manage_options' )`). This allows any authenticated user, including those with **Subscriber** level permissions, to retrieve sensitive WooCommerce product statistics by invoking the AJAX handler directly.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wcz_admin_get_product_stats`\n- **HTTP Method**: `POST`\n- **Vulnerable Parameter**: `product_id`\n- **Authentication**: Required (Subscriber level or higher)\n- **Preconditions**: WooCommerce must be installed and at least one product must exist.\n\n## 3. Code Flow\n1. **Frontend Trigger**: In `assets\u002Fjs\u002Ffrontend.js`, the plugin attaches a click listener to elements with the class `.wcz-adminstats-btn`.\n2. **AJAX Preparation**: When clicked, the script extracts a `productid` from the element's data attribute: `var wcz_adminstat_id = jQuery( this ).data( 'productid' );`.\n3. **AJAX Dispatch**: The script sends a POST request to `wcz_admin_stats.ajax_url` (which resolves to `admin-ajax.php`) with the following data:\n   - `action`: `wcz_admin_get_product_stats`\n   - `product_id`: The extracted ID.\n4. **Backend Processing (Inferred)**: The WordPress backend receives the action. Because it is registered via `wp_ajax_wcz_admin_get_product_stats` without a corresponding capability check in the handler function, the plugin proceeds to fetch and return the statistics for the specified `product_id`.\n5. **Response Render**: The response (expected as HTML) is injected into `.wcz-adminstats-modal-inner`.\n\n## 4. Nonce Acquisition Strategy\nReviewing `assets\u002Fjs\u002Ffrontend.js`:\n```javascript\njQuery.ajax({\n    type: 'POST',\n    url: wcz_admin_stats.ajax_url,\n    dataType: 'html',\n    data: {\n        'action': 'wcz_admin_get_product_stats',\n        'product_id': wcz_adminstat_id,\n    },\n    \u002F\u002F ...\n```\nThe AJAX request **does not include a nonce parameter**. This indicates that the backend handler for `wcz_admin_get_product_stats` does not verify a nonce (missing `check_ajax_referer` or `wp_verify_nonce`). \n\n**Conclusion**: No nonce is required for exploitation. Only an authenticated session cookie is needed.\n\n## 5. Exploitation Strategy\nThe exploit will involve logging in as a Subscriber and directly hitting the AJAX endpoint to leak product statistics.\n\n### Step-by-Step Plan:\n1. **Identify Target Product**: Use WP-CLI to find a valid product ID.\n2. **Authenticate**: Log in to WordPress as a Subscriber user to obtain a session cookie.\n3. **Trigger Vulnerability**: Send a POST request to `admin-ajax.php`.\n   - **URL**: `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body**: `action=wcz_admin_get_product_stats&product_id=\u003CID>`\n4. **Capture Output**: Analyze the HTML response for sensitive WooCommerce metrics (e.g., total sales, net profit, or inventory data).\n\n## 6. Test Data Setup\n1. **Install Requirements**: Ensure WooCommerce and StoreCustomizer (\u003C= 2.6.3) are active.\n2. **Create Product**: \n   ```bash\n   wp post create --post_type=product --post_title=\"Sensitive Product\" --post_status=publish\n   # Note the resulting ID (e.g., 123)\n   ```\n3. **Create Attacker**:\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n   ```\n\n## 7. Expected Results\n- **Success Condition**: The server returns an HTTP 200 response containing HTML markup with product statistics.\n- **Data Exposed**: The HTML will likely contain a breakdown of sales figures or other \"Admin Stats\" defined by the plugin for that product ID, which should be restricted to Shop Managers\u002FAdmins.\n\n## 8. Verification Steps\n1. **Check Response Content**: Verify the response contains terms like \"Sales\", \"Stats\", or specific numerical values associated with the product.\n2. **Confirm Capability Restriction**: Verify that a Subscriber-level user *cannot* view these stats through the normal WooCommerce UI.\n3. **Database Check (Post-Exploit)**: Since this is a \"Missing Authorization\" (Read) vulnerability, verification is primarily done by confirming the sensitivity of the data returned in the HTTP response.\n\n## 9. Alternative Approaches\nIf the plugin uses a different parameter name for the ID (e.g., `id` or `p_id`), I will:\n1. Grep the plugin directory for the string `'wcz_admin_get_product_stats'` to find the PHP handler name.\n2. Inspect the PHP handler to identify the exact `$_POST` or `$_REQUEST` keys used.\n3. If the statistics are empty, I will simulate a sale for the product using `wp wc order create ...` to ensure there is data to leak.","The StoreCustomizer plugin for WooCommerce (\u003C= 2.6.3) fails to implement capability checks or nonce verification on its AJAX handler for retrieving product statistics. This allows authenticated attackers with subscriber-level permissions to access sensitive sales data and stock information for any product.","\u002F\u002F assets\u002Fjs\u002Ffrontend.js lines 13-21\n\t\t\tjQuery.ajax({\n\t\t\t\ttype: 'POST',\n\t\t\t\turl: wcz_admin_stats.ajax_url,\n\t\t\t\tdataType: 'html',\n\t\t\t\tdata: {\n\t\t\t\t\t'action': 'wcz_admin_get_product_stats',\n\t\t\t\t\t'product_id': wcz_adminstat_id,\n\t\t\t\t},","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocustomizer\u002F2.6.1\u002Fassets\u002Fjs\u002Ffrontend.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocustomizer\u002F2.6.5\u002Fassets\u002Fjs\u002Ffrontend.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocustomizer\u002F2.6.1\u002Fassets\u002Fjs\u002Ffrontend.js\t2025-04-17 03:59:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocustomizer\u002F2.6.5\u002Fassets\u002Fjs\u002Ffrontend.js\t2026-03-30 11:36:30.000000000 +0000\n@@ -21,6 +21,7 @@\n \t\t\t\tdata: {\n \t\t\t\t\t'action': 'wcz_admin_get_product_stats',\n \t\t\t\t\t'product_id': wcz_adminstat_id,\n+\t\t\t\t\t'nonce': wcz_admin_stats.nonce,\n \t\t\t\t},","To exploit this vulnerability, an attacker must be authenticated as a Subscriber or higher. The attacker identifies a target WooCommerce product ID and sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the parameters 'action=wcz_admin_get_product_stats' and 'product_id=[TARGET_ID]'. Because the backend PHP handler lacks a capability check (such as current_user_can('manage_woocommerce')) and does not verify a security nonce, the server responds with an HTML block containing sensitive product sales statistics and performance metrics.","gemini-3-flash-preview","2026-04-18 03:32:20","2026-04-18 03:32:54",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.6.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocustomizer\u002Ftags\u002F2.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocustomizer.2.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocustomizer\u002Ftags\u002F2.6.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocustomizer.2.6.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocustomizer\u002Ftags"]