CVE-2026-24366

YITH WooCommerce Request A Quote <= 2.46.0 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 2.46.1
Time to patch: 26d

Description

The YITH Request a Quote for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.46.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=2.46.0
Published: January 9, 2026
Last updated: February 3, 2026

What Changed in the Fix

Changes introduced in v2.46.1

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan - CVE-2026-24366

1. Vulnerability Summary

The YITH Request a Quote for WooCommerce plugin (up to 2.46.0) contains a Missing Authorization vulnerability in its AJAX handling logic. Specifically, the AJAX action yith_ywraq_action (and its unauthenticated counterpart wp_ajax_nopriv_yith_ywraq_action) fails to check if the current user has the necessary permissions or if the plugin's restriction settings (like "Only registered users") are active before performing actions like adding items to a quote list or sending a quote request. This allows unauthenticated attackers to bypass intended restrictions and perform unauthorized actions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: yith_ywraq_action (via POST)
  • Sub-Action Parameter: ywraq_action (carried in the POST body)
  • Vulnerable Sub-Actions: add_item, remove_item, and potentially send_quote.
  • Authentication: None required (exploits wp_ajax_nopriv_ hook).
  • Preconditions: The plugin must be active. The exploit is most impactful when the admin has configured the plugin to restrict quote requests to "Registered Users only," as this setting is bypassed.

3. Code Flow

  1. Entry Point: The
Research Findings
Static analysis — not yet PoC-verified

Summary

The YITH Request a Quote for WooCommerce plugin is vulnerable to unauthorized action due to missing capability and visibility checks in its AJAX handler. This allows unauthenticated attackers to add items to a quote list, bypassing visibility restrictions or 'registered users only' settings intended to protect private or restricted product data.

Vulnerable Code

/* includes/class.yith-request-quote.php:432 */
$product_id         = ( isset( $posted['product_id'] ) && is_numeric( $posted['product_id'] ) ) ? (int) $posted['product_id'] : false;
$is_valid_variation = isset( $posted['variation_id'] ) ? ! ( ( empty( $posted['variation_id'] ) || ! is_numeric( $posted['variation_id'] ) ) ) : true;

$is_valid = $is_valid_variation;

if ( ! $is_valid ) {
	$errors[] = __( 'Error occurred while adding product to Request a Quote list.', 'yith-woocommerce-request-a-quote' );
}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/yith-woocommerce-request-a-quote/2.46.0/includes/class.yith-request-quote.php	2025-12-09 16:31:16.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yith-woocommerce-request-a-quote/2.46.1/includes/class.yith-request-quote.php	2026-01-05 12:05:32.000000000 +0000
@@ -76,6 +75,7 @@
 			/* ajax action. */
 			add_action( 'wp_ajax_yith_ywraq_action', array( $this, 'ajax' ) );
 			add_action( 'wp_ajax_nopriv_yith_ywraq_action', array( $this, 'ajax' ) );
+			add_filter( 'ywraq_ajax_add_item_is_valid', array( $this, 'add_item_is_valid' ), 10, 2 );
 
 			/* session settings. */
 			add_action( 'wp_loaded', array( $this, 'init' ) ); // Get raq after WP and plugins are loaded.
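Review bot: Registering the new check only as a priority-10 callback on `ywraq_ajax_add_item_is_valid` means any later callback on the same filter can set `$is_valid` back to true, so the authorization decision is not enforced by `ajax()` itself. If this is meant to be a hard gate, enforce it in the handler before the `apply_filters` call and keep the filter for extensions; at minimum, a docblock line on this `add_filter` should say the hook now carries a security check so it is not removed during a refactor.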
@@ -432,7 +432,17 @@
 			$product_id         = ( isset( $posted['product_id'] ) && is_numeric( $posted['product_id'] ) ) ? (int) $posted['product_id'] : false;
 			$is_valid_variation = isset( $posted['variation_id'] ) ? ! ( ( empty( $posted['variation_id'] ) || ! is_numeric( $posted['variation_id'] ) ) ) : true;
 
-			$is_valid = $is_valid_variation;
+			/**
+			 * APPLY_FILTERS: ywraq_ajax_add_item_is_valid
+			 *
+			 * Filter if the item to add is valid.
+			 *
+			 * @param boolean $is_valid   Check if the item to add is valid.
+			 * @param int     $product_id Product id.
+			 *
+			 * @return boolean
+			 */
+			$is_valid = apply_filters( 'ywraq_ajax_add_item_is_valid', $product_id && $is_valid_variation, $product_id );
 
 			if ( ! $is_valid ) {
 				$errors[] = __( 'Error occurred while adding product to Request a Quote list.', 'yith-woocommerce-request-a-quote' );
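Review bot: `$is_valid_variation` is still only a numeric check; `variation_id` is never verified to be a variation of `$product_id`, and the filter receives `$product_id` alone, so the new callback cannot apply its visibility rule to the variation either. Consider passing the variation id as a third filter argument (and accepting 3 args in the `add_filter` registration) so the same `is_visible()` check can cover both ids. Requiring `$product_id` to be truthy in `$product_id && $is_valid_variation` is a good tightening and should be mentioned in the changelog, since a missing `product_id` previously still passed validation.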
@@ -459,6 +469,23 @@
 		}
 
 		/**
+		 * Prevent non-authenticated users from adding non-visible products to quote
+		 *
+		 * @param bool $is_valid Product is valid for quote.
+		 * @param int  $product_id The product ID.
+		 * @return bool
+		 */
+		public function add_item_is_valid( $is_valid, $product_id ) {
+			if ( $is_valid && $product_id ) {
+				if ( get_current_user_id() === 0 ) {
+					$product  = wc_get_product( $product_id );
+					$is_valid = $product instanceof WC_Product && $product->is_visible();
+				}
+			}
+			return $is_valid;
+		}
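Review bot: The `get_current_user_id() === 0` condition limits the visibility check to anonymous callers, so any logged-in account, including a subscriber, can still add a non-visible product, and the "registered users only" restriction described in the research plan is not enforced in this callback at all. Dropping the user-id condition so `is_visible()` applies to every caller, and rejecting anonymous requests when that setting is enabled, would match the behaviour the advisory describes; the docblock should also spell out that only anonymous users are covered if the narrower scope is intentional.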

Exploit Outline

An unauthenticated attacker can exploit this vulnerability by sending a POST request to `/wp-admin/admin-ajax.php` using the `yith_ywraq_action` action. By including the parameter `ywraq_action=add_item` along with a target `product_id`, the attacker can add products to a quote list regardless of visibility settings or user authentication requirements. The request bypasses the checks intended to restrict quote functionality to registered users or visible products, allowing unauthorized interaction with restricted shop inventory.
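A defense-in-depth callback on the same hook, written here as an added example (not the plugin's or the advisory's code) for a site already updated to 2.46.1, since the `ywraq_ajax_add_item_is_valid` filter does not exist in 2.46.0. It runs after the plugin's own callback and applies the visibility rule to every caller; the constant `YWRAQ_EXAMPLE_REQUIRE_LOGIN` is an assumption standing in for the plugin's "registered users only" option, whose name this page does not give.

```php
<?php
/**
 * Plugin Name: YWRAQ add_item hardening (added example)
 *
 * Drop into wp-content/mu-plugins/ on a site running 2.46.1 or later.
 * Hooks the filter the 2.46.1 fix introduced, at priority 20 so it runs
 * after the plugin's own add_item_is_valid() callback.
 */

// Assumption: the site mirrors its "registered users only" setting here
// (e.g. in wp-config.php); the real option name is not known on this page.
if ( ! defined( 'YWRAQ_EXAMPLE_REQUIRE_LOGIN' ) ) {
	define( 'YWRAQ_EXAMPLE_REQUIRE_LOGIN', false );
}

/**
 * Decide whether a product may be added to a quote list.
 *
 * @param bool $is_valid   Result of earlier validation, plugin callback included.
 * @param int  $product_id Product id taken from the POST body by the handler.
 * @return bool
 */
function ywraq_example_add_item_is_valid( $is_valid, $product_id ) {
	if ( ! $is_valid || ! $product_id ) {
		return false; // Never re-validate something an earlier callback rejected.
	}

	if ( YWRAQ_EXAMPLE_REQUIRE_LOGIN && 0 === get_current_user_id() ) {
		return false; // Anonymous add_item is refused when the shop is registered-only.
	}

	$product = wc_get_product( $product_id );
	if ( ! $product instanceof WC_Product ) {
		return false; // Unknown id, or a post that is not a WooCommerce product.
	}

	// Hidden, draft, private or otherwise non-visible products are refused for
	// every caller, including logged-in users, which the 2.46.1 callback skips.
	return $product->is_visible();
}
add_filter( 'ywraq_ajax_add_item_is_valid', 'ywraq_example_add_item_is_valid', 20, 2 );
```

Because the callback returns false whenever it receives false, it can only narrow what the plugin already allows, never widen it.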
