WordPress Plugin Vulnerabilities

Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation

Description

The plugin registers one AJAX action intended for installing addon plugins from WordPress.org. The callback method for this action has neither a capability check nor a nonce check. This enables any logged-in user to post a request to the endpoint and install, activate or deactivate any plugin. Because the action is not registered with a "nopriv" hook, this exploit can only be used when logged in.

The plugin is used in conjunction with the e-commerce plugin WooCommerce, which in most cases creates a WordPress user when a purchase is made in the shop. Many shops also allow visitors to register as customers. We have verified that the exploit can be used by users who have the customer role, which means that many websites are affected.

This exploit works in version 2.0.9 and in every version back to 1.0.9.
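
The two missing checks described above, shown in a hardened AJAX handler. This is an added example, not the plugin's own code or its actual fix; the action name, nonce name, request fields, function names and addon allowlist are all hypothetical, and only the request checks are shown.

```php
<?php
// Added example, not the plugin's code. 'example_addon_change', the 'nonce',
// 'plugin' and 'plugin_action' fields and both function names are hypothetical.

// Logged-in users only: no matching wp_ajax_nopriv_ hook is registered.
// That alone is not authorization, since customers are logged-in users too.
add_action( 'wp_ajax_example_addon_change', 'example_addon_change' );

// Hypothetical allowlist of the addon slugs the admin screen is meant to offer.
function example_allowed_addons() {
    return array( 'example-addon-one', 'example-addon-two' );
}

function example_addon_change() {
    // 1. Nonce check: the request must carry a nonce created with
    //    wp_create_nonce( 'example_addon_change' ). Terminates the request if not.
    check_ajax_referer( 'example_addon_change', 'nonce' );

    $action = isset( $_POST['plugin_action'] )
        ? sanitize_key( wp_unslash( $_POST['plugin_action'] ) ) : '';
    $slug   = isset( $_POST['plugin'] )
        ? sanitize_key( wp_unslash( $_POST['plugin'] ) ) : '';

    // 2. Capability check: map each operation to the capability it needs.
    //    The customer and subscriber roles hold neither of these.
    $required = array(
        'install'    => 'install_plugins',
        'activate'   => 'activate_plugins',
        'deactivate' => 'activate_plugins', // same primitive governs deactivation
    );
    if ( ! isset( $required[ $action ] ) || ! current_user_can( $required[ $action ] ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Target check: only the known addons, never an arbitrary slug.
    if ( ! in_array( $slug, example_allowed_addons(), true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown addon' ), 400 );
    }

    // The install / activate / deactivate call belongs here, after all checks.
    wp_send_json_success( array( 'action' => $action, 'plugin' => $slug ) );
}
```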

Timeline

Publicly Published: 2020-04-08
Added: 2020-04-09
Last Updated: 2020-05-04
