WordPress Plugin Vulnerabilities

TrustMate.io integration for WooCommerce < 1.7.1 - Subscriber+ Arbitrary Blog Option Update

Description

The plugin does not have any CSRF or authorisation checks in the save_checkbox AJAX action, which is available to any authenticated user, and does not validate the option key to ensure that the option being updated belongs to the plugin. As a result, any authenticated user, such as a subscriber, can update arbitrary WordPress options, for example the siteurl, which would redirect all visitors to an arbitrary website.

v1.7.1 added a check to ensure that the option to be updated starts with trustmate_, but is still missing any authorisation and CSRF checks. A separate issue has been created for it.
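
The three checks the description names (CSRF nonce, capability, option-key validation) applied to a save_checkbox handler, as an added example that is not the plugin's own code. The handler name, nonce action, request field names and option names are assumptions, and the key check uses an exact allowlist rather than only the trustmate_ prefix.

```php
<?php
// Added example: hardened handler for the save_checkbox AJAX action.
// Handler name, nonce action, request fields and option names are hypothetical.
defined( 'ABSPATH' ) || exit;

// Exact allowlist of the options this action may write (hypothetical names).
const TM_EXAMPLE_ALLOWED_OPTIONS = array(
    'trustmate_example_widget_enabled',
    'trustmate_example_invitations_enabled',
);

function tm_example_save_checkbox() {
    // 1. CSRF: verify a nonce bound to this action and the current session.
    if ( ! check_ajax_referer( 'tm_example_save_checkbox', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }

    // 2. Authorisation: wp_ajax_* hooks fire for every logged-in role,
    //    subscribers included, so the capability has to be checked here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 3. Option key: exact match against the allowlist, so core options
    //    such as siteurl can never be reached through this action.
    $option = isset( $_POST['option'] )
        ? sanitize_key( wp_unslash( $_POST['option'] ) )
        : '';
    if ( ! in_array( $option, TM_EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'Unknown option', 400 );
    }

    // 4. Value: a checkbox is boolean, so store only '1' or '0'.
    $value = ( isset( $_POST['value'] ) && 'true' === $_POST['value'] ) ? '1' : '0';
    update_option( $option, $value );

    wp_send_json_success( array( 'option' => $option, 'value' => $value ) );
}

// Logged-in users only; no wp_ajax_nopriv_ counterpart is registered.
add_action( 'wp_ajax_save_checkbox', 'tm_example_save_checkbox' );

// The settings page that renders the checkbox hands its script the value of
// wp_create_nonce( 'tm_example_save_checkbox' ), sent back as the 'nonce' field.
```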

Proof of Concept

Affects Plugins

Classification

Type
ACCESS CONTROLS
CWE
CVSS

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes

Timeline

Publicly Published
2022-01-03 (about 4 years ago)
Added
2022-01-03 (about 4 years ago)
Last Updated
2022-01-03 (about 4 years ago)

Other