[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQhcpxZTHSU8CLPdp14f2MpdpvVApwXtf42IPzmH3Unw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24583","sumup-payment-gateway-for-woocommerce-missing-authorization","SumUp Payment Gateway For WooCommerce \u003C= 2.7.9 - Missing Authorization","The SumUp Payment Gateway For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.","sumup-payment-gateway-for-woocommerce",null,"\u003C=2.7.9","2.7.10","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-19 00:00:00","2026-02-06 20:20:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6576aa18-0f30-407b-a651-127d216097f5?source=api-prod",19,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-24583\n\n## 1. 
Vulnerability Summary\nThe **SumUp Payment Gateway For WooCommerce** plugin (versions \u003C= 2.7.9) contains a missing authorization vulnerability (Wordfence advisory, CVSS 3.1 score 5.3, vector C:N\u002FI:L\u002FA:N, i.e. an unauthenticated low integrity impact with no confidentiality or availability impact). The advisory text reproduced on this page names neither the handler nor the action. The working hypothesis below is that an AJAX handler for an administrative action is registered on the `wp_ajax_nopriv_` hook without a `current_user_can()` check, so unauthenticated users can trigger it and disrupt the payment gateway configuration (e.g., disconnecting the merchant account or modifying settings). Everything that follows is inferred and must be confirmed against the 2.7.9 source before any request is sent.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `sumup_disconnect` (inferred as the most likely candidate for a CVSS 5.3 unauthorized action in this plugin; confirm the real name with `grep -rn \"wp_ajax_nopriv_\" .` in the unpacked 2.7.9 zip and diff the result against 2.7.10).\n- **HTTP Method**: `POST`\n- **Parameters**: \n    - `action`: `sumup_disconnect`\n    - `security` or `nonce`: needed only if the handler verifies a nonce. A nonce is a CSRF token, not an authorization control: if the plugin localizes it onto a page that logged-out visitors can load, they can read it there and the nonce check adds nothing.\n- **Preconditions**: The plugin must be active and configured with a merchant account for the impact to be observable.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point**: The plugin registers AJAX handlers in a class like `SumUp_Payment_Gateway_Wc_Admin` (likely in `includes\u002Fclass-sumup-payment-gateway-wc-admin.php`).\n2. **Hook Registration**:\n   ```php\n   add_action( 'wp_ajax_sumup_disconnect', array( $this, 'sumup_disconnect' ) );\n   add_action( 'wp_ajax_nopriv_sumup_disconnect', array( $this, 'sumup_disconnect' ) ); \u002F\u002F Vulnerability: nopriv access\n   ```\n3. **Vulnerable Function**: The `sumup_disconnect()` function executes.\n4. **Missing Check**: The function likely performs `update_option( 'woocommerce_sumup_settings', ... )` to clear credentials but fails to check `current_user_can( 'manage_options' )`. Dropping the `nopriv` registration alone would not be a complete fix, since the `wp_ajax_` hook fires for any logged-in user, subscribers included; the capability check is the control that matters.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this unauthenticated, we must determine whether `sumup_disconnect` verifies a nonce and, if so, whether that nonce is exposed to logged-out users.\n\n1. 
**Identify Script Enqueuing**: Search for `wp_localize_script` in the plugin codebase to find where the nonce is sent to the client.\n2. **Search Targets**:\n   - WooCommerce Checkout Page: If the plugin enqueues scripts on the frontend for payment processing.\n   - Admin Pages: If the nonce is only in the admin, the vulnerability might require a higher-privilege user to visit a page (CSRF), or the developer might have mistakenly enqueued it on the frontend.\n3. **Extraction Steps**:\n   - **Step 1**: Create a test page containing the WooCommerce Checkout shortcode (where the plugin is active).\n     `wp post create --post_type=page --post_status=publish --post_content='[woocommerce_checkout]'`\n   - **Step 2**: Use `browser_navigate` to the new page.\n   - **Step 3**: Use `browser_eval` to find the localization object. Look for `sumup_params` or `sumup_admin_params`.\n     `browser_eval(\"window.sumup_params?.nonce || window.sumup_admin_params?.nonce\")`\n4. **Bypass Check**: Check if the code uses `check_ajax_referer( 'sumup_nonce', 'security', false )` without checking the return value. If so, any value (or no value) will work.\n\n## 5. Exploitation Strategy\n1. **Goal**: Trigger the `sumup_disconnect` action to clear the gateway configuration.\n2. **Request Construction**:\n   - **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method**: `POST`\n   - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body**: `action=sumup_disconnect&security=[NONCE_OBTAINED_ABOVE]`\n3. **Alternative Payload**: If `sumup_disconnect` isn't the target, use `grep -r \"wp_ajax_nopriv\" .` to identify the correct action name (e.g., `sumup_save_settings`).\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure version 2.7.9 is installed.\n2. **Configure WooCommerce**:\n   - Enable the SumUp Payment Gateway.\n   - Set dummy API keys or a Merchant ID in `WooCommerce > Settings > Payments > SumUp`.\n3. 
**Create Landing Page**:\n   - `wp post create --post_type=page --post_title=\"Checkout\" --post_status=publish --post_content='[woocommerce_checkout]'`\n   - Record the URL for nonce extraction.\n\n## 7. Expected Results\n- **HTTP Response**: `200 OK` with a JSON body such as `{\"success\": true}` from `wp_send_json_success()`, or a bare `1` from an older handler that echoes manually. A bare `0` with HTTP 400 means no `wp_ajax_nopriv_` handler is registered for that action at all (wrong action name, or the installed version does not register it for logged-out users), so the hypothesis needs revisiting, not the nonce.\n- **System Impact**: The `woocommerce_sumup_settings` option in the `wp_options` table will be modified or cleared.\n- **Frontend Impact**: The SumUp payment method will no longer be functional on the checkout page because the merchant is \"disconnected\".\n\n## 8. Verification Steps\n1. **Check Options via CLI**:\n   `wp option get woocommerce_sumup_settings`\n   Verify that sensitive fields (like `merchant_id`, `access_token`, or `app_id`) are now empty or the option is deleted. Capture the value before the request as well, so the change is attributable to the request and not to the setup.\n2. **Check Admin UI**:\n   Navigate to the SumUp settings page and verify the account shows as \"Disconnected\" or prompts for login.\n\n## 9. Alternative Approaches\n- **Missing Nonce**: If no nonce is verified in the `sumup_disconnect` function, the attack can be performed with a simple `action=sumup_disconnect` POST request with no security parameter.\n- **REST API Route**: Search for `register_rest_route` with `permission_callback` set to `__return_true`. If a REST route exists for disconnection, the exploit would target it (a hypothetical path such as `\u002Fwp-json\u002Fsumup\u002Fv1\u002Fdisconnect`) instead of `admin-ajax.php`.\n- **Action Guessing**: If `sumup_disconnect` is not the vulnerable action, read the real names out of the `wp_ajax_nopriv_` registrations rather than probing blindly; plausible candidates (guesses, none confirmed against the source) include:\n    - `sumup_save_api_keys`\n    - `sumup_oauth_disconnect`\n    - `sumup_verify_token`","According to this automated and unverified analysis, the SumUp Payment Gateway For WooCommerce plugin (\u003C= 2.7.9) fails to enforce a capability check on a sensitive AJAX handler; the account disconnection handler is the inferred candidate, not a confirmed one. 
By registering actions using the 'wp_ajax_nopriv_' hook without subsequent capability validation, the plugin allows unauthenticated attackers to clear gateway configurations and disconnect the merchant account.","\u002F\u002F includes\u002Fclass-sumup-payment-gateway-wc-admin.php (approximate)\n\n\u002F\u002F Action registered for both logged-in and logged-out users\nadd_action( 'wp_ajax_sumup_disconnect', array( $this, 'sumup_disconnect' ) );\nadd_action( 'wp_ajax_nopriv_sumup_disconnect', array( $this, 'sumup_disconnect' ) );\n\n---\n\n\u002F\u002F includes\u002Fclass-sumup-payment-gateway-wc-admin.php (approximate)\n\npublic function sumup_disconnect() {\n    \u002F\u002F The function executes administrative actions without checking current_user_can()\n    $settings = get_option( 'woocommerce_sumup_settings' );\n    $settings['access_token'] = '';\n    $settings['merchant_id'] = '';\n    update_option( 'woocommerce_sumup_settings', $settings );\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002Fclass-sumup-payment-gateway-wc-admin.php\n+++ b\u002Fincludes\u002Fclass-sumup-payment-gateway-wc-admin.php\n@@ -10,1 +10,1 @@\n add_action( 'wp_ajax_sumup_disconnect', array( $this, 'sumup_disconnect' ) );\n-add_action( 'wp_ajax_nopriv_sumup_disconnect', array( $this, 'sumup_disconnect' ) );\n \n public function sumup_disconnect() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized', 403 );\n+    }\n+    check_ajax_referer( 'sumup_disconnect_nonce', 'security' );","1. Identify the AJAX action (e.g., 'sumup_disconnect') that the plugin exposes via the 'wp_ajax_nopriv_' hook in the admin controller.\n2. Locate a valid nonce if the plugin verifies one via check_ajax_referer. Nonces for this plugin are often found by inspecting localized JavaScript variables (like 'sumup_params') on the WooCommerce checkout page or login pages.\n3. 
Construct a POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to 'sumup_disconnect' and, if the handler verifies a nonce, the 'security' parameter set to the extracted nonce (omit it when no nonce is verified).\n4. Execute the request as an unauthenticated user, i.e. with no WordPress cookies. If the handler behaves as inferred, the server returns a JSON success response and the WooCommerce SumUp settings in the database are wiped, disabling the payment gateway; confirm with 'wp option get woocommerce_sumup_settings' before and after the request. A bare '0' with HTTP 400 means no 'wp_ajax_nopriv_' handler exists for that action and the inferred action name is wrong.","gemini-3-flash-preview","2026-05-05 06:16:26","2026-05-05 06:17:47",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.7.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsumup-payment-gateway-for-woocommerce\u002Ftags\u002F2.7.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsumup-payment-gateway-for-woocommerce.2.7.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsumup-payment-gateway-for-woocommerce\u002Ftags\u002F2.7.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsumup-payment-gateway-for-woocommerce.2.7.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsumup-payment-gateway-for-woocommerce\u002Ftags"]
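Review bot: the hunk header `@@ -10,1 +10,1 @@` on the research_fix_diff above declares a one-line hunk, but the body carries three unchanged lines plus one removed line on the old side and three unchanged plus four added lines on the new side, so `git apply` or `patch` will reject it; it should read `@@ -10,4 +10,7 @@`, or the header should be dropped if the diff is only illustrative (it is marked approximate). On the logic: removing the `wp_ajax_nopriv_` registration alone would still leave the handler reachable by any logged-in account, because the remaining `wp_ajax_` hook fires for every authenticated user, so the added `current_user_can( 'manage_options' )` gate is the control that matters and must stay regardless of the nopriv line. `wp_send_json_error()` ends the request through `wp_die()`, so no `return` is needed after it. The hunk is also cut off before the rest of the function body, so the `update_option()` call shown in research_vulnerable_code is not visible as trailing context; a real patch would include it.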
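The research plan (sections 5.3 and 9) falls back to `grep -r "wp_ajax_nopriv" .` to find the real action name, and section 4.4 points out that a non-fatal `check_ajax_referer( ..., false )` whose result is ignored is no check at all. The Python below is an added example, not code from this page, from the Wordfence advisory or from the SumUp plugin: a small static triage script that does that grep properly, resolving each `wp_ajax_nopriv_` registration to its handler and reporting whether the handler calls `current_user_can()` or verifies a nonce. `SAMPLE_PHP` is a constructed sample of the inferred pattern; the class, action and method names in it are assumptions. Feed `audit_ajax_handlers()` the concatenated `.php` files of the unpacked 2.7.9 zip to replace the guessed `sumup_disconnect` with whatever the source actually registers, then run the same over 2.7.10 to see which registration or check changed.

```python
"""Static triage for WordPress admin-ajax handlers reachable without login.

Added example, not code from this page or from the SumUp plugin. It finds every
add_action( 'wp_ajax_nopriv_<action>', ... ) in PHP source, resolves the callback and
reports whether that method calls current_user_can() or verifies a nonce. SAMPLE_PHP
is a constructed sample of the inferred pattern; every name in it is an assumption.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# add_action( 'wp_ajax_[nopriv_]<action>', <cb> ) with <cb> written as
# array( $this, 'm' ), [ $this, 'm' ] or a plain 'function_name' string.
_HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>\w+)['\"]\s*,\s*"
    r"(?:array\(\s*\$this\s*,\s*['\"](?P<m1>\w+)['\"]\s*\)"
    r"|\[\s*\$this\s*,\s*['\"](?P<m2>\w+)['\"]\s*\]"
    r"|['\"](?P<m3>\w+)['\"])")
# check_ajax_referer( ..., false ); as a bare statement: $die is false and the boolean
# result is discarded, so the handler runs whatever the nonce was (plan section 4.4).
_UNCHECKED_NONCE_RE = re.compile(r"^\s*check_ajax_referer\s*\([^;]*,\s*false\s*\)\s*;", re.M)


@dataclass
class Finding:
    action: str
    handler: str
    nopriv: bool           # registered on wp_ajax_nopriv_, i.e. reachable logged out
    has_cap_check: bool    # current_user_can() appears in the handler body
    has_nonce_check: bool  # check_ajax_referer()/wp_verify_nonce() appears in the body
    nonce_unchecked: bool  # nonce verified non-fatally and the result thrown away

    @property
    def missing_authorization(self) -> bool:
        return self.nopriv and not self.has_cap_check


def _function_body(src: str, name: str) -> str | None:
    """Text between the braces of `function name(...) { ... }`, found by brace matching."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit_ajax_handlers(src: str) -> list[Finding]:
    """One Finding per action; wp_ajax_ and wp_ajax_nopriv_ registrations of the same
    action are merged, with nopriv True if either form exists."""
    found: dict[str, Finding] = {}
    for m in _HOOK_RE.finditer(src):
        handler = m.group("m1") or m.group("m2") or m.group("m3")
        body = _function_body(src, handler) or ""   # "" when the callback is not in src
        f = Finding(
            action=m.group("action"), handler=handler,
            nopriv=m.group("nopriv") is not None,
            has_cap_check=re.search(r"current_user_can\s*\(", body) is not None,
            has_nonce_check=re.search(r"(check_ajax_referer|wp_verify_nonce)\s*\(", body) is not None,
            nonce_unchecked=_UNCHECKED_NONCE_RE.search(body) is not None)
        if f.action in found:
            found[f.action].nopriv |= f.nopriv
        else:
            found[f.action] = f
    return list(found.values())


def missing_authorization(src: str) -> list[str]:
    """Actions an unauthenticated POST to admin-ajax.php reaches with no capability
    check; each is a lead to read, not a verdict (see the note below the block)."""
    return [f.action for f in audit_ajax_handlers(src) if f.missing_authorization]


# Constructed sample (not the plugin's code); class, action and method names are assumptions.
SAMPLE_PHP = r"""<?php
class Sample_Gateway_Admin {
    public function __construct() {
        add_action( 'wp_ajax_sample_disconnect', array( $this, 'disconnect' ) );
        add_action( 'wp_ajax_nopriv_sample_disconnect', array( $this, 'disconnect' ) );
        add_action( 'wp_ajax_nopriv_sample_ping', [ $this, 'ping' ] );
        add_action( 'wp_ajax_sample_save', array( $this, 'save' ) );
    }
    public function disconnect() {
        check_ajax_referer( 'sample_nonce', 'security', false ); // result ignored
        $s = get_option( 'woocommerce_sample_settings' );
        $s['access_token'] = '';
        update_option( 'woocommerce_sample_settings', $s );
        wp_send_json_success();
    }
    public function ping() { wp_send_json_success( array( 'pong' => true ) ); }
    public function save() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'Unauthorized', 403 );
        }
        check_ajax_referer( 'sample_nonce', 'security' );
        update_option( 'woocommerce_sample_settings', $_POST['settings'] );
        wp_send_json_success();
    }
}
"""

if __name__ == "__main__":
    print(missing_authorization(SAMPLE_PHP))
```

Concatenating a plugin's `.php` files before calling `audit_ajax_handlers()` lets a hook registered in one file resolve to a handler defined in another; the trade-off is that two classes defining a method of the same name resolve to whichever appears first, so treat a hit as a lead to read, not a verdict. A handler flagged here that only returns public data (the `sample_ping` case) is not a vulnerability; one that calls `update_option()` or `delete_option()` from a `nopriv` hook with no capability check (the `sample_disconnect` case) is the bug class this page describes, and the ignored `check_ajax_referer( ..., false )` in it is why a nonce parameter would not even need to be correct.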