[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9HMa41OtIZ1k5liYZghFdWM7UjVsF4c7pGVyB8aTZ4s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-42776","sunshine-photo-cart-client-photo-gallery-photo-proofing-for-photographers-missing-authorization","Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers \u003C= 3.6.7 - Missing Authorization","The Sunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographers plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","sunshine-photo-cart",null,"\u003C=3.6.7","3.6.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-26 00:00:00","2026-05-26 19:46:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff9c0c44f-13bb-4e09-9edf-59be12d508a8?source=api-prod",1,[22,23,24,25,26,27],"assets\u002Fjs\u002Fstripe-processing.js","includes\u002Fadmin\u002Faddons.php","includes\u002Fadmin\u002Fclass-admin.php","includes\u002Fadmin\u002Fdashboard.php","includes\u002Fadmin\u002Fsunshine-gallery.php","includes\u002Fadmin\u002Fsunshine-order.php","researched",false,3,"This research plan outlines the technical steps to exploit a missing authorization vulnerability in Sunshine Photo Cart \u003C= 3.6.7.\n\n## 1. Vulnerability Summary\nThe **Sunshine Photo Cart** plugin for WordPress registers several AJAX handlers intended for administrative use using the `wp_ajax_` hook. In versions up to 3.6.7, specifically within the `SPC_Dashboard_Widget` class and likely the `SPC_Admin_Order` and `Sunshine_Admin` classes, these handlers lack proper capability checks (e.g., `current_user_can('manage_options')`). \n\nThis oversight allows any authenticated user, including those with **Subscriber** level permissions, to perform unauthorized actions such as viewing sensitive financial sales data or potentially modifying order and gallery metadata.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Authentication:** Subscriber-level account or higher.\n*   **Vulnerable Actions:**\n    *   `sunshine_dashboard_calculate_stats`: Discloses sales totals (Confidentiality).\n    *   `sunshine_order_save_notes`: Modifies order notes (Integrity - inferred from `sunshine-order.php`).\n    *   `sunshine_post_sort`: Reorders posts\u002Fgalleries (Integrity - inferred from `class-admin.php`).\n*   **Preconditions:** At least one order must exist in the system for the stats disclosure to be meaningful","The Sunshine Photo Cart plugin for WordPress is vulnerable to unauthorized access and data disclosure due to missing capability checks and nonce verification on several AJAX handlers and administrative functions. Authenticated attackers with subscriber-level permissions or higher can view sensitive financial sales data, reorder galleries\u002Fproducts, and potentially perform unauthorized gallery imports.","\u002F\u002F includes\u002Fadmin\u002Fdashboard.php line 109\n\tfunction calculate_stats() {\n\t\tglobal $wpdb;\n\n\t\t$data = get_transient( 'sunshine-dashboard-sales' );\n\n\t\tif ( empty( $data ) ) {\n---\n\u002F\u002F includes\u002Fadmin\u002Fclass-admin.php line 703\n\tpublic function term_sort() {\n\t\t$categories = sanitize_text_field( $_POST['categories'] );\n\t\t$categories = str_replace( 'tag-', '', $categories );\n\t\t$categories = explode( ',', $categories );\n\t\t$i          = 1;\n\n\t\tforeach ( $categories as $category_id ) {\n\t\t\tupdate_term_meta( $category_id, 'order', $i );\n\t\t\t$i++;\n\t\t}\n\t}\n\n\tpublic function post_sort() {\n\t\t$posts = sanitize_text_field( $_POST['posts'] );\n\t\t$posts = str_replace( 'post-', '', $posts );\n\t\t$posts = explode( ',', $posts );\n\t\t$i     = 1;\n\t\tforeach ( $posts as $post_id ) {\n\t\t\twp_update_post(\n\t\t\t\tarray(\n\t\t\t\t\t'ID'         => $post_id,\n\t\t\t\t\t'menu_order' => $i,\n\t\t\t\t)\n\t\t\t);\n\t\t\t$i++;\n\t\t}\n\t}\n---\n\u002F\u002F includes\u002Fadmin\u002Fclass-admin.php line 981\n\tpublic function show_post_debug() {\n\n\t\tif ( isset( $_GET['sunshine_debug'] ) && isset( $_GET['post'] ) ) {\n\t\t\t$meta = get_post_meta( intval( $_GET['post'] ) );\n\t\t\techo '\u003C!-- SUNSHINE DEBUG META -->';\n\t\t\tsunshine_dump_var( $meta );\n---\n\u002F\u002F includes\u002Fadmin\u002Fsunshine-gallery.php line 1703\nfunction sunshine_ajax_gallery_import_list() {\n\tif ( ! current_user_can( 'upload_files' ) ) {\n\t\twp_send_json_error(\n\t\t\tarray(\n\t\t\t\t'message' => __( 'You do not have permission to import images.', 'sunshine-photo-cart' ),\n\t\t\t)\n\t\t);\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsunshine-photo-cart\u002F3.6.7\u002Fincludes\u002Fadmin\u002Fclass-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsunshine-photo-cart\u002F3.6.8\u002Fincludes\u002Fadmin\u002Fclass-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsunshine-photo-cart\u002F3.6.7\u002Fincludes\u002Fadmin\u002Fclass-admin.php\t2026-04-27 18:42:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsunshine-photo-cart\u002F3.6.8\u002Fincludes\u002Fadmin\u002Fclass-admin.php\t2026-05-07 14:48:00.000000000 +0000\n@@ -701,23 +710,53 @@\n \t}\n \n \tpublic function term_sort() {\n-\t\t$categories = sanitize_text_field( $_POST['categories'] );\n+\t\tcheck_ajax_referer( 'sunshine_sort', 'security' );\n+\n+\t\tif ( ! current_user_can( 'sunshine_manage_options' ) ) {\n+\t\t\twp_send_json_error();\n+\t\t}\n+\n+\t\t$allowed_taxonomies = array( 'sunshine-product-category', 'sunshine-product-option' );\n+\n+\t\t$categories = isset( $_POST['categories'] ) ? sanitize_text_field( wp_unslash( $_POST['categories'] ) ) : '';\n \t\t$categories = str_replace( 'tag-', '', $categories );\n \t\t$categories = explode( ',', $categories );\n \t\t$i          = 1;\n \n \t\tforeach ( $categories as $category_id ) {\n+\t\t\t$category_id = absint( $category_id );\n+\t\t\tif ( ! $category_id ) {\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\t\t\t$term = get_term( $category_id );\n+\t\t\tif ( ! $term || is_wp_error( $term ) || ! in_array( $term->taxonomy, $allowed_taxonomies, true ) ) {\n+\t\t\t\tcontinue;\n+\t\t\t}\n \t\t\tupdate_term_meta( $category_id, 'order', $i );\n \t\t\t$i++;\n \t\t}\n+\n+\t\twp_send_json_success();\n \t}\n \n \tpublic function post_sort() {\n-\t\t$posts = sanitize_text_field( $_POST['posts'] );\n+\t\tcheck_ajax_referer( 'sunshine_sort', 'security' );\n+\n+\t\tif ( ! current_user_can( 'sunshine_manage_options' ) ) {\n+\t\t\twp_send_json_error();\n+\t\t}\n+\n+\t\t$allowed_post_types = array( 'sunshine-product', 'sunshine-gallery' );\n+\n+\t\t$posts = isset( $_POST['posts'] ) ? sanitize_text_field( wp_unslash( $_POST['posts'] ) ) : '';\n \t\t$posts = str_replace( 'post-', '', $posts );\n \t\t$posts = explode( ',', $posts );\n \t\t$i     = 1;\n \t\tforeach ( $posts as $post_id ) {\n+\t\t\t$post_id = absint( $post_id );\n+\t\t\tif ( ! $post_id || ! in_array( get_post_type( $post_id ), $allowed_post_types, true ) ) {\n+\t\t\t\tcontinue;\n+\t\t\t}\n \t\t\twp_update_post(\n \t\t\t\tarray(\n \t\t\t\t\t'ID'         => $post_id,\n@@ -726,6 +765,8 @@\n \t\t\t);\n \t\t\t$i++;\n \t\t}\n+\n+\t\twp_send_json_success();\n \t}\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsunshine-photo-cart\u002F3.6.7\u002Fincludes\u002Fadmin\u002Fdashboard.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsunshine-photo-cart\u002F3.6.8\u002Fincludes\u002Fadmin\u002Fdashboard.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsunshine-photo-cart\u002F3.6.7\u002Fincludes\u002Fadmin\u002Fdashboard.php\t2026-04-27 18:42:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsunshine-photo-cart\u002F3.6.8\u002Fincludes\u002Fadmin\u002Fdashboard.php\t2026-05-07 14:48:00.000000000 +0000\n@@ -109,6 +110,12 @@\n \tfunction calculate_stats() {\n \t\tglobal $wpdb;\n \n+\t\tcheck_ajax_referer( 'sunshine_dashboard', 'security' );\n+\n+\t\tif ( ! current_user_can( 'sunshine_manage_options' ) ) {\n+\t\t\twp_send_json_error();\n+\t\t}\n+\n \t\t$data = get_transient( 'sunshine-dashboard-sales' );\n \n \t\tif ( empty( $data ) ) {","To exploit this vulnerability, an attacker first authenticates as a Subscriber (or any other user role). They then send POST requests to the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint. To disclose sales data, the attacker sets the `action` parameter to `sunshine_dashboard_calculate_stats`. Because version 3.6.7 fails to check user capabilities or nonces for this action, the server will calculate and return financial statistics (current month, last month, and lifetime sales totals) in the JSON response. Similar unauthorized actions can be performed by targeting other vulnerable actions like `sunshine_post_sort` (to modify the order of galleries) or by accessing administrative URLs with the `sunshine_debug` parameter to leak metadata.","gemini-3-flash-preview","2026-06-04 20:59:29","2026-06-04 21:00:43",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","3.6.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsunshine-photo-cart\u002Ftags\u002F3.6.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsunshine-photo-cart.3.6.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsunshine-photo-cart\u002Ftags\u002F3.6.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsunshine-photo-cart.3.6.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsunshine-photo-cart\u002Ftags"]