[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhC4sWEVr_V6Xg_l5Dj32U05ol15akYQDZY4mYmmzFiQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-49110","upsell-funnel-builder-for-woocommerce-create-upsells-cross-sells-order-bumps-frequently-bought-and-popups-missing-author","Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. \u003C= 3.1.4 - Missing Authorization","The Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.1.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.","upsell-order-bump-offer-for-woocommerce",null,"\u003C=3.1.4","3.1.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-04 00:00:00","2026-06-10 17:56:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F77d66c35-7606-4ba0-a070-4a26eba0fa36?source=api-prod",7,[22,23,24,25,26,27,28,29],"includes\u002Fclass-upsell-order-bump-offer-for-woocommerce.php","languages\u002Fupsell-order-bump-offer-for-woocommerce-en_US.po","languages\u002Fupsell-order-bump-offer-for-woocommerce.pot","public\u002Fclass-upsell-order-bump-offer-for-woocommerce-public.php","public\u002Fjs\u002Fwps_ubo_lite_fbt.js","public\u002Fjs\u002Fwps_ubo_lite_public_cart_script.js","readme.txt","upsell-order-bump-offer-for-woocommerce.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-49110\n\n## 1. Vulnerability Summary\n**Vulnerability Name:** Unauthenticated Price Manipulation \u002F Unauthorized Cart Action\n**CVE ID:** CVE-2026-49110\n**Affected Plugin:** Upsell Funnel Builder for WooCommerce (slug: `upsell-order-bump-offer-for-woocommerce`)\n**Affected Versions:** \u003C= 3.1.4\n**Vulnerability Type:** Missing Authorization\n**Description:** The plugin registers several AJAX actions that lack proper capability checks and nonce verification. Specifically, the \"Frequently Bought Together\" (FBT) functionality allows unauthenticated users to trigger the `add_to_cart_fbt_product` action. Because the server trusts client-provided price parameters (e.g., `wps_discount_price`) without verifying them against the database or requiring administrative privileges, an attacker can add products to their cart at arbitrary prices.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `add_to_cart_fbt_product` (and potentially `add_cart_discount_offer_in_cart`)\n- **Method:** POST\n- **Authentication:** Unauthenticated (`nopriv` AJAX hook)\n- **Vulnerable Parameters:** \n    - `wps_product_id`: Array of product IDs to add to cart.\n    - `wps_discount_price`: The arbitrary price value to be applied to the products.\n    - `wps_main_prod_id`: The ID of the trigger product.\n\n## 3. Code Flow\n1. **Registration:** The plugin initializes `Upsell_Order_Bump_Offer_For_Woocommerce_Public`.\n2. **Hooking:** Inside the public class, the action `wp_ajax_nopriv_add_to_cart_fbt_product` is hooked to a handler function (e.g., `wps_ubo_add_to_cart_fbt_product`).\n3. **JS Invocation:** In `public\u002Fjs\u002Fwps_ubo_lite_fbt.js`, the AJAX request is defined. Note that at line 17, the nonce is explicitly commented out: `\u002F\u002F nonce: wps_ubo_lite_public_fbt.auth_nonce`.\n4. **Processing:** The PHP handler (located in `public\u002Fclass-upsell-order-bump-offer-for-woocommerce-public.php`) receives the POST data.\n5. **Sink:** The handler likely calls `WC()->cart->add_to_cart()` or a similar function, passing the `wps_discount_price` directly into the cart item data without validating if the current user is authorized to receive that specific discount or if the discount value is legitimate.\n\n## 4. Nonce Acquisition Strategy\nBased on `public\u002Fjs\u002Fwps_ubo_lite_fbt.js`, the nonce check for the FBT action appears to be entirely disabled or missing in version 3.1.4.\n\nIf a nonce is required by the server-side handler despite being commented out in the JS:\n1. **Shortcode Identification:** Identify a page containing the FBT offer. The plugin uses the shortcode `[wps_bump_offer_shortcode]` or displays offers automatically on product pages.\n2. **Page Creation:** Create a test environment page: `wp post create --post_type=page --post_status=publish --post_content='[wps_bump_offer_shortcode]'`\n3. **Extraction:**\n   - Navigate to the page.\n   - Use `browser_eval` to check the localization object: `window.wps_ubo_lite_public_fbt?.auth_nonce`.\n   - The localized variable is registered in `public\u002Fclass-upsell-order-bump-offer-for-woocommerce-public.php` via `wp_localize_script`.\n\n## 5. Exploitation Strategy\nThe goal is to add a high-value product to the cart for a nominal price (e.g., $0.01).\n\n**Step-by-Step Methodology:**\n1. **Discovery:** Identify a valid product ID (`wps_product_id`).\n2. **Request Formulation:** Send a POST request to the AJAX endpoint.\n   - **URL:** `http:\u002F\u002Fexample.com\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Content-Type:** `application\u002Fx-www-form-urlencoded`\n   - **Body:**\n     ```text\n     action=add_to_cart_fbt_product&wps_product_id[]=ID_OF_EXPENSIVE_PRODUCT&wps_discount_price=0.01&wps_main_prod_id=ID_OF_ANY_PRODUCT\n     ```\n3. **Verification:** Observe the response. A success response (`{\"success\": true}` or similar) suggests the product was added.\n\n## 6. Test Data Setup\n1. **WooCommerce Installation:** Ensure WooCommerce is active.\n2. **Product Creation:**\n   ```bash\n   wp post create --post_type=product --post_title=\"Expensive Item\" --post_status=publish\n   wp post create --post_type=product --post_title=\"Trigger Item\" --post_status=publish\n   # Note the IDs of both products\n   ```\n3. **Plugin Config:** Ensure \"Frequently Bought Together\" is enabled in the plugin settings.\n\n## 7. Expected Results\n- **HTTP Response:** A JSON object indicating success.\n- **Cart State:** The cart should now contain the \"Expensive Item\" with a unit price of $0.01.\n- **Access Control Bypass:** The operation succeeds without any session cookies or Authorization headers.\n\n## 8. Verification Steps\n1. **Check Cart via Browser:** Navigate to `example.com\u002Fcart` and verify the product price.\n2. **Check Cart via CLI:** \n   Since cart data is session-based, browser verification is preferred. However, one can check the WooCommerce logs or the `wp_woocommerce_sessions` table in the database if the session ID is known.\n   ```bash\n   wp db query \"SELECT * FROM wp_woocommerce_sessions WHERE session_key = 'YOUR_SESSION_ID'\"\n   ```\n\n## 9. Alternative Approaches\nIf `add_to_cart_fbt_product` is patched or restricted:\n- **Investigate `add_cart_discount_offer_in_cart`:** This action (seen in `public\u002Fjs\u002Fwps_ubo_lite_public_cart_script.js`) also takes a price parameter `wps_cart_offer_product_price`.\n- **Payload:**\n  ```text\n  action=add_cart_discount_offer_in_cart&parent_product_id=ID&wps_cart_offer_product_id_value=ID&wps_cart_offer_product_price=0.01&wps_cart_offer_quantity_value=1\n  ```\n- **Nonce Requirement:** This action uses `wps_ubo_lite_public_cart.auth_nonce`. If this is required, extract it from the cart page source using `browser_eval(\"wps_ubo_lite_public_cart.auth_nonce\")`.","The plugin is vulnerable to unauthorized price manipulation due to missing authorization and nonce checks on its AJAX handlers for adding 'Frequently Bought Together' products and cart offers. Unauthenticated attackers can exploit this to add any product to their cart at an arbitrary price by supplying a custom price parameter in the request.","\u002F\u002F public\u002Fjs\u002Fwps_ubo_lite_fbt.js\njQuery.ajax(\n    {\n        type: 'post',\n        dataType: 'json',\n        url: wps_ubo_lite_public_fbt.ajaxurl,\n        data: {\n            \u002F\u002F nonce: wps_ubo_lite_public_fbt.auth_nonce,\n            action: 'add_to_cart_fbt_product',\n            wps_product_id : wps_all_product_id,\n            wps_discount_price: wps_fbt_discount_price,\n            wps_main_prod_id : wps_main_prod_id,\n        },\n        success: function (msg) {\n            alert( 'Product Added!!' );\n        }\n    }\n);\n\n---\n\n\u002F\u002F public\u002Fjs\u002Fwps_ubo_lite_public_cart_script.js\njQuery.ajax(\n    {\n        type: 'post',\n        dataType: 'json',\n        url: wps_ubo_lite_public_cart.ajaxurl,\n        data: {\n            nonce: wps_ubo_lite_public_cart.auth_nonce,\n            action: 'add_cart_discount_offer_in_cart',\n            parent_product_id: parent_product_id,\n            child_product_id: child_variation_id,\n            wps_cart_offer_quantity_value: wps_cart_offer_quantity_value,\n            wps_cart_offer_product_id_value: wps_cart_offer_product_id_value,\n            wps_cart_offer_product_price: wps_cart_offer_product_price\n        },\n        success: function (msg) {\n            $( document.body ).trigger( 'added_to_cart', {} );\n            $( document.body ).trigger( 'update_checkout' );\n        }\n    }\n);","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fupsell-order-bump-offer-for-woocommerce\u002F3.1.4\u002Fincludes\u002Fclass-upsell-order-bump-offer-for-woocommerce.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fupsell-order-bump-offer-for-woocommerce\u002F3.1.5\u002Fincludes\u002Fclass-upsell-order-bump-offer-for-woocommerce.php\n@@ -78,7 +78,7 @@\n \t\tif ( defined( 'UPSELL_ORDER_BUMP_OFFER_FOR_WOOCOMMERCE_VERSION' ) ) {\n \t\t\t$this->version = UPSELL_ORDER_BUMP_OFFER_FOR_WOOCOMMERCE_VERSION;\n \t\t} else {\n-\t\t\t$this->version = '3.1.4';\n+\t\t\t$this->version = '3.1.5';\n \t\t}\n \t\t$this->plugin_name = 'upsell-order-bump-offer-for-woocommerce';\n\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fupsell-order-bump-offer-for-woocommerce\u002F3.1.4\u002Flanguages\u002Fupsell-order-bump-offer-for-woocommerce-en_US.po\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fupsell-order-bump-offer-for-woocommerce\u002F3.1.5\u002Flanguages\u002Fupsell-order-bump-offer-for-woocommerce-en_US.po\n+#: public\u002Fclass-upsell-order-bump-offer-for-woocommerce-public.php:2563\n+msgid \"Invalid cart offer request.\"\n+msgstr \"\"\n+\n+#: public\u002Fclass-upsell-order-bump-offer-for-woocommerce-public.php:2577\n+msgid \"Invalid cart offer product.\"\n+msgstr \"\"\n+\n+#: public\u002Fclass-upsell-order-bump-offer-for-woocommerce-public.php:2748\n+msgid \"Invalid frequently bought together request.\"\n+msgstr \"\"","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php using the add_to_cart_fbt_product action. An unauthenticated attacker can identify a high-value product ID (wps_product_id) and construct a POST request that includes an arbitrary price value in the wps_discount_price parameter. Because the plugin's server-side handler for this unauthenticated action does not verify the integrity of the price against the database or require an administrative nonce, the specified product is added to the attacker's WooCommerce cart at the manipulated price, allowing them to checkout at a significant discount.","gemini-3-flash-preview","2026-06-26 05:12:08","2026-06-26 05:13:20",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.1.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fupsell-order-bump-offer-for-woocommerce\u002Ftags\u002F3.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fupsell-order-bump-offer-for-woocommerce.3.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fupsell-order-bump-offer-for-woocommerce\u002Ftags\u002F3.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fupsell-order-bump-offer-for-woocommerce.3.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fupsell-order-bump-offer-for-woocommerce\u002Ftags"]