[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwc0OCqzMl6Ta89nkdCfQO7OblvdZkTGCgL5Vmd2gLLE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39650","unitechpay-missing-authorization","UnitechPay \u003C= 1.0.2 - Missing Authorization","The UnitechPay plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.","unitechpay-paiements-mobile-money",null,"\u003C=1.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-15 00:00:00","2026-04-15 21:23:11",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd8cacd78-df1d-4c63-b051-3e02c45671cd?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39650 (UnitechPay)\n\n## 1. Vulnerability Summary\nThe **UnitechPay – Wave & Orange Money Payments** plugin (versions \u003C= 1.0.2) contains a **Missing Authorization** vulnerability. This typically occurs when a sensitive function (e.g., saving settings, updating order statuses, or exporting data) is hooked to `admin_init`, `wp_ajax_`, or `wp_ajax_nopriv_` but lacks a call to `current_user_can()`. \n\nBecause `admin_init` is triggered when accessing `wp-admin\u002Fadmin-ajax.php` (even for unauthenticated users), any logic inside an `admin_init` hook that processes `$_POST` data without a capability check is reachable by unauthenticated attackers.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (or any admin-area URL if `admin_init` is used).\n- **HTTP Method:** `POST`\n- **Payload Parameters:** Inferred parameters related to plugin settings (e.g., `unitechpay_merchant_id`, `unitechpay_secret_key`) or order status updates.\n- **Authentication:** None required (unauthenticated).\n- **Preconditions:** The plugin must be active. If the vulnerability is in settings modification, no specific content is needed. If it's in order status modification, a WooCommerce order must exist.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An unauthenticated user sends a `POST` request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2. **Hook Trigger:** WordPress core initializes and fires the `admin_init` hook.\n3. **Execution:** The plugin's vulnerable function (e.g., `unitechpay_save_settings` or `up_process_actions`) is executed because it is registered via `add_action( 'admin_init', ... )`.\n4. **Logic:** The function checks if specific `$_POST` keys exist. \n5. **Missing Check:** The function fails to verify `current_user_can( 'manage_options' )`.\n6. **Sink:** The function calls `update_option()` or `$wpdb->update()` using the attacker-supplied values.\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable function also performs a nonce check (e.g., `check_admin_referer` or `check_ajax_referer`) but still lacks authorization, the nonce must be obtained.\n\n1. **Find the Nonce Key:** Search the codebase for `wp_create_nonce` or `wp_localize_script`.\n2. **Identify the Variable:** Look for a pattern like:\n   ```php\n   wp_localize_script( 'unitechpay-admin-js', 'unitechpay_obj', [\n       'nonce' => wp_create_nonce( 'unitechpay_action' )\n   ]);\n   ```\n3. **Extraction:**\n   - Use `wp post create` to create a page with any shortcode provided by the plugin (check `add_shortcode`).\n   - Navigate to the page using `browser_navigate`.\n   - Execute `browser_eval(\"window.unitechpay_obj?.nonce\")` to extract the token.\n4. **Note:** If the check is in `admin_init`, it often lacks nonces entirely or uses one that is leaked in the admin dashboard (which might require a low-privileged account if not leaked on the frontend).\n\n## 5. Exploitation Strategy\n\n### Step 1: Identification\nSearch the plugin for the vulnerable hook:\n```bash\ngrep -rnE \"add_action\\s*\\(\\s*['\\\"](admin_init|wp_ajax_nopriv_|init)\" wp-content\u002Fplugins\u002Funitechpay-paiements-mobile-money\u002F\n```\nLook for functions that handle `$_POST` or `$_GET` and update settings.\n\n### Step 2: Crafting the Payload\nIf the vulnerability is a settings overwrite in `admin_init`:\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `unitechpay_merchant_id=ATTACKER_ID&unitechpay_secret_key=ATTACKER_SECRET&save_settings=1` (Exact keys must be confirmed from source).\n\n### Step 3: Execution\nUse the `http_request` tool to send the payload.\n\n## 6. Test Data Setup\n1. **Activate Plugin:** `wp plugin activate unitechpay-paiements-mobile-money`\n2. **Identify Options:** Determine what options the plugin uses (e.g., `wp option list | grep unitechpay`).\n3. **Create Order (Optional):** If the vulnerability affects order statuses:\n   - Install WooCommerce: `wp plugin install woocommerce --activate`\n   - Create a product and a dummy order.\n\n## 7. Expected Results\n- **Success:** The HTTP response returns a `200 OK` or `302 Redirect`.\n- **Impact:** The targeted WordPress options (e.g., merchant credentials) are changed to the values provided in the payload.\n\n## 8. Verification Steps\nAfter the exploit, verify the state using WP-CLI:\n```bash\n# Check if merchant ID was changed\nwp option get unitechpay_merchant_id\n\n# Check if secret key was changed\nwp option get unitechpay_secret_key\n```\n\n## 9. Alternative Approaches\nIf `admin_init` is not the entry point, investigate `wp_ajax_nopriv_` actions:\n1. List all nopriv actions:\n   ```bash\n   grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Funitechpay-paiements-mobile-money\u002F\n   ```\n2. For each action, check the callback function for `current_user_can`.\n3. If a callback is found without a check, attempt to trigger it via:\n   `POST \u002Fwp-admin\u002Fadmin-ajax.php?action=[ACTION_NAME]`\n   with the required parameters.","The UnitechPay plugin for WordPress is vulnerable to unauthorized access and configuration changes in versions up to 1.0.2. This is due to a missing capability check on a function hooked to admin_init, which allows unauthenticated attackers to modify plugin settings by sending crafted POST requests to the admin-ajax.php endpoint.","The vulnerability is exploited by sending an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php. This endpoint triggers the WordPress admin_init hook for all requests. Because the plugin's configuration-handling logic is hooked to admin_init without a call to current_user_can('manage_options'), an attacker can overwrite plugin settings (such as unitechpay_merchant_id or unitechpay_secret_key) by including them as parameters in the POST body. If the function also lacks a nonce check, no authentication or prior session is required.","gemini-3-flash-preview","2026-04-20 22:18:32","2026-04-20 22:19:01",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funitechpay-paiements-mobile-money\u002Ftags"]