ANALYSIS · 24e5e44c· FINISHED 2026-06-13 · PATCHDIFF

payu-india3.8.2 → 3.8.5✓ COMPLETED

Files17

Vulnerable17

True positives0

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2024-12264

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 17 CVE 1 Vuln 17

SORT

1 files · page 1/1

includes/class-payu-shipping-tax-api-calculation.php

AI: 5 vulnerabilities

CWE-287: Improper AuthenticationCWE-20: Improper Input ValidationCWE-639: Authorization Bypass Through User-Controlled Key CVE-2024-12264

#%!d(float64=008)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2024-12264

Security writeup for CVE-2024-12264

✓ 1 FILE

## The Exploit

An unauthenticated attacker with network access to the WordPress REST API can invoke the `/wp-json/payu/v1/get-shipping-cost` endpoint to bypass authentication entirely. The endpoint accepts arbitrary email and transaction ID parameters without verifying the caller's identity, then processes those values in downstream code that modifies user state.

```http
POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1
Host: target.com
Content-Type: application/json

{
  "email": "attacker@example.com",
  "txnid": "12345_order",
  "udf4": "session_key_value",
  "address": "123 Main St"
}
```

The response confirms successful processing without requiring authentication. An attacker observes a 200 status code with shipping cost data, and if the request parameters align with an existing order or guest session, the endpoint will extract and process user-controlled data within a protected context. The vulnerability lies upstream: no permission check guards the endpoint before the callback executes, allowing unauthenticated callers to reach code paths that validate only an optional auth token — not membership in a privileged role.

## What the Patch Did

**Before:**

```php
public function getPaymentFailedUpdate()
{
    register_rest_route('payu/v1', '/get-shipping-cost', array(
        'methods' => ['POST'],
        'callback' => array($this, 'payuShippingCostCallback'),
        'permission_callback' => '__return_true'
    ));
}
```

**After:**

The patch replaced `'permission_callback' => '__return_true'` — which unconditionally permits all requests — with a closure that enforces either a WordPress capability check via `current_user_can('manage_woocommerce')` or validation of a cryptographic authentication token through `payu_validate_authentication_token()`. This is a guard-rail control that executes *before* the callback function itself, at the REST API dispatcher level.

Additionally, the patch added explicit null-checks for required parameters:

```php
if (!isset($parameters['email']) || !isset($parameters['txnid'])) {
    return new WP_REST_REST_Response([
        'status' => 'false',
        'data' => [],
        'message' => 'Missing required parameters'
    ], 400);
}
```

And validation of the auth token header:

```php
$token = isset($auth['Auth-Token']) ? $auth['Auth-Token'] : '';

if (empty($token)) {
    return new WP_REST_Response([
        'status' => 'false',
        'data' => [],
        'message' => 'Token is missing'
    ], 401);
}
```

## Root Cause

**CWE-287 (Improper Authentication)** and **CWE-20 (Improper Input Validation)** chain to create unauthenticated access to a sensitive endpoint. The attacker-controlled parameters `email`, `txnid`, `udf4`, and `address` are passed in the POST body and reach the callback function without any permission boundary. The REST dispatcher evaluates `permission_callback: __return_true`, which is a magic function that always returns true, effectively disabling authentication. No capability check (e.g., `current_user_can()`) guards entry. Inside the callback, the code sanitizes but does not validate presence of required parameters before use, and attempts to read `$auth['Auth-Token']` without verifying the key exists. The trust boundary — the line between unauthenticated and authenticated callers — is never enforced because the permission callback is a no-op.

## Why It Works

The load-bearing line is the new `permission_callback` closure that invokes `current_user_can('manage_woocommerce')` or `payu_validate_authentication_token()`. Without this change, the endpoint remains callable by any HTTP client regardless of session or token state. The patch's secondary defensive layers — null-checks on `$parameters['email']` and `$parameters['txnid']`, and the isset-guard on `$auth['Auth-Token']` — prevent downstream undefined-key warnings and ensure that if the permission callback is somehow bypassed, the callback itself will reject malformed requests early. However, those checks are redundant defenses; the permission callback is the critical control. If you removed it and restored `'permission_callback' => '__return_true'`, the vulnerability would re-emerge immediately because the code path would be reachable by unauthenticated users. The secondary guards catch sloppy input, but they do not authenticate the caller — only the permission callback does.

## Hardening Checklist

- **Audit all REST endpoints for `'permission_callback' => '__return_true'` or missing permission_callback entirely.** Use `wp-cli plugin code-search` or grep to identify register_rest_route() calls without a real permission_callback function.
- **Implement mandatory authentication at the route level**, not inside the callback. Use `current_user_can()` in a closure or a dedicated function that returns a WP_Error on failure. Never delay authentication to callback logic.
- **Validate required parameters before use.** Check isset() on all expected keys in `$request->get_params()` or `$request->get_json_params()` before sanitization, and return a 400 WP_REST_Response if any are missing.
- **Use `$request->get_header()` instead of `apache_request_headers()`** to read headers in a portable, testable way. Always check isset() or truthiness before dereferencing array keys.
- **Test unauthenticated access to all endpoints.** Write a PHPUnit test that invokes each REST endpoint as an unauthenticated user and asserts a 401 or 403 response. Add the test to CI/CD.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2024-12264

CVE CVE-2024-12264

PRODUCT payu-india

AFFECTED ≤ 3.8.2

FIXED IN 3.8.5

STATUS Generated

Security writeup · CVE-2024-12264

Source files · 1

includes/class-payu-shipping-tax-api-calculation.php Linked

↗ NVD