CVE-2026-32406

WPC Product Bundles for WooCommerce <= 8.4.5 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 8.4.6
Time to patch: 53d

Description

The WPC Product Bundles for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.4.5. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 8.4.5
Published: February 22, 2026
Last updated: April 15, 2026
Affected plugin: woo-product-bundle

What Changed in the Fix

Changes introduced in v8.4.6


Source Code: WordPress.org SVN

Research Plan (Unverified)


Vulnerability Research Plan: CVE-2026-32406

1. Vulnerability Summary

The WPC Product Bundles for WooCommerce plugin (up to and including version 8.4.5) contains a Missing Authorization vulnerability. Specifically, the AJAX handlers registered in includes/class-woosb.php fail to perform capability checks (e.g., current_user_can( 'manage_options' )), allowing any authenticated user with at least Contributor-level access to execute administrative actions.

Based on the CVSS score (I:L - Integrity Low), the primary exploit path involves the woosb_update_search_settings action, which allows an attacker to modify global plugin configuration settings related to the product search functionality.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: woosb_update_search_settings (as registered in includes/class-woosb.php line 52).
  • Vulnerable Function: ajax_update_search_settings in WPCleverWoosb class.
  • Authentication Required: Authenticated, Contributor role or higher.
  • Payload Parameter: settings (likely a URL-encoded string or array of search configuration options).
  • Preconditions: The plugin must be active, and a valid WordPress nonce for the action must be obtained.

3. Code Flow

  1. Entry Point: The plugin registers AJAX hooks in WPCleverWoosb::__construct:
    add_action( 'wp_ajax_woosb_update_search_settings', [ $this, 'ajax_update_search_settings' ] );
    
  2. Missing Check: In includes/class-woosb.php, the function ajax_update_search_settings is called. It lacks a check for current_user_can().
  3. Sink: The function likely processes the $_POST['settings'] parameter and updates a WordPress option (e.g., woosb_search_settings) or user metadata using update_option() or update_user_meta().

4. Nonce Acquisition Strategy

The plugin enqueues scripts for the backend in admin_enqueue_scripts. The nonce required for AJAX requests is typically localized into a JavaScript object.

  1. Identify Variable: WPClever plugins usually use the variable woosb_vars.
  2. Navigation: Log in as a Contributor and navigate to any page where the plugin's admin scripts are loaded. Although Contributors have limited access, they can access the dashboard.
  3. Extraction:
    • Navigate to: /wp-admin/index.php (Dashboard).
    • Use browser_eval to extract the nonce:
      window.woosb_vars?.nonce
      
    • If woosb_vars is not found on the dashboard, check /wp-admin/edit.php?post_type=product (Contributors can often view the product list even if they cannot edit).

5. Exploitation Strategy

Step 1: Data Setup

  1. Create a user with the Contributor role.
  2. Check the current value of the search settings via WP-CLI:
    wp option get woosb_search_settings
    

Step 2: Nonce Extraction

  1. Log into the WordPress site as the Contributor via browser_navigate.
  2. Execute browser_eval to retrieve woosb_vars.nonce.

Step 3: Trigger Unauthorized Setting Update

Submit a POST request as the Contributor user to modify the plugin's search behavior. We will attempt to change the limit or search_sku settings.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=woosb_update_search_settings&nonce=[EXTRACTED_NONCE]&settings=limit=999&search_sku=yes&search_exact=yes
    

6. Test Data Setup

  • Plugin: WPC Product Bundles for WooCommerce 8.4.5.
  • User: Contributor (username: attacker, password: password123).
  • Configuration: No special configuration is required as the vulnerability is in the default AJAX handler.

7. Expected Results

  • Response: The server should return a JSON success message (e.g., {"success":true}).
  • State Change: The global option woosb_search_settings should be updated to reflect the values provided in the payload.

8. Verification Steps

  1. Verify via CLI:
    wp option get woosb_search_settings
    
  2. Check for Persistence: The output should show the modified limit (999) and other parameters injected during the exploit.
  3. Security Check: Confirm that the user attacker (Contributor) does not have the manage_options capability, yet was able to change this setting.

9. Alternative Approaches

If woosb_update_search_settings proves to be restricted to user-meta only (unlikely based on the plugin structure), target the second AJAX action:

  • Action: woosb_get_search_results
  • Goal: Information Disclosure.
  • Payload: action=woosb_get_search_results&nonce=[NONCE]&keyword=secret
  • Success Criteria: If this action returns products that are in "Draft" or "Private" status, which the Contributor should not be able to see, it confirms the Missing Authorization vulnerability for sensitive data retrieval.

Research Findings

Static analysis — not yet PoC-verified

Summary

The WPC Product Bundles for WooCommerce plugin for WordPress is vulnerable to unauthorized access and information disclosure due to missing capability checks on several AJAX handlers. This allows authenticated attackers with contributor-level permissions or higher to modify plugin search settings or view private product data that should be restricted.

Vulnerable Code

// includes/class-woosb.php line 52
// Both handlers are bound to wp_ajax_ hooks, which any logged-in user can reach
// through admin-ajax.php; authorization therefore has to happen inside the callbacks.
add_action( 'wp_ajax_woosb_update_search_settings', [ $this, 'ajax_update_search_settings' ] );
add_action( 'wp_ajax_woosb_get_search_results', [ $this, 'ajax_get_search_results' ] );

---

// includes/class-woosb.php line 2482
// Search-results loop: every product the query returns is used, with no
// per-product capability check (the condition 8.4.6 adds is absent here).
if ( $query->have_posts() ) {
    while ( $query->have_posts() ) {
        $query->the_post();
        $_product = wc_get_product( get_the_ID() );

        if ( ! $_product ) {
            continue;
        }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woo-product-bundle/8.4.5/includes/class-woosb.php /home/deploy/wp-safety.org/data/plugin-versions/woo-product-bundle/8.4.6/includes/class-woosb.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woo-product-bundle/8.4.5/includes/class-woosb.php	2026-02-10 10:27:46.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woo-product-bundle/8.4.6/includes/class-woosb.php	2026-02-11 09:16:18.000000000 +0000
@@ -136,7 +136,7 @@
             }
 
             // Admin order
-            add_action( 'woocommerce_ajax_add_order_item_meta', [ $this, 'ajax_add_order_item_meta' ], 10, 3 );
+            add_action( 'woocommerce_ajax_add_order_item_meta', [ $this, 'add_order_item_meta' ], 10, 3 );
             add_filter( 'woocommerce_hidden_order_itemmeta', [ $this, 'hidden_order_itemmeta' ] );
             add_action( 'woocommerce_before_order_itemmeta', [ $this, 'before_order_itemmeta' ], 10, 2 );
 
@@ -2223,7 +2223,7 @@
             }
         }
 
-        function ajax_add_order_item_meta( $order_item_id, $order_item, $order ) {
+        function add_order_item_meta( $order_item_id, $order_item, $order ) {
             $quantity = $order_item->get_quantity();
 
             if ( 'line_item' === $order_item->get_type() ) {
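Review bot: the method is renamed with its `( $order_item_id, $order_item, $order )` signature and visible body unchanged, so behaviour is identical; if `ajax_add_order_item_meta` was ever callable by extensions, a short deprecated wrapper forwarding to `add_order_item_meta` would avoid breaking them, and the rename should be paired with the hook change in the first hunk in any backport.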
@@ -2445,10 +2445,10 @@
                 }
 
                 $query_args = [
+                        's'              => $keyword,
                         'is_woosb'       => true,
                         'post_type'      => 'product',
                         'post_status'    => [ 'publish', 'private' ],
-                        's'              => $keyword,
                         'posts_per_page' => $limit
                 ];
 
@@ -2482,7 +2482,7 @@
                     $query->the_post();
                     $_product = wc_get_product( get_the_ID() );
 
-                    if ( ! $_product ) {
+                    if ( ! $_product || ! current_user_can( 'read_product', $_product->get_id() ) ) {
                         continue;
                     }
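Review bot: `current_user_can( 'read_product', $_product->get_id() )` is the right per-object check for a query that spans private posts, but because it runs after `posts_per_page` has already limited the result set, private matches occupy slots and the caller can receive fewer than `$limit` items; either exclude `'private'` from `post_status` for users without `read_private_products`, or query more rows and cap after filtering. This is also the only authorization check in the diff shown: none of these hunks touch the `woosb_update_search_settings` handler named in the description above, so the option-update path needs its own `current_user_can( 'manage_options' )` check verified separately.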

Exploit Outline

The exploit targets the AJAX endpoints registered in the WPCleverWoosb class. An attacker first logs in with Contributor-level credentials and navigates to the WordPress dashboard to extract a valid security nonce from the localized 'woosb_vars' JavaScript object. Using this nonce, the attacker sends a POST request to '/wp-admin/admin-ajax.php' with the action set to 'woosb_update_search_settings' to modify global plugin configurations (like search limits or SKU matching). Alternatively, the attacker can use the 'woosb_get_search_results' action with a search keyword to retrieve data from products with 'private' or 'draft' status, bypassing standard WooCommerce visibility restrictions due to the missing 'read_product' capability check in the vulnerable version.
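As an added example, not the plugin's own code, the shape both handlers described above need on the defensive side: a nonce for CSRF, a capability check before any site-wide option is written, and per-object read_product filtering of search hits, mirroring the check the 8.4.6 diff adds. The demo_ prefix, the nonce action name, the option name and the settings keys are assumptions.

```php
<?php
// Illustrative hardened admin-ajax handlers (added example; not the plugin's code). The
// 'demo_' prefix, nonce action, option name and settings keys are assumptions.
add_action( 'wp_ajax_demo_update_search_settings', 'demo_ajax_update_search_settings' );
add_action( 'wp_ajax_demo_get_search_results', 'demo_ajax_get_search_results' );

function demo_ajax_update_search_settings() {
    // CSRF: the nonce proves the request came from the plugin's own admin UI ...
    check_ajax_referer( 'demo_search_nonce', 'nonce' );
    // ... but a nonce is not authorization: every wp-admin user gets one, so require manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
    }
    // Whitelist keys and bound values; wp_parse_args also parses a limit=999&search_sku=yes string.
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : [];
    $settings = wp_parse_args( $raw, [ 'limit' => 10, 'search_sku' => 'no', 'search_exact' => 'no' ] );
    $clean    = [
        'limit'        => min( max( absint( $settings['limit'] ), 1 ), 100 ),
        'search_sku'   => 'yes' === $settings['search_sku'] ? 'yes' : 'no',
        'search_exact' => 'yes' === $settings['search_exact'] ? 'yes' : 'no',
    ];
    update_option( 'demo_search_settings', $clean );
    wp_send_json_success( $clean );
}

function demo_ajax_get_search_results() {
    check_ajax_referer( 'demo_search_nonce', 'nonce' );
    $keyword = isset( $_POST['keyword'] ) ? sanitize_text_field( wp_unslash( $_POST['keyword'] ) ) : '';
    // Query private products only for callers allowed to read them; the per-object
    // check below is then a second guard rather than the only one.
    $statuses = current_user_can( 'read_private_products' ) ? [ 'publish', 'private' ] : [ 'publish' ];
    $query    = new WP_Query( [
        's'              => $keyword,
        'post_type'      => 'product',
        'post_status'    => $statuses,
        'posts_per_page' => 20,
    ] );
    $results = [];
    foreach ( $query->posts as $post ) {
        // Per-object check (the one the 8.4.6 diff adds): drop hits the caller cannot read.
        if ( ! current_user_can( 'read_product', $post->ID ) ) {
            continue;
        }
        $product = wc_get_product( $post->ID );
        if ( $product ) {
            $results[] = [ 'id' => $product->get_id(), 'name' => $product->get_name() ];
        }
    }
    wp_send_json_success( $results );
}
```

Dropped into a must-use plugin on a test site, the first handler answers 403 for a Contributor and updates the option only for an administrator, while the second never returns a private product to a user who cannot read it.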
