[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmy3ft9XXj6u6bMGkCojF2HVtMKFz9ZCQ8AUCzlVthbc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-27541","wholesale-suite-authenticated-shop-manager-privilege-escalation","Wholesale Suite \u003C= 2.2.6 - Authenticated (Shop Manager) Privilege Escalation","The Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to elevate their privileges to that of an administrator.","woocommerce-wholesale-prices",null,"\u003C=2.2.6","2.2.7","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-02-20 00:00:00","2026-03-06 
18:37:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2942644d-c330-4ec0-ab1d-64b3044d5a87?source=api-prod",15,[22,23,24,25,26],"dist\u002F.vite\u002Fmanifest.json","dist\u002Fapps\u002Fdashboard\u002Fcomponents\u002Ficons\u002FActivateLicense-legacy.RTBl6CpT.js","dist\u002Fapps\u002Fdashboard\u002Fcomponents\u002Ficons\u002FActivateLicense.Gqsgm9oj.js","dist\u002Fapps\u002Fdashboard\u002Fcomponents\u002Ficons\u002FContact-legacy.Djs1-Gwk.js","dist\u002Fapps\u002Fdashboard\u002Fcomponents\u002Ficons\u002FContact.C7Fw4R9V.js","researched",false,3,"# Research Plan: CVE-2026-27541 - Wholesale Suite Privilege Escalation\n\n## 1. Vulnerability Summary\nThe **Wholesale Suite (woocommerce-wholesale-prices)** plugin for WordPress (versions \u003C= 2.2.6) contains a privilege escalation vulnerability. The core issue resides in the plugin's settings management or role management functionality. It allows authenticated users with **Shop Manager** capabilities (who typically have `manage_woocommerce`) to perform administrative actions, specifically escalating their own role or modifying site-wide settings (like `default_role`) due to insufficient capability checks (checking for `manage_woocommerce` or `edit_posts` instead of `manage_options`) in AJAX or REST API handlers.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (or potentially a REST API endpoint under `wp-json\u002Fwholesale-suite\u002Fv1\u002F`).\n*   **Vulnerable Action:** Likely `wwp_save_settings`, `wwp_ajax_save_settings`, or `wwhp_update_settings` (inferred from plugin naming conventions).\n*   **Payload Parameter:** `settings` or a specific option parameter like `default_role`.\n*   **Authentication:** Authenticated, **Shop Manager** level or higher.\n*   **Preconditions:** The plugin must be active, and a Shop Manager account must be available.\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** The plugin registers an AJAX handler using `add_action( 'wp_ajax_wwp_save_settings', ... )` (or similar).\n2.  **Authorization Check:** The handler likely uses `current_user_can( 'manage_woocommerce' )`. While Shop Managers have this, they should not be allowed to modify arbitrary site options or roles.\n3.  **Nonce Verification:** A nonce check is likely present (e.g., `check_ajax_referer( 'wwp_settings_nonce', 'nonce' )`), but this nonce is exposed to Shop Managers on the plugin's settings page.\n4.  **Processing:** The code iterates through the provided `settings` array.\n5.  **Sink:** It calls `update_option()` for each key-value pair without a whitelist of allowed options, or it improperly handles role assignments during user updates.\n\n## 4. Nonce Acquisition Strategy\nTo obtain a valid nonce for the `Shop Manager` user:\n1.  **Identify Trigger:** The plugin settings are typically located at `\u002Fwp-admin\u002Fadmin.php?page=wwp-settings`.\n2.  **Access Page:** Log in as the Shop Manager and navigate to the settings page.\n3.  **Extract Nonce:** The nonce is likely localized in the page source via `wp_localize_script`.\n    *   **JS Variable:** Based on the manifest and plugin history, check `window.wwp_settings_vars` or `window.wwp_bulk_actions_vars`.\n    *   **Key:** Look for `nonce` or `wwp_settings_nonce`.\n4.  **Command:**\n    ```javascript\n    \u002F\u002F Browser Eval\n    browser_eval(\"window.wwp_settings_vars?.nonce || window.wwp_vars?.nonce\")\n    ```\n\n## 5. Exploitation Strategy\nThe goal is to update the WordPress `default_role` to `administrator` and then trigger a registration, or directly update the current user's role if the endpoint supports it.\n\n### Step-by-Step Plan:\n1.  **Login:** Authenticate as the Shop Manager user.\n2.  **Discover Action:** Grep the plugin directory for the settings saving action:\n    `grep -rn \"wp_ajax_\" . | grep \"save\"`\n3.  
**Obtain Nonce:** Navigate to the plugin settings page and extract the nonce using `browser_eval`.\n4.  **Execute Privilege Escalation:**\n    *   **Method A: Update `default_role`** (if the handler allows arbitrary options):\n        *   **Request:** `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n        *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n        *   **Body:** `action=wwp_save_settings&nonce=[NONCE]&settings[default_role]=administrator` (or similar structure).\n    *   **Method B: Direct Role Update** (if the handler supports user modification):\n        *   **Request:** `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n        *   **Body:** `action=wwp_update_user_role&nonce=[NONCE]&user_id=[CURRENT_ID]&role=administrator`\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Wholesale Suite \u003C= 2.2.6 and WooCommerce.\n2.  **Create User:** A user with the `shop_manager` role.\n3.  **Configure Plugin:** Ensure the plugin is initialized so settings pages are accessible.\n4.  **Identify Settings Page:** Confirm the slug (usually `wwp-settings`).\n\n## 7. Expected Results\n*   **Response:** A successful response (e.g., `{\"success\": true}` or `1`).\n*   **Effect:** The WordPress option `default_role` is changed to `administrator`, OR the Shop Manager user's role is directly changed to `administrator` in the `wp_users`\u002F`wp_usermeta` tables.\n\n## 8. Verification Steps\n1.  **Check Option via WP-CLI:**\n    `wp option get default_role` (Should return `administrator`).\n2.  **Check User Role via WP-CLI:**\n    `wp user get [USERNAME] --field=roles` (Should return `administrator`).\n3.  **UI Verification:** Log in as the former Shop Manager and verify that the \"Plugins\" and \"Settings\" menus are now visible (indicating full Admin access).\n\n## 9. 
Alternative Approaches\n*   **REST API:** If AJAX is well-protected, check for REST routes:\n    `grep -rn \"register_rest_route\" .`\n    Look for endpoints that update settings and check if the `permission_callback` only checks for `manage_woocommerce`.\n*   **Insecure Deserialization:** If the settings are saved as a serialized object, check if the plugin uses `unserialize()` on the input before saving.\n*   **Wholesale Role Management:** Specifically target the \"Wholesale Roles\" creation feature. If a Shop Manager can create a role with `administrator` capabilities, they can then assign it to themselves.\n    *   **Action:** `wwp_add_wholesale_role`\n    *   **Payload:** `role_name=attacker_role&capabilities[administrator]=1`","gemini-3-flash-preview","2026-04-19 01:56:11","2026-04-19 01:57:08",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","2.2.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-wholesale-prices\u002Ftags\u002F2.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-wholesale-prices.2.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-wholesale-prices\u002Ftags\u002F2.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-wholesale-prices.2.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-wholesale-prices\u002Ftags"]