[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3A48u4mx2S7sVDooUbHEq7CY-2peZF_9Oqxo_mq4aY0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-1710","woopayments-missing-authorization-to-unauthenticated-plugin-settings-update-via-saveupeappearanceajax","WooPayments \u003C= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax","The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.","woocommerce-payments",null,"\u003C=10.5.1","10.6.0","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Improper Authorization","2026-03-30 16:13:16","2026-04-06 15:32:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcec13225-baa3-4f26-b2d2-af6106888c74?source=api-prod",7,[22,23,24,25,26,27,28],"assets\u002Fimages\u002Fpayment-methods\u002Fideal.svg","changelog.txt","dist\u002Fblocks-checkout-rtl.css","dist\u002Fblocks-checkout.asset.php","dist\u002Fblocks-checkout.css","dist\u002Fblocks-checkout.js","dist\u002Fcart-block.asset.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-1710 - WooPayments Unauthenticated Settings Update\n\n## 1. Vulnerability Summary\nThe **WooPayments** plugin (versions \u003C= 10.5.1) contains an improper authorization vulnerability in its AJAX handling logic. Specifically, the function `save_upe_appearance_ajax` is registered as an unauthenticated AJAX action (`wp_ajax_nopriv_save_upe_appearance`) but fails to perform an internal capability check (e.g., `current_user_can( 'manage_woocommerce' )`). This allows any unauthenticated user to modify the plugin's \"Unified Payment Experience\" (UPE) appearance settings, which can lead to site defacement of the checkout page or facilitate phishing by altering the payment element's style.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `save_upe_appearance`\n*   **HTTP Method:** `POST`\n*   **Authentication:** None (Unauthenticated via `wp_ajax_nopriv_` hook).\n*   **Payload Parameter:** Likely `appearance` (JSON string) and a nonce.\n*   **Preconditions:** The plugin must be active. The UPE (Unified Payment Experience) feature flag is usually enabled by default in recent versions of WooPayments.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated `POST` request is sent to `admin-ajax.php` with `action=save_upe_appearance`.\n2.  **Hook Registration:** The plugin registers the action:\n    ```php\n    \u002F\u002F Inferred registration pattern\n    add_action( 'wp_ajax_save_upe_appearance', [ $this, 'save_upe_appearance_ajax' ] );\n    add_action( 'wp_ajax_nopriv_save_upe_appearance', [ $this, 'save_upe_appearance_ajax' ] );\n    ```\n3.  **Vulnerable Function:** The `save_upe_appearance_ajax` function is invoked.\n4.  **Missing Check:** The function likely verifies a nonce (if provided) but omits:\n    ```php\n    if ( ! current_user_can( 'manage_woocommerce' ) ) { wp_die(); }\n    ```\n5.  **Sink:** The function processes the `$_POST['appearance']` data and updates a WordPress option, likely `_wcpay_upe_appearance` or similar, using `update_option()`.\n\n## 4. Nonce Acquisition Strategy\nThe endpoint likely requires a nonce. Because this is an \"unauthenticated\" vulnerability, the nonce must be exposed to logged-out users, typically on the checkout page or via localized scripts.\n\n1.  **Identify Localization:** Search the codebase for `wp_create_nonce( 'wcpay_save_upe_appearance' )` or similar. Based on `dist\u002Fblocks-checkout.js`, look for variables related to `wcpayConfig`.\n2.  **Trigger Script Loading:** The UPE scripts are loaded on the WooCommerce Checkout page.\n3.  **Manual Extraction Plan:**\n    *   Create a product and add it to the cart.\n    *   Navigate to the Checkout page (`\u002Fcheckout\u002F`).\n    *   Use `browser_eval` to find the nonce.\n    *   **JS Variable Guess (to be verified):** `window.wcpayConfig?.appearance_nonce` or `window.wcPaySettings?.nonce`.\n    *   **Exact check:** Inspect the HTML source for `wcpay_payment_fields_js_config` (mentioned in `changelog.txt`).\n\n## 5. Exploitation Strategy\n### Step 1: Identify Target Option\nThe target option is likely `_wcpay_upe_appearance`. We will attempt to overwrite it with malicious CSS\u002FStyle configurations.\n\n### Step 2: Extract Nonce\nUse the browser to visit the checkout page and extract the nonce from the global JS objects.\n\n### Step 3: Craft the Attack Request\n**URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n**Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n**Body:**\n```urlencoded\naction=save_upe_appearance&nonce=[EXTRACTED_NONCE]&appearance={\"variables\":{\"colorBackground\":\"#FF0000\",\"colorPrimary\":\"#00FF00\"},\"rules\":{\".Input\":{\"borderColor\":\"#0000FF\"}}}\n```\n\n### Step 4: Verify Success\nCheck the checkout page style or query the database via WP-CLI.\n\n## 6. Test Data Setup\n1.  **Install WooCommerce & WooPayments.**\n2.  **Create a Dummy Product:**\n    ```bash\n    wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish\n    wp post term set product $(wp post list --post_type=product --title=\"Test Product\" --field=ID) product_cat --by=name \"Uncategorized\"\n    ```\n3.  **Enable WooPayments** (requires some mocking of the connection state, usually bypassable in test environments via `add_filter( 'wcpay_is_connected', '__return_true' )`).\n4.  **Add Product to Cart:**\n    Navigate to `\u002Fcheckout\u002F?add-to-cart=[PRODUCT_ID]`.\n\n## 7. Expected Results\n*   **Response:** The server should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **Impact:** The plugin settings governing the Stripe Element appearance are modified.\n\n## 8. Verification Steps\nAfter the HTTP request, verify the modification using WP-CLI:\n```bash\n# Check the specific option (name inferred from common WooPayments patterns)\nwp option get _wcpay_upe_appearance --format=json\n```\nIf the option matches the `appearance` payload sent in the request, the exploit is confirmed.\n\n## 9. Alternative Approaches\n*   **Nonce-less Attempt:** Try the request without the `nonce` parameter first. Some WooPayments AJAX handlers incorrectly use `check_ajax_referer` with the `die` parameter set to `false`, continuing execution regardless.\n*   **Different Nonce Actions:** If `wcpay_save_upe_appearance` is not the action, search for `wp_create_nonce` calls in `includes\u002Fclass-ajax-handler.php` (inferred path) to find the correct string.\n*   **Direct Option Guess:** If `_wcpay_upe_appearance` is not the option name, run `wp option list --search=\"*wcpay*appearance*\"` to find the exact key.","The WooPayments plugin fails to implement authorization checks in its `save_upe_appearance_ajax` AJAX handler, which is registered for unauthenticated users. This allows unauthenticated attackers to modify the 'Unified Payment Experience' (UPE) appearance settings by obtaining a nonce exposed on the public checkout page.","\u002F\u002F Inferred location in includes\u002Fclass-ajax-handler.php or similar\npublic function save_upe_appearance_ajax() {\n    \u002F\u002F Only verifies the nonce, not the user's capabilities\n    check_ajax_referer( 'wcpay_save_upe_appearance', 'nonce' );\n\n    $appearance = isset( $_POST['appearance'] ) ? wp_unslash( $_POST['appearance'] ) : '';\n\n    \u002F\u002F Updates a sensitive plugin option without authorization\n    update_option( '_wcpay_upe_appearance', $appearance );\n    wp_send_json_success();\n}\n\n\u002F\u002F Action registration in class-wc-payments-checkout-ajax-handler.php\nadd_action( 'wp_ajax_save_upe_appearance', [ $this, 'save_upe_appearance_ajax' ] );\nadd_action( 'wp_ajax_nopriv_save_upe_appearance', [ $this, 'save_upe_appearance_ajax' ] );","--- a\u002Fincludes\u002Fclass-ajax-handler.php\n+++ b\u002Fincludes\u002Fclass-ajax-handler.php\n@@ -XX,XX +XX,XX @@\n \tpublic function save_upe_appearance_ajax() {\n \t\tcheck_ajax_referer( 'wcpay_save_upe_appearance', 'nonce' );\n \n+\t\tif ( ! current_user_can( 'manage_woocommerce' ) ) {\n+\t\t\twp_send_json_error( __( 'You do not have permission to perform this action.', 'woocommerce-payments' ), 403 );\n+\t\t}\n+\n \t\t$appearance = isset( $_POST['appearance'] ) ? wp_unslash( $_POST['appearance'] ) : '';\n \t\tupdate_option( '_wcpay_upe_appearance', $appearance );\n \t\twp_send_json_success();","To exploit this vulnerability, an unauthenticated attacker first visits the WooCommerce checkout page to extract a valid AJAX nonce. This nonce is typically found within the localized JavaScript configuration object (e.g., `wcpayConfig.appearance_nonce` or within `wcpay_payment_fields_js_config`). The attacker then sends an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to `save_upe_appearance`, the extracted nonce, and an `appearance` parameter containing a JSON-encoded payload. This payload can include malicious CSS variables or rules that modify the layout and styling of the payment element, potentially facilitating phishing or site defacement.","gemini-3-flash-preview","2026-04-17 22:13:43","2026-04-17 22:14:16",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","10.5.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-payments\u002Ftags\u002F10.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-payments.10.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-payments\u002Ftags\u002F10.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-payments.10.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-payments\u002Ftags"]