[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f52asJxJ2SGAGqnKMgwzgQYi8NHlpRLIRkORjuZoihbA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-24372","subscriptions-for-woocommerce-missing-authorization","Subscriptions for WooCommerce \u003C= 1.8.10 - Missing Authorization","The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.8.10. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","subscriptions-for-woocommerce",null,"\u003C=1.8.10","1.9.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-13 00:00:00","2026-03-19 15:37:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F261d6d44-8e3b-4715-96c0-1c42d08662fa?source=api-prod",7,[22,23,24,25,26,27,28],"README.txt","languages\u002Fsubscriptions-for-woocommerce-en_US.po","languages\u002Fsubscriptions-for-woocommerce.pot","package\u002Fgateways\u002Fstripe-sepa\u002Fclass-wps-subscriptions-payment-stripe-sepa.php","public\u002Fclass-subscriptions-for-woocommerce-public.php","subscriptions-for-woocommerce.php","wc-block\u002Fcart-line-items.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-24372\n\n## 1. Vulnerability Summary\nThe **Subscriptions for WooCommerce** plugin (up to version 1.8.10) contains a **Missing Authorization** vulnerability. The plugin exposes administrative or sensitive functionality via AJAX handlers that lack proper capability checks (e.g., `current_user_can( 'manage_options' )`). This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin settings or manipulating subscription data, provided they can obtain a valid security nonce.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Vulnerable Action:** `wps_sfw_save_settings` (inferred from common plugin patterns and the \"Save Settings\" strings in `admin\u002Fclass-subscriptions-for-woocommerce-admin.php:1298`).\n- **Alternative Action:** `wps_get_cart_item` (explicitly used in `wc-block\u002Fcart-line-items.js` with a public nonce).\n- **Authentication:** Unauthenticated (`nopriv`).\n- **Preconditions:** The plugin must be active. 
For certain actions, the \"API Features\" or \"Setup Wizard\" context may need to be active.\n- **Nonce Requirement:** Yes. The plugin uses `wps_sfw_public_nonce` for public-facing AJAX. The nonce is not an authorization control here: it is created with `wp_create_nonce( 'wps_sfw_public_nonce' )` and localized into `sfw_public_param` on front-end pages (see the vulnerable code below), so any visitor can read it, and WordPress nonces issued to logged-out visitors are not tied to a specific session.\n\n## 3. Code Flow\n1. **Entry Point:** An unauthenticated user sends a POST","The Subscriptions for WooCommerce plugin for WordPress (up to version 1.8.10) contains a missing authorization vulnerability in at least one AJAX handler reachable by unauthenticated users. The handler validates only the `wps_sfw_public_nonce` nonce, which is localized into every front-end page, so the nonce check does not restrict who can call it and no capability check is performed. The published CVSS vector (C:N\u002FI:L) records an integrity-only impact, so the settings-modification and cart-data-disclosure scenarios described in this research are inferences rather than confirmed findings; the recorded patch touched the public class, the Stripe SEPA gateway, the cart block script and translation files, but not the admin class in which `wps_sfw_save_settings` is placed below. Note also that the reconstructed fix below gates `wps_get_cart_item` behind `manage_woocommerce`, which would also reject the front-end `cart-line-items.js` call made by ordinary shoppers; the actual 1.9.0 change should be read from the Trac diff rather than from this reconstruction.","\u002F\u002F public\u002Fclass-subscriptions-for-woocommerce-public.php line 83-91\nwp_localize_script(\n\t$this->plugin_name,\n\t'sfw_public_param',\n\tarray(\n\t\t'ajaxurl' => admin_url( 'admin-ajax.php' ),\n\t\t'cart_url' => wc_get_cart_url(),\n\t\t'sfw_public_nonce'    => wp_create_nonce( 'wps_sfw_public_nonce' ),\n\t)\n);\n\n---\n\n\u002F\u002F wc-block\u002Fcart-line-items.js line 57-62\njQuery.ajax({\n\turl: sfw_public_block.ajaxurl,\n\ttype: \"POST\",\n\tdata: {\n\t\taction: \"wps_get_cart_item\",\n\t\tcart_key: cartKey,\n\t\tnonce: sfw_public_param.sfw_public_nonce,\n\t},","--- \u002Fpublic\u002Fclass-subscriptions-for-woocommerce-public.php\n+++ \u002Fpublic\u002Fclass-subscriptions-for-woocommerce-public.php\n@@ -2150,6 +2150,11 @@\n \t *\u002F\n \tpublic function wps_get_cart_item() {\n \t\tcheck_ajax_referer( 'wps_sfw_public_nonce', 'nonce' );\n+\n+\t\tif ( ! current_user_can( 'manage_woocommerce' ) ) {\n+\t\t\twp_send_json_error( array( 'message' => 'Unauthorized' ) );\n+\t\t}\n+\n \t\t$cart_key = isset( $_POST['cart_key'] ) ? 
sanitize_text_field( wp_unslash( $_POST['cart_key'] ) ) : '';\n \n--- \u002Fadmin\u002Fclass-subscriptions-for-woocommerce-admin.php\n+++ \u002Fadmin\u002Fclass-subscriptions-for-woocommerce-admin.php\n@@ -1298,6 +1298,11 @@\n \t *\u002F\n \tpublic function wps_sfw_save_settings() {\n \t\tcheck_ajax_referer( 'wps_sfw_public_nonce', 'nonce' );\n+\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'subscriptions-for-woocommerce' ) );\n+\t\t}\n+\n \t\t$settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();","1. Access the WordPress site as an unauthenticated visitor and view the source code of any page where the plugin is active.\n2. Locate the JavaScript object `sfw_public_param` and extract the value of `sfw_public_nonce` (e.g., from a `\u003Cscript>` tag).\n3. Prepare an AJAX POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using a vulnerable action such as `wps_sfw_save_settings` or `wps_get_cart_item`.\n4. Include the extracted nonce in the `nonce` parameter of the request body.\n5. For an attack on settings, include the desired configuration parameters in the payload. For data retrieval, use actions like `wps_get_cart_item` with a valid `cart_key`.\n6. 
Submit the request; a handler that is hooked for `nopriv` requests and performs only `check_ajax_referer( 'wps_sfw_public_nonce', 'nonce' )` will process the action, because a nonce tied to a public action string proves nothing about the caller's role and no `current_user_can()` check is present. Whether `wps_sfw_save_settings` is reachable this way is inferred rather than confirmed; `wps_get_cart_item` is the only handler corroborated by the plugin's own front-end script. To verify the fix, compare the same handler in the 1.9.0 tag against 1.8.10.","gemini-3-flash-preview","2026-04-18 03:47:35","2026-04-18 03:48:25",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.8.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsubscriptions-for-woocommerce\u002Ftags\u002F1.8.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsubscriptions-for-woocommerce.1.8.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsubscriptions-for-woocommerce\u002Ftags\u002F1.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsubscriptions-for-woocommerce.1.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsubscriptions-for-woocommerce\u002Ftags"]