[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgPCdccII5rHUtDDSdw31DXHLY_Gpdo4RSr95n_uix24":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-24554","subscription-recurring-payment-for-woocommerce-cross-site-request-forgery","Subscription & Recurring Payment for WooCommerce \u003C= 1.9.1 - Cross-Site Request Forgery","The Subscription & Recurring Payment for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","subscription",null,"\u003C=1.9.1","1.9.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-25 00:00:00","2026-05-26 19:12:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1a033ffd-bcff-4803-812b-abfc6d5135e5?source=api-prod",2,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fadmin.js","assets\u002Fjs\u002Finstaller.js","changelog.txt","includes\u002FAdmin\u002FIntegrations.php","includes\u002FAdmin\u002FLinks.php","includes\u002FAdmin\u002FMenu.php","includes\u002FAdmin\u002FSettings.php","includes\u002FAdmin\u002FSettingsHelper.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-24554 (CSRF in Subscription & Recurring Payment for WooCommerce)\n\n## 1. Vulnerability Summary\nThe **Subscription & Recurring Payment for WooCommerce** plugin (versions \u003C= 1.9.1) contains multiple Cross-Site Request Forgery (CSRF) vulnerabilities. The primary flaw resides in the lack of (or incorrect) nonce validation in the AJAX handler for bulk subscription actions and potentially in the plugin installer endpoints. This allows an unauthenticated attacker to trick a logged-in administrator into performing destructive actions, such as permanently deleting subscriptions or modifying plugin states, by visiting a malicious link or form.\n\n## 2. Attack Vector Analysis\n- **Vulnerable AJAX Action:** `wp_subscription_bulk_action`\n- **Vulnerable Installer Actions:** `install_woocommerce_plugin` and `wps_subscription_activate_woocommerce_plugin`\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Required Authentication:** Admin-level (triggered via the victim's session).\n- **HTTP Method:** `POST`\n- **Preconditions:**\n    - The victim must be a logged-in administrator.\n    - At least one subscription must exist on the site for the bulk action exploit.\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers AJAX handlers in `includes\u002FAdmin\u002FMenu.php` and (likely) an installer file:\n   ```php\n   \u002F\u002F includes\u002FAdmin\u002FMenu.php\n   add_action( 'wp_ajax_wp_subscription_bulk_action', array( $this, 'handle_bulk_action_ajax' ) );\n   ```\n2. **AJAX Call (JS side):** In `assets\u002Fjs\u002Fadmin.js`, the `handleBulkAction` function sends a POST request:\n   ```javascript\n   jQuery.ajax({\n     url: wp_subscription_ajax.ajaxurl,\n     type: \"POST\",\n     data: {\n       action: \"wp_subscription_bulk_action\",\n       bulk_action: action, \u002F\u002F e.g., \"delete\"\n       subscription_ids: subscriptionIds,\n       nonce: wp_subscription_ajax.nonce,\n     },\n     \u002F\u002F ...\n   });\n   ```\n3. **Vulnerable Sink:** The PHP function `handle_bulk_action_ajax` (referenced in `Menu.php`) processes the `bulk_action` (delete, trash, etc.) for the provided `subscription_ids`. The vulnerability exists because this function either omits `check_ajax_referer` entirely or performs an \"incorrect\" check (e.g., checking for a parameter that doesn't exist or failing to terminate execution on failure).\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability is CSRF. If the handler **completely lacks** a nonce check, no acquisition is required. However, the description mentions \"incorrect\" validation. If the check is conditional (e.g., `if (isset($_POST['nonce'])) { wp_verify_nonce(...) }`), the exploit simply omits the nonce.\n\nIf a nonce **is required** but can be leaked (e.g., to an unauthenticated user):\n1. **Identify Script Loading:** The `sdevs_subscription_admin` script (and its localized nonce) is enqueued on the `wp-subscription` admin page.\n2. **Page Creation:** Create a page that might trigger the plugin logic (though these are admin-only scripts, sometimes they leak into the frontend via shared helpers).\n3. **Extraction:**\n   - Use `browser_navigate` to the Admin Subscription list: `\u002Fwp-admin\u002Fadmin.php?page=wp-subscription`.\n   - Use `browser_eval` to extract the nonce: `window.wp_subscription_ajax?.nonce`.\n   - **Note:** For standard CSRF PoCs, we demonstrate that the action executes **without** a valid nonce to prove the vulnerability.\n\n## 5. Exploitation Strategy\n### Scenario: Bulk Deletion of Subscriptions\n1. **Target Action:** `wp_subscription_bulk_action`\n2. **Action Parameter:** `bulk_action=delete`\n3. **Payload Formulation:**\n   ```\n   action=wp_subscription_bulk_action\n   bulk_action=delete\n   subscription_ids[]=1\n   subscription_ids[]=2\n   ```\n4. **Execution:** Use the `http_request` tool to simulate the admin's browser performing the POST request without a nonce (or with an invalid one).\n\n### HTTP Request Payload (via `http_request`)\n- **URL:** `http:\u002F\u002F[target-ip]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `action=wp_subscription_bulk_action&bulk_action=delete&subscription_ids[]=1`\n\n## 6. Test Data Setup\n1. **Create Subscriptions:** Since subscriptions are often Custom Post Types or custom table entries, the easiest way is to use the plugin's UI to create a test subscription or use WP-CLI if the post type is known.\n   - *Assumption:* Subscriptions are stored as post type `subscrpt_order` (based on internal naming).\n   - `wp post create --post_type=subscrpt_order --post_status=publish --post_title=\"Test Subscription\"`\n2. **Identify IDs:** Get the ID of the created subscription:\n   - `wp post list --post_type=subscrpt_order`\n\n## 7. Expected Results\n- **Response:** The AJAX handler should return a JSON success message: `{\"success\":true,\"data\":{\"message\":\"...\"}}`.\n- **Side Effect:** The subscription with the specified ID should be permanently removed from the database.\n\n## 8. Verification Steps\n1. **Post-Exploit Check:** Attempt to retrieve the subscription via WP-CLI:\n   - `wp post get [ID]`\n2. **Success Criteria:** If the command returns \"Could not find the post,\" the deletion via CSRF was successful.\n3. **Database Check:**\n   - `wp db query \"SELECT count(*) FROM wp_posts WHERE post_type='subscrpt_order'\"` (Count should decrease).\n\n## 9. Alternative Approaches\n### Installer CSRF\nIf bulk actions are protected, target the installer endpoints found in `assets\u002Fjs\u002Finstaller.js`:\n- **Action:** `install_woocommerce_plugin`\n- **Body:** `action=install_woocommerce_plugin&install_plugin=woocommerce`\n- **Action:** `wps_subscription_activate_woocommerce_plugin`\n- **Body:** `action=wps_subscription_activate_woocommerce_plugin&activate_plugin=woocommerce`\nVerify if these actions can be triggered by an admin session without a nonce, which could be used to disrupt the site or force-install specific plugins.","The Subscription & Recurring Payment for WooCommerce plugin is vulnerable to Cross-Site Request Forgery (CSRF) because it lacks nonce validation on several AJAX endpoints, specifically those handling bulk subscription actions and plugin installation. This allows unauthenticated attackers to trick a logged-in administrator into performing unauthorized actions, such as deleting subscriptions or installing\u002Factivating the WooCommerce plugin, by visiting a malicious link or submitting a forged form.","\u002F\u002F includes\u002FAdmin\u002FMenu.php line 18\nadd_action( 'wp_ajax_wp_subscription_bulk_action', array( $this, 'handle_bulk_action_ajax' ) );\n\n---\n\n\u002F\u002F assets\u002Fjs\u002Finstaller.js lines 15-19\n    $.ajax({\n      type: \"POST\",\n      url: sdevs_installer_helper_obj.ajax_url,\n      data: {\n        install_plugin: \"woocommerce\",\n        action: \"install_woocommerce_plugin\",\n      },\n\n---\n\n\u002F\u002F assets\u002Fjs\u002Finstaller.js lines 35-39\n    $.ajax({\n      type: \"POST\",\n      url: sdevs_installer_helper_obj.ajax_url,\n      data: {\n        activate_plugin: \"woocommerce\",\n        action: \"wps_subscription_activate_woocommerce_plugin\",\n      },","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.1\u002Fassets\u002Fjs\u002Fadmin.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.2\u002Fassets\u002Fjs\u002Fadmin.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.1\u002Fassets\u002Fjs\u002Fadmin.js\t2025-09-18 07:07:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.2\u002Fassets\u002Fjs\u002Fadmin.js\t2026-03-30 08:58:52.000000000 +0000\n@@ -131,7 +131,7 @@\n       url: wp_subscription_ajax.ajaxurl,\n       type: \"POST\",\n       data: {\n-        action: \"wp_subscription_bulk_action\",\n+        action: \"subscrpt_bulk_action\",\n         bulk_action: action,\n         subscription_ids: subscriptionIds,\n         nonce: wp_subscription_ajax.nonce,\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.1\u002Fassets\u002Fjs\u002Finstaller.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.2\u002Fassets\u002Fjs\u002Finstaller.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.1\u002Fassets\u002Fjs\u002Finstaller.js\t2025-09-18 07:07:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.2\u002Fassets\u002Fjs\u002Finstaller.js\t2026-03-30 08:58:52.000000000 +0000\n@@ -15,7 +15,7 @@\n       url: sdevs_installer_helper_obj.ajax_url,\n       data: {\n         install_plugin: \"woocommerce\",\n-        action: \"install_woocommerce_plugin\",\n+        action: \"subscrpt_install_woocommerce_plugin\",\n       },\n       beforeSend: function () {\n         $(\".sdevs-loading-icon\").show();\n@@ -35,7 +35,7 @@\n       url: sdevs_installer_helper_obj.ajax_url,\n       data: {\n         activate_plugin: \"woocommerce\",\n-        action: \"wps_subscription_activate_woocommerce_plugin\",\n+        action: \"subscrpt_activate_woocommerce_plugin\",\n       },\n       beforeSend: function () {\n         $(\".sdevs-loading-icon\").show();\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.1\u002Fincludes\u002FAdmin\u002FMenu.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.2\u002Fincludes\u002FAdmin\u002FMenu.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.1\u002Fincludes\u002FAdmin\u002FMenu.php\t2026-03-09 08:29:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsubscription\u002F1.9.2\u002Fincludes\u002FAdmin\u002FMenu.php\t2026-03-30 08:58:52.000000000 +0000\n@@ -15,7 +15,7 @@\n \tpublic function __construct() {\n \t\tadd_action( 'admin_menu', array( $this, 'create_admin_menu' ) );\n \t\tadd_action( 'admin_enqueue_scripts', array( $this, 'enqueue_admin_assets' ) );\n-\t\tadd_action( 'wp_ajax_wp_subscription_bulk_action', array( $this, 'handle_bulk_action_ajax' ) );\n+\t\tadd_action( 'wp_ajax_subscrpt_bulk_action', array( $this, 'handle_bulk_action_ajax' ) );\n \t}\n \n \t\u002F**\n@@ -43,7 +43,7 @@\n \t\t\t'sdevs_subscription_admin',\n \t\t\t'wp_subscription_ajax',\n \t\t\tarray(\n-\t\t\t\t'nonce'   => wp_create_nonce( 'wp_subscription_bulk_action_nonce' ),\n+\t\t\t\t'nonce'   => wp_create_nonce( 'subscrpt_bulk_action_nonce' ),\n \t\t\t\t'ajaxurl' => admin_url( 'admin-ajax.php' ),\n \t\t\t)\n \t\t);","1. Identify the target site's AJAX endpoint at `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2. Construct a malicious HTML page containing a hidden form or a JavaScript snippet that automatically sends a POST request to this endpoint.\n3. For bulk actions, the payload should include `action=wp_subscription_bulk_action`, `bulk_action=delete`, and a list of subscription IDs in the `subscription_ids[]` parameter.\n4. For installer actions, the payload should include `action=install_woocommerce_plugin` or `action=wps_subscription_activate_woocommerce_plugin`.\n5. Trick an authenticated administrator into clicking a link to the malicious page while they have an active session on the WordPress dashboard.\n6. The browser will automatically submit the request with the administrator's cookies, and because the server-side AJAX handler fails to properly validate a unique nonce, the action (e.g., deleting all subscriptions) will be executed.","gemini-3-flash-preview","2026-06-04 21:15:15","2026-06-04 21:16:39",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.9.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsubscription\u002Ftags\u002F1.9.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsubscription.1.9.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsubscription\u002Ftags\u002F1.9.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsubscription.1.9.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsubscription\u002Ftags"]