WooCommerce Conditional Marketing Mailer < 1.5.2 - Arbitrary Plugin Installation/Activation via Low Privilege User
Description
Low-privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins already present on the blog. This lets attackers install vulnerable plugins and could lead to more critical vulnerabilities such as RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- wp-buy/WooCommerce Conditional Marketing Mailer, affected range: < 1.5.2
Patches
- Fixed in 1.5.2
Vulnerability mechanics
Root cause
"Missing capability checks on the AJAX action 'cp_plugins_do_button_job_later_callback' allows low-privileged users to install and activate arbitrary plugins."
Attack vector
An attacker with low-privileged access (e.g., a subscriber or contributor) can send a crafted AJAX request to the 'cp_plugins_do_button_job_later_callback' action [ref_id=1]. The request can specify any plugin slug (and version) from the WordPress.org repository to be installed, and can also activate any already-installed plugin on the blog [ref_id=1]. This enables the attacker to install vulnerable plugins and escalate to more critical vulnerabilities such as remote code execution [ref_id=1].
Affected code
The vulnerable AJAX action is 'cp_plugins_do_button_job_later_callback' [ref_id=1]. The advisory does not specify the exact file or function name within the plugin.
What the fix does
The advisory does not include a patch diff, but the vulnerability was fixed in version 1.5.2 of the WooCommerce Conditional Marketing Mailer plugin [ref_id=1]. The fix presumably adds proper capability checks (and a nonce check) to the AJAX handler so that only users with sufficient privileges (e.g., administrators) can install or activate plugins. Without such checks, any authenticated user can trigger plugin installation and activation.
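The following is an added example, not the plugin's own code (the advisory does not publish the vulnerable handler or the patch): it shows the shape of a plugin-install/activate AJAX handler with the controls the advisory says were missing. The AJAX action name is the one from the advisory; all function names, the `job`/`slug`/`nonce` request parameters and the nonce action string are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code): a plugin-install / plugin-activate
 * AJAX handler carrying the checks the advisory describes as missing.
 * The action name comes from the advisory; every function name, request
 * parameter and the nonce action string below are hypothetical.
 */

add_action(
    'wp_ajax_cp_plugins_do_button_job_later_callback',
    'example_hardened_plugin_job_callback'
);

function example_hardened_plugin_job_callback() {
    // 1. Request-forgery check: the nonce ties the request to this user and action.
    //    check_ajax_referer() terminates the request when the nonce is bad or absent.
    check_ajax_referer( 'example_plugin_job', 'nonce' );

    // 2. Capability check (the missing control): installing and activating plugins is an
    //    administrator-level operation; subscribers and contributors hold neither capability.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $job  = isset( $_POST['job'] )  ? sanitize_key( wp_unslash( $_POST['job'] ) )  : '';
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';

    // 3. Input validation: a WordPress.org slug is lowercase letters, digits and dashes only;
    //    paths, URLs or anything else are rejected before reaching the installer.
    if ( '' === $slug || ! preg_match( '/^[a-z0-9-]+$/', $slug ) ) {
        wp_send_json_error( array( 'message' => 'invalid plugin slug' ), 400 );
    }

    switch ( $job ) {
        case 'install':
            wp_send_json( example_install_from_wporg( $slug ) );
            break;
        case 'activate':
            wp_send_json( example_activate_by_slug( $slug ) );
            break;
        default:
            wp_send_json_error( array( 'message' => 'unknown job' ), 400 );
    }
}

/** Install a plugin by slug through core's upgrader, resolving the package via the wp.org API. */
function example_install_from_wporg( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the slug through the official API rather than accepting a caller-supplied
    // download URL or version, so the install source is always the WordPress.org repository.
    $info = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $info ) ) {
        return array( 'success' => false, 'message' => $info->get_error_message() );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $info->download_link );

    return array( 'success' => true === $result, 'slug' => $slug );
}

/** Activate only a plugin that is already installed, matched by its directory name. */
function example_activate_by_slug( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    foreach ( array_keys( get_plugins() ) as $plugin_file ) {
        // Plugin files look like "<dir>/<file>.php"; single-file plugins have dirname "." and
        // will not match. Matching on the installed list keeps user input out of file paths.
        if ( dirname( $plugin_file ) === $slug ) {
            $err = activate_plugin( $plugin_file );
            return array( 'success' => null === $err, 'plugin' => $plugin_file );
        }
    }
    return array( 'success' => false, 'message' => 'plugin not installed' );
}
```

The order matters: the nonce check runs first so a forged cross-site request is rejected before any state is touched, and the capability check is the control that, per the advisory, separates this handler from the vulnerable one. Because `current_user_can( 'install_plugins' )` is false on multisite for everyone except the network administrator, the same code also behaves correctly on a network install.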
Preconditions
- Authentication: the attacker must be an authenticated low-privileged user (e.g., subscriber or contributor) on the WordPress site.
- Network: the attacker must be able to send AJAX requests to the WordPress admin-ajax.php endpoint.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c (MITRE, x_refsource_CONFIRM)