WordPress Plugin Vulnerabilities
Woocommerce Customers Manager < 26.5 - Arbitrary Account Creation/Update by Low Privilege Users
Description
The upload_csv AJAX action, available to authenticated users, did not have proper capability checks, allowing any authenticated user, such as a subscriber, to call it and import arbitrary users. They could either update their own account to make themselves an administrator, or create new administrator accounts.
Note (WPScanTeam): Even though a capability check has been added in v26.5, there is still no CSRF protection, which could allow an attacker to perform the same attack by tricking a logged-in user with the manage_woocommerce capability into opening a malicious link/page. A separate issue has been created for it.
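The following is an added illustration of the bug class behind this advisory and the fix a maintainer would apply; it is not the Woocommerce Customers Manager plugin's code. Only the action name upload_csv and the manage_woocommerce capability come from the advisory; the function names, the nonce action, the CSV column layout and the wcm_example_ helpers are assumptions. It shows the vulnerable shape (a wp_ajax_ handler reachable by every logged-in user with no capability or nonce check) next to a hardened handler that addresses both the privilege escalation described above and the CSRF gap mentioned in the note.

```php
<?php
// Hypothetical minimal plugin (example code, not the plugin's own).

// Shared helper (assumed): parse "login,email,role" lines into rows.
function wcm_example_parse_rows( $csv ) {
    $rows = array();
    foreach ( preg_split( '/\r?\n/', trim( (string) $csv ) ) as $line ) {
        if ( '' === $line ) {
            continue;
        }
        list( $login, $email, $role ) = array_pad( str_getcsv( $line ), 3, '' );
        $rows[] = array(
            'login' => sanitize_user( $login, true ),
            'email' => sanitize_email( $email ),
            'role'  => sanitize_key( $role ),
        );
    }
    return $rows;
}

// Shared helper (assumed): create the user, or update the role of an existing one.
function wcm_example_import_row( $row ) {
    $user_id = email_exists( $row['email'] );
    if ( $user_id ) {
        return wp_update_user( array( 'ID' => $user_id, 'role' => $row['role'] ) );
    }
    return wp_insert_user( array(
        'user_login' => $row['login'],
        'user_email' => $row['email'],
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $row['role'],
    ) );
}

// VULNERABLE SHAPE (not hooked here): wp_ajax_* fires for every authenticated
// session, subscribers included, and nothing below verifies who is calling.
// A subscriber posting a row with their own e-mail and role=administrator is
// promoted; a row with a new e-mail creates a fresh administrator.
function wcm_example_upload_csv_vulnerable() {
    foreach ( wcm_example_parse_rows( $_POST['csv'] ?? '' ) as $row ) {
        wcm_example_import_row( $row );
    }
    wp_send_json_success();
}

// HARDENED handler: nonce + capability + no privilege escalation via the CSV.
add_action( 'wp_ajax_upload_csv', 'wcm_example_upload_csv_hardened' );
function wcm_example_upload_csv_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this logged-in user
    //    (wp_create_nonce( 'wcm_example_upload_csv' ) on the page that issues
    //    the request). check_ajax_referer() dies with 403 if it is missing/invalid.
    check_ajax_referer( 'wcm_example_upload_csv', 'nonce' );

    // 2. Capability: only users allowed to manage the shop may import customers.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $results = array();
    foreach ( wcm_example_parse_rows( $_POST['csv'] ?? '' ) as $row ) {
        // 3. Defence in depth: a CSV must not hand out roles the caller could not
        //    assign in the admin UI. Anyone without promote_users gets the plain
        //    customer role regardless of what the file says.
        if ( ! current_user_can( 'promote_users' ) || '' === $row['role'] ) {
            $row['role'] = 'customer';
        }
        $result    = wcm_example_import_row( $row );
        $results[] = is_wp_error( $result ) ? $result->get_error_message() : (int) $result;
    }
    wp_send_json_success( array( 'results' => $results ) );
}
```

Two points are worth checking when reviewing a handler like this in any plugin: whether the action is registered with wp_ajax_ (authenticated users) or wp_ajax_nopriv_ (everyone), and whether the capability tested matches the sensitivity of what the handler does. "Is logged in" is not an authorization check, and a nonce alone is not one either; the nonce stops cross-site requests while the capability check stops low-privilege users, so both are needed.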
Proof of Concept
Affects Plugins
References
Classification
Type
PRIVESC
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
John Castro (Pagely.com)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-02-24 (about 4 years ago)
Added
2021-03-30 (about 4 years ago)
Last Updated
2021-04-09 (about 4 years ago)