WordPress Plugin Vulnerabilities
Booster for WooCommerce - Subscriber+ Order Status Update
Description
The plugins allow users to update their own order status via a settings defined by admins when the My Account module is enabled, however does not ensure that the status set is allowed. As a result, users could set arbitrary status to their own orders, making them paid without actually paying for them even though admins did not allow such status to be set.
Proof of Concept
Requirements: - Enable the "My Account" module of the plugin (/wp-admin/admin.php?page=wc-settings&tab=jetpack&wcj-cat=dashboard§ion=all_module) - Add a status such as Canceled in the "Add Order Status Actions" settings of the module (/wp-admin/admin.php?page=wc-settings&tab=jetpack&wcj-cat=emails_and_misc§ion=my_account) As any logged in user, such as a subscriber, place an order and go the Order dashboard, a 'Canceled' action will be displayed in the Actions column, copy its link and change the status=canceled to status=processing, e.g: https://example.com/?wcj_action=wcj_woocommerce_mark_order_status&status=processing&order_id=337&_wpnonce=f3f6e8839d
Affects Plugins
Fixed in 5.6.3
Fixed in 5.6.1
Fixed in 1.1.3 Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-09-19 (about 1 years ago)
Added
2022-09-19 (about 1 years ago)
Last Updated
2022-11-02 (about 1 years ago)
WPScan 