[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIlJrHAOIeGiZ07qwbtl8-q6gT_jqU_WO2rR54U44PEw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-39488","surecart-missing-authorization","SureCart \u003C= 4.0.2 - Missing Authorization","The SureCart plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","surecart",null,"\u003C=4.0.2","4.0.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-26 00:00:00","2026-04-15 21:25:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1c3a29ec-16f0-4fad-b188-7a683d123bb8?source=api-prod",21,[22,23,24,25,26,27,28],"app\u002Fhelpers\u002Ftemplate-helpers.php","app\u002Fsrc\u002FAccount\u002FAccountService.php","app\u002Fsrc\u002FBlockLibrary\u002FURLParamService.php","app\u002Fsrc\u002FControllers\u002FRest\u002FBrandController.php","app\u002Fsrc\u002FControllers\u002FWeb\u002FBuyPageController.php","app\u002Fsrc\u002FControllers\u002FWeb\u002FDashboardController.php","app\u002Fsrc\u002FDatabase\u002FMigrationsServiceProvider.php","researched",false,3,"# Exploitation Research Plan: SureCart \u003C= 4.0.2 - Missing Authorization\n\n## 1. Vulnerability Summary\nThe SureCart plugin for WordPress (versions up to and including 4.0.2) is vulnerable to unauthorized access due to missing or insufficient capability checks on several REST API endpoints. Specifically, the `BrandController` lacks proper `permission_callback` restrictions (or uses a low-privilege check like `is_user_logged_in`), allowing authenticated users with **Contributor-level** permissions to modify store identity settings, such as the brand name, address, and logo.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fsurecart\u002Fv1\u002Fbrand`\n- **HTTP Method:** `POST` (triggers `edit`) or `DELETE` (triggers `purgeLogo`)\n- **Vulnerable Controller:** `SureCart\\Controllers\\Rest\\BrandController`\n- **Vulnerable Functions:** `edit(\\WP_REST_Request $request)` and `purgeLogo(\\WP_REST_Request $request)`\n- **Authentication:** Required (Contributor level)\n- **Nonce:** Required (`wp_rest` action nonce)\n- **Precondition:** The plugin must be installed and initialized.\n\n## 3. Code Flow\n1. **REST Registration (Inferred):** The plugin registers REST routes in a service provider. The `BrandController` methods are mapped to the `\u002Fsurecart\u002Fv1\u002Fbrand` endpoint.\n2. **Request Entry:** A Contributor user sends a `POST` request to `\u002Fwp-json\u002Fsurecart\u002Fv1\u002Fbrand`.\n3. **Authorization Check:** The `permission_callback` for this route fails to check for `manage_options` (Administrator) and instead allows any logged-in user or those with `read` \u002F `edit_posts` (Contributor) capabilities.\n4. **Execution (`edit`):** The `BrandController::edit` function is called.\n5. **Data Sink:** `edit` calls `Brand::with( [ 'address' ] )->update( $request->get_json_params() )`.\n6. **Persistence:** The `Brand` model updates the store information, affecting how the ecommerce store appears to all customers.\n\n## 4. Nonce Acquisition Strategy\nThe SureCart REST API uses the standard WordPress REST authentication, which requires an `X-WP-Nonce` header for authenticated requests. Since the attacker has Contributor access, they can obtain this nonce from the WordPress admin dashboard.\n\n1. **Login:** Authenticate as a Contributor user.\n2. **Navigate:** Use `browser_navigate` to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002F`.\n3. **Extract:** Use `browser_eval` to extract the REST nonce from the global `wpApiSettings` object.\n   - **JavaScript:** `window.wpApiSettings.nonce`\n4. **Action:** This nonce is valid for the `wp_rest` action and can be used in the `X-WP-Nonce` header for the exploit request.\n\n## 5. Exploitation Strategy\n\n### Step 1: Update Brand Information (Unauthorized Action)\nModify the store's brand name and address, which should be restricted to administrators.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fsurecart\u002Fv1\u002Fbrand`\n- **Method:** `POST`\n- **Headers:**\n    - `Content-Type: application\u002Fjson`\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Body:**\n```json\n{\n    \"name\": \"Exploited Store Name\",\n    \"address\": {\n        \"line_1\": \"1337 Hacker Way\",\n        \"city\": \"CyberCity\",\n        \"country\": \"US\"\n    }\n}\n```\n\n### Step 2: Purge Store Logo (Unauthorized Action)\nDelete the store's logo image.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fsurecart\u002Fv1\u002Fbrand\u002Flogo` (Inferred path for `purgeLogo`)\n- **Method:** `DELETE`\n- **Headers:**\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure SureCart is active.\n2. **User Creation:** Create a user with the `contributor` role.\n```bash\nwp user create attacker attacker@example.com --role=contributor --user_pass=password\n```\n3. **Initial State:** Observe the current Brand Name (usually the site name or \"SureCart Store\").\n\n## 7. Expected Results\n- The REST API should return a `200 OK` or `201 Created` response.\n- The response body should contain the updated brand object reflecting the \"Exploited Store Name\".\n- A request to `GET \u002Fwp-json\u002Fsurecart\u002Fv1\u002Fbrand` (even as a non-logged-in user) should show the modified brand data.\n\n## 8. Verification Steps\n1. **Check via WP-CLI:** Verify if the brand data in the database or cached options has changed.\n```bash\n# SureCart often stores account\u002Fbrand data in transients or options\nwp transient get surecart_account\nwp option get sc_previous_account\n```\n2. **Observe Frontend:** Visit the SureCart shop or checkout page (if configured) to see the \"Exploited Store Name\" in the header\u002Ffooter.\n\n## 9. Alternative Approaches\nIf the `BrandController` is not the target, check for the **\"Seed\"** functionality in `AccountService.php`. Seeding a store with dummy products and data is a high-impact \"unauthorized action.\"\n- **Alternative Target:** `\u002Fwp-json\u002Fsurecart\u002Fv1\u002Faccount\u002Fseed`\n- **Payload:** `{\"products\": [{\"name\": \"Malicious Product\", \"price\": 0}]}`\n- **Significance:** If a Contributor can seed the store, they can flood the database with arbitrary products and potentially manipulate pricing.","The SureCart plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks on REST API endpoints handled by the BrandController. Authenticated attackers with Contributor-level access or higher can exploit this to change store branding information, such as the business name and address, or delete the store logo.","\u002F\u002F app\u002Fsrc\u002FControllers\u002FRest\u002FBrandController.php line 27\npublic function edit( \\WP_REST_Request $request ) {\n\treturn Brand::with( [ 'address' ] )->update( $request->get_json_params() );\n}\n\n---\n\n\u002F\u002F app\u002Fsrc\u002FControllers\u002FRest\u002FBrandController.php line 38\npublic function purgeLogo( \\WP_REST_Request $request ) {\n\treturn Brand::with( [ 'address' ] )->where( $request->get_query_params() )->purgeLogo();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurecart\u002F4.0.2\u002Fapp\u002Fsrc\u002FControllers\u002FRest\u002FBrandController.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurecart\u002F4.0.3\u002Fapp\u002Fsrc\u002FControllers\u002FRest\u002FBrandController.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurecart\u002F4.0.2\u002Fapp\u002Fsrc\u002FControllers\u002FRest\u002FBrandController.php\t2023-08-31 20:37:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsurecart\u002F4.0.3\u002Fapp\u002Fsrc\u002FControllers\u002FRest\u002FBrandController.php\t2026-03-12 19:24:02.000000000 +0000\n@@ -16,7 +16,7 @@\n \t * @return \\WP_REST_Response|\\WP_Error\n \t *\u002F\n \tpublic function find( \\WP_REST_Request $request ) {\n-\t\treturn Brand::with( [ 'address' ] )->find();\n+\t\treturn Brand::with( [ 'address', 'logo', 'dark_logo' ] )->find();\n \t}\n \n \t\u002F**\n@@ -27,7 +27,7 @@\n \t * @return \\WP_REST_Response|\\WP_Error\n \t *\u002F\n \tpublic function edit( \\WP_REST_Request $request ) {\n-\t\treturn Brand::with( [ 'address' ] )->update( $request->get_json_params() );\n+\t\treturn Brand::with( [ 'address', 'logo', 'dark_logo' ] )->update( $request->get_json_params() );\n \t}\n \n \t\u002F**\n@@ -38,6 +38,6 @@\n \t * @return \\WP_REST_Response\n \t *\u002F\n \tpublic function purgeLogo( \\WP_REST_Request $request ) {\n-\t\treturn Brand::with( [ 'address' ] )->where( $request->get_query_params() )->purgeLogo();\n+\t\treturn Brand::with( [ 'address', 'logo', 'dark_logo' ] )->where( $request->get_query_params() )->purgeLogo();\n \t}\n }","The exploit target is the SureCart REST API, specifically endpoints managed by the BrandController. \n\n1. Authentication: The attacker must be authenticated to the WordPress site with at least Contributor-level privileges.\n2. Nonce Acquisition: The attacker retrieves a valid REST API nonce (X-WP-Nonce) from the WordPress dashboard, usually found in the `wpApiSettings.nonce` JavaScript variable.\n3. Brand Modification: The attacker sends a POST request to `\u002Fwp-json\u002Fsurecart\u002Fv1\u002Fbrand`. The payload includes a JSON object with keys like 'name' or 'address' to overwrite existing store settings. Because the endpoint lacks a restrictive permission_callback (e.g., one checking for `manage_options`), the request is authorized.\n4. Logo Deletion: The attacker can also send a DELETE request to `\u002Fwp-json\u002Fsurecart\u002Fv1\u002Fbrand\u002Flogo` to remove the existing store logo without authorization.","gemini-3-flash-preview","2026-04-17 22:46:29","2026-04-17 22:47:29",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsurecart\u002Ftags\u002F4.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurecart.4.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsurecart\u002Ftags\u002F4.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsurecart.4.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsurecart\u002Ftags"]