[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f953XyS-a4XZw2D1sFxroP-BnyuPFhsa6-uAyMx31h4o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-42654","wallet-system-for-woocommerce-digital-wallet-buy-now-pay-later-bnpl-instant-cashback-referral-program-partial-subscripti","Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments \u003C= 2.7.5 - Missing Authorization","The Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.7.5. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","wallet-system-for-woocommerce",null,"\u003C=2.7.5","2.7.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-29 00:00:00","2026-05-04 14:07:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3a49f5f8-eec3-4b43-a007-329a7c1c6840?source=api-prod",6,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fclass-wallet-system-for-woocommerce-admin.php","admin\u002Fjs\u002Fwps-wsfw-wallet-card-notices.js","common\u002Fclass-wallet-system-for-woocommerce-common.php","includes\u002Fclass-wallet-system-for-woocommerce.php","languages\u002Fwallet-system-for-woocommerce-en_US.po","languages\u002Fwallet-system-for-woocommerce.pot","wallet-system-for-woocommerce.php","researched",false,3,"This research plan targets a **Missing Authorization** vulnerability in the **Wallet System for WooCommerce** plugin (\u003C= 2.7.5). The vulnerability allows authenticated users with Subscriber-level access to perform unauthorized actions, specifically dismissing administrative notices site-wide due to a missing capability check in an AJAX handler.\n\n### 1. Vulnerability Summary\n*   **ID**: CVE-2026-42654\n*   **Vulnerability Type**: Missing Authorization (CWE-862)\n*   **Vulnerable Function**: `wps_wsfw_dismiss_notice_banner` (Action) \u002F Associated AJAX handler.\n*   **Affected Code**: The AJAX registration for `wps_wsfw_dismiss_notice_banner` is most likely in `admin\u002Fclass-wallet-system-for-woocommerce-admin.php`: that file and `admin\u002Fjs\u002Fwps-wsfw-wallet-card-notices.js` both appear in the 2.7.6 patch diff, while `includes\u002Fclass-wallet-system-ajaxhandler.php` does not. Confirm by reading the handler in the 2.7.5 tag.\n*   **Reason**: The plugin registers an AJAX action for authenticated users but only verifies a nonce (`wp_rest`) without checking if the user has administrative capabilities (e.g., `manage_options`). A `wp_rest` nonce is the generic REST cookie-authentication nonce, so it proves only that the request came from a logged-in browser session (a CSRF defence), not that the user is allowed to change notice state. 
Since the script and nonce are enqueued for all users accessing the dashboard (including Subscribers), any logged-in user can trigger the action.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action**: `wps_wsfw_dismiss_notice_banner`\n*   **HTTP Method**: POST\n*   **Authentication**: Required (Subscriber level or higher)\n*   **Payload Parameters**:\n    *   `action`: `wps_wsfw_dismiss_notice_banner`\n    *   `wps_nonce`: A valid `wp_rest` nonce (localized for the current user).\n*   **Preconditions**: The plugin must be active. A Subscriber user must be created.\n\n### 3. Code Flow\n1.  **Enqueuing**: The method `wsfw_admin_enqueue_scripts` in `admin\u002Fclass-wallet-system-for-woocommerce-admin.php` registers and enqueues the script `admin-notice`.\n2.  **Localization**: Inside `wsfw_admin_enqueue_scripts`, the plugin localizes the object `wps_wsfw_branner_notice`, which contains a nonce generated via `wp_create_nonce( 'wp_rest' )`.\n3.  **Client-Side**: The file `admin\u002Fjs\u002Fwps-wsfw-wallet-card-notices.js` attaches a click listener to `#dismiss-banner`. When clicked, it sends a POST request to `admin-ajax.php` with the `wps_nonce`.\n4.  **Server-Side Handler**: The handler for `wps_wsfw_dismiss_notice_banner` (most likely in `admin\u002Fclass-wallet-system-for-woocommerce-admin.php`, which is in the 2.7.6 patch diff; `class-wallet-system-ajaxhandler.php` is not) checks the nonce using `wp_verify_nonce` but fails to check `current_user_can( 'manage_options' )`.\n5.  **Sink**: The handler typically updates a global option (e.g., `wps_wsfw_notice_dismissed`) or user meta. Only the option case gives the site-wide impact claimed above: if the sink turns out to be user meta, the dismissal affects just the attacker's own admin view and the finding is much weaker, so establish which it is before rating the impact.\n\n### 4. Nonce Acquisition Strategy\nThe nonce is user-bound and action-bound to `wp_rest`. It is exposed to any logged-in user who can access the WordPress admin area (Subscribers can access `\u002Fwp-admin\u002Fprofile.php`).\n\n1.  **Login**: Authenticate as a Subscriber.\n2.  
**Navigate**: Use `browser_navigate` to go to `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fprofile.php`.\n3.  **Extract**: Use `browser_eval` to extract the localized nonce from the global JavaScript object.\n    *   **JavaScript Variable**: `window.wps_wsfw_branner_notice`\n    *   **Key**: `wps_wsfw_nonce`\n    *   **Command**: `browser_eval(\"window.wps_wsfw_branner_notice.wps_wsfw_nonce\")`\n\n### 5. Exploitation Strategy\n1.  **Step 1: Setup**: Ensure the plugin is active and a Subscriber user exists.\n2.  **Step 2: Obtain Nonce**: Log in as a Subscriber and extract the `wps_wsfw_nonce` from the profile page.\n3.  **Step 3: Execute Unauthorized Action**: Send a POST request to `admin-ajax.php` to dismiss the admin notice.\n\n**Request Details**:\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8888\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Subscriber Cookies]\n\naction=wps_wsfw_dismiss_notice_banner&wps_nonce=[EXTRACTED_NONCE]\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin**: Ensure version 2.7.5 is installed.\n2.  **Create User**:\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n    ```\n3.  **Verify Initial State**: Check if the dismissal option is NOT set (or set to 'no').\n    ```bash\n    wp option get wps_wsfw_notice_dismissed\n    ```\n\n### 7. Expected Results\n*   **Response**: The server should return a `1`, `success`, or a JSON response indicating the notice has been dismissed. A bare `0` means `admin-ajax.php` found no handler hooked for the action (wrong action name or inactive plugin), and `-1` means the nonce check failed; in that case re-extract the nonce from a fresh `profile.php` load, since nonces are tied to the session and expire.\n*   **Integrity Impact**: The administrative notice (banner) will no longer appear for any user, including administrators, because the underlying option has been modified by a low-privileged user.\n\n### 8. Verification Steps\n1.  
**Check Option**: After the request, verify that the option used to track notice dismissal has been updated.\n    ```bash\n    wp option get wps_wsfw_notice_dismissed\n    ```\n    *(Note: If the option name is different, use `wp option list --search=\"wps_wsfw\"` to find the correct flag).*\n2.  **Login as Admin**: Log in as an administrator and navigate to the dashboard. Observe that the Wallet System notice banner is gone.\n\n### 9. Alternative Approaches\nIf `wps_wsfw_dismiss_notice_banner` is not the specific \"unauthorized action\" intended by the CVSS 4.3 rating, look for other AJAX actions registered in `includes\u002Fclass-wallet-system-ajaxhandler.php` (if accessible) or via `grep`:\n\n```bash\ngrep -r \"wp_ajax_\" . | grep -v \"nopriv\"\n```\n\nThe quickest way to settle it is to diff the 2.7.5 and 2.7.6 trees (both zips are linked under source_links) and see which handler gained a capability check.\n\nHandler names that would be worth checking if they exist (these are guesses, not names confirmed from the plugin source or the patch diff):\n*   `wps_wsfw_update_user_wallet`: If this lacks a capability check, a Subscriber could modify their own (or others') wallet balances.\n*   `wps_wsfw_wallet_recharge_action`: Unauthorized wallet recharges.\n\nThe localized `wp_rest` nonce in `admin-notice`, together with the fact that the 2.7.6 patch touches `admin\u002Fjs\u002Fwps-wsfw-wallet-card-notices.js` and the admin class, is consistent with `wps_wsfw_dismiss_notice_banner` being the intended attack vector for this vulnerability ID, but this has not been verified against the handler source.","gemini-3-flash-preview","2026-05-04 18:04:53","2026-05-04 18:05:43",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.7.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwallet-system-for-woocommerce\u002Ftags\u002F2.7.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwallet-system-for-woocommerce.2.7.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwallet-system-for-woocommerce\u002Ftags\u002F2.7.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwallet-system-for-woocommerce.2.7.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwallet-system-for-woocommerce\u002Ftags"]