[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fD_-NT-wZINAyQUCEFpg8fruh1Mmjin6bHsTvbTD2hj0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2025-68834","sync-master-sheet-product-sync-with-google-sheet-for-woocommerce-missing-authorization","Sync Master Sheet – Product Sync with Google Sheet for WooCommerce \u003C= 1.1.3 - Missing Authorization","The Sync Master Sheet – Product Sync with Google Sheet for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","product-sync-master-sheet",null,"\u003C=1.1.3","1.1.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-04 00:00:00","2026-02-09 21:36:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe821dc5b-7ff6-426f-9c38-8dea960bae0d?source=api-prod",6,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-68834 (Sync Master Sheet)\n\n## 1. Vulnerability Summary\nThe **Sync Master Sheet – Product Sync with Google Sheet for WooCommerce** plugin (\u003C= 1.1.3) contains a missing authorization vulnerability. Specifically, it registers one or more AJAX handlers using the `wp_ajax_nopriv_` hook, which allows unauthenticated access. These handlers perform sensitive actions (such as triggering product synchronization or potentially updating plugin settings) without verifying the user's capabilities via `current_user_can()` or adequately validating a nonce for session-bound security.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Vulnerable Action:** Likely `psms_sync_products` or `psms_save_settings` (inferred from plugin functionality).\n- **HTTP Method:** `POST`\n- **Payload Parameters:**\n  - `action`: The vulnerable AJAX action (e.g., `psms_sync_products`).\n  - `nonce`: (If required) A token retrieved from the frontend.\n  - Potential data parameters: `sheet_id`, `sync_type`, or configuration keys.\n- **Preconditions:** The plugin must be active. Some sync actions may require a valid Google Sheet ID to be configured, or the attacker may provide one in the request if the handler allows settings updates.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers AJAX hooks in the constructor of its main class or an admin class (e.g., `includes\u002Fclass-product-sync-master-sheet-admin.php` or `admin\u002Fclass-psms-admin.php`).\n   - Hook: `add_action( 'wp_ajax_nopriv_psms_sync_products', array( $this, 'psms_sync_products_callback' ) );`\n2. **Callback Execution:** The `psms_sync_products_callback` function is invoked.\n3. **Missing Check:** The function fails to call `if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }`.\n4. **Action Sink:** The function proceeds to trigger `Psms_Sync_Handler::start_sync()` or similar logic, leading to unauthorized modification of the site's product database based on remote Google Sheet data.\n\n## 4. Nonce Acquisition Strategy\nIf the handler uses `check_ajax_referer` or `wp_verify_nonce`, the nonce is likely exposed via `wp_localize_script`.\n\n1. **Identify Script Localization:** Search the codebase for `wp_localize_script`. Look for a variable name like `psms_ajax_obj` or `psms_vars`.\n2. **Determine Page Trigger:** Identify which page\u002Fshortcode enqueues this script. It is likely the main WooCommerce shop page or a specific product page.\n3. **Creation of Test Page:**\n   ```bash\n   # Check for shortcodes\n   grep -r \"add_shortcode\" .\n   # If a shortcode like [psms_sync_button] exists:\n   wp post create --post_type=page --post_status=publish --post_title=\"Sync Test\" --post_content='[psms_sync_button]'\n   ```\n4. **Extraction:**\n   - Navigate to the page using `browser_navigate`.\n   - Execute: `browser_eval(\"window.psms_ajax_obj?.nonce\")` (Verify variable name in source).\n\n## 5. Exploitation Strategy\n\n### Step 1: Discover the exact AJAX action\nSince source files are not provided, the agent must first identify the vulnerable hook.\n```bash\ngrep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fproduct-sync-master-sheet\u002F\n```\n\n### Step 2: Analyze the callback\nExamine the callback function for the identified action. Check for `current_user_can` and identify required parameters.\n```bash\n# Example if the action is psms_sync_products\ngrep -r \"function psms_sync_products\" wp-content\u002Fplugins\u002Fproduct-sync-master-sheet\u002F\n```\n\n### Step 3: Craft the Exploit Request\nAssuming the action is `psms_sync_products` and it triggers a sync:\n\n**HTTP Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `action=psms_sync_products&nonce=\u003CEXTRACTED_NONCE>&any_other_param=value`\n\n### Step 4: Unauthorized Settings Modification (If applicable)\nIf a handler like `psms_save_settings` is exposed:\n**Body:** `action=psms_save_settings&nonce=\u003CNONCE>&psms_google_sheet_id=MALICIOUS_SHEET_ID`\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `product-sync-master-sheet` version 1.1.3 is installed.\n2. **WooCommerce Setup:** Ensure WooCommerce is installed and active, as the plugin depends on it.\n3. **Configuration:** (Optional) Add a dummy Google Sheet ID in the plugin settings via WP-CLI to simulate a configured environment:\n   ```bash\n   wp option update psms_settings '{\"sheet_id\":\"1A2B3C4D5E\", \"sync_enabled\":\"yes\"}' --format=json\n   ```\n\n## 7. Expected Results\n- **Success Response:** The server returns a `200 OK` with a JSON body such as `{\"success\":true, \"data\":\"Sync started\"}` or `{\"status\":\"updated\"}`.\n- **Action Taken:** The plugin initiates a network request to Google APIs (observable in logs) or modifies WooCommerce product data. If settings are the target, the `psms_settings` option in the database will be changed.\n\n## 8. Verification Steps\nAfter sending the HTTP request, use WP-CLI to verify the state:\n1. **Check Options:**\n   ```bash\n   wp option get psms_settings\n   ```\n2. **Check Sync Logs (if any):**\n   ```bash\n   wp post list --post_type=product --orderby=post_modified --posts_per_page=5\n   ```\n   (Verify if products were updated at the timestamp of the exploit).\n\n## 9. Alternative Approaches\nIf no `wp_ajax_nopriv_` hooks are found, check for:\n- **REST API Routes:** `grep -r \"register_rest_route\"` and look for routes missing the `permission_callback` or using `__return_true`.\n- **`admin_init` Hooks:** Search for code running on `admin_init` without `is_admin()` or capability checks. `admin-ajax.php` triggers `admin_init` even for unauthenticated users.\n- **Generic Nonces:** If `check_ajax_referer( 'psms_nonce', ... )` is used, check if the `psms_nonce` is leaked on the frontend for all visitors.","gemini-3-flash-preview","2026-04-27 15:58:15","2026-04-27 16:00:14",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","1.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-sync-master-sheet\u002Ftags\u002F1.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fproduct-sync-master-sheet.1.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-sync-master-sheet\u002Ftags\u002F1.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fproduct-sync-master-sheet.1.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-sync-master-sheet\u002Ftags"]