[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_wkmNc9JNzWzRcwZX9FIkj5u5W05uq_80TlrgehhcKs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-54841","vitepos-point-of-sale-pos-for-woocommerce-unauthenticated-information-exposure","Vitepos – Point of Sale (POS) for WooCommerce \u003C= 3.4.2 - Unauthenticated Information Exposure","The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","vitepos-lite",null,"\u003C=3.4.2","3.4.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-18 00:00:00","2026-06-25 13:49:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F84e269dd-05bd-4671-802d-b21e4987b3f0?source=api-prod",8,[22,23,24,25,26,27,28,29],"assets-global\u002Fscript.js","assets-global\u002Fstyle.css","assets\u002Fcss\u002Fadmin-style.css","assets\u002Fjs\u002Fadmin-script.js","assets\u002Floading.svg","assets\u002Flogo3.svg","assets\u002Fstyle.css","dci\u002Fassets\u002Fcss\u002Fdci.css","researched",false,3,"This plan targets **CVE-2026-54841**, an Unauthenticated Information Exposure vulnerability in the **Vitepos – Point of Sale (POS) for WooCommerce** plugin (\u003C= 3.4.2).\n\n### 1. Vulnerability Summary\nThe Vitepos plugin fails to implement proper authorization checks on several of its REST API endpoints used for POS initialization. Specifically, endpoints intended to provide data to the POS login screen (such as the list of outlets, users, and general configuration) are registered with a `permission_callback` that either defaults to `__return_true` or is absent, allowing any unauthenticated user to query sensitive store and user data.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API.\n*   **Target Routes (Inferred based on Vitepos architecture):**\n    *   `\u002Fwp-json\u002Fvitepos\u002Fv1\u002Fget-init-data` (Primary target for full info exposure)\n    *   `\u002Fwp-json\u002Fvitepos\u002Fv1\u002Fget-settings`\n*   **Method:** `GET` (or `POST` in some configurations).\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. No specific POS configuration is required to expose the default initialization data.\n\n### 3. Code Flow\n1.  **Route Registration:** The plugin registers REST routes during the `rest_api_init` hook.\n2.  **Missing Authorization:** In the vulnerable version, the registration for `get-init-data` lacks a strict permission check (e.g., `current_user_can( 'manage_woocommerce' )`).\n3.  **Data Compilation:** The handler function (typically in a class like `VitePos_API`) fetches:\n    *   `get_users()`: Returns user details for the POS login selection.\n    *   `get_outlets()`: Returns store locations and addresses.\n    *   `get_settings()`: Returns WooCommerce and POS specific configuration.\n4.  **Information Leak:** The compiled data is returned as a JSON object to any requester.\n\n### 4. Nonce Acquisition Strategy\nWhile the vulnerability is \"unauthenticated,\" WordPress REST API requests usually require a `wp_rest` nonce if a session is present. However, for a purely unauthenticated attack (no cookies), the REST API often allows access to public routes without a nonce. \n\nIf the endpoint requires a nonce even for unauthenticated users (to prevent direct scraping), we will extract it from the POS login page:\n\n1.  **Shortcode Identification:** Vitepos typically uses the shortcode `[vitepos]` or a dedicated page created at install (usually slug `\u002Fpos`).\n2.  **Environment Setup:** Create a page containing the POS shortcode to ensure scripts are enqueued.\n3.  **Variable Extraction:** The plugin localizes data into a JavaScript object. Based on `assets\u002Fjs\u002Fadmin-script.js`, the global object is likely `vitepos_lite_obj`.\n4.  **Action:** Use `browser_eval` to extract the nonce:\n    *   `browser_eval(\"window.vitepos_lite_obj?.nonce\")`\n\n### 5. Exploitation Strategy\nWe will attempt to access the initialization data via the REST API.\n\n**Step 1: Discover Active Vitepos Routes**\nQuery the REST API index to confirm the exact route name for the current version.\n*   **Request:** `GET \u002Fwp-json\u002Fvitepos\u002Fv1`\n*   **Tool:** `http_request`\n\n**Step 2: Extract Sensitive Data**\nAttempt to access the `get-init-data` endpoint.\n*   **Request:** `GET \u002Fwp-json\u002Fvitepos\u002Fv1\u002Fget-init-data`\n*   **Headers:** `Content-Type: application\u002Fjson`\n*   **Expected Response:** A JSON object containing `users`, `settings`, and `outlets`.\n\n**Step 3: Alternative Route (Settings)**\nIf `get-init-data` is restricted, attempt the settings endpoint.\n*   **Request:** `GET \u002Fwp-json\u002Fvitepos\u002Fv1\u002Fget-settings`\n\n### 6. Test Data Setup\nTo verify information exposure, we need a \"victim\" environment with data to leak:\n1.  **Users:** Create a few users with different roles (e.g., `cashier`, `customer`).\n    *   `wp user create cashier_test cashier@example.com --role=author`\n2.  **Plugin Setup:** Ensure Vitepos is active.\n3.  **Page Creation:** Create the POS page to verify if nonces are needed.\n    *   `wp post create --post_type=page --post_title=\"POS\" --post_status=publish --post_content='[vitepos]' --post_name='pos'`\n\n### 7. Expected Results\nA successful exploit will return a `200 OK` response with a JSON body containing:\n*   **User Data:** Usernames, IDs, and potentially emails of staff members.\n*   **Store Info:** Outlet names, addresses, and phone numbers.\n*   **Config:** Internal plugin settings that may reveal WooCommerce configuration details.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the data matches the database:\n1.  Compare the leaked usernames\u002Femails with the output of:\n    *   `wp user list --fields=user_login,user_email`\n2.  Check if any \"secret\" or internal settings leaked match the options table:\n    *   `wp option get vitepos_lite_settings` (inferred option name)\n\n### 9. Alternative Approaches\nIf the REST API is disabled or blocked by a security plugin, check for an equivalent AJAX action:\n*   **Action:** `vitepos_get_init_data` or `vps_get_init_data`\n*   **Request:** `GET \u002Fwp-admin\u002Fadmin-ajax.php?action=vitepos_get_init_data`\n*   Note: This would also require a nonce, likely found in the `vitepos_lite_obj` on the `\u002Fpos` page.","gemini-3-flash-preview","2026-06-25 21:22:23","2026-06-25 21:23:04",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvitepos-lite\u002Ftags\u002F3.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvitepos-lite.3.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvitepos-lite\u002Ftags\u002F3.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvitepos-lite.3.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvitepos-lite\u002Ftags"]