WooCommerce Anti-Fraud < 3.9 - Unauthenticated Order Status Manipulation

Description

The plugin is affected by an issue where an unauthenticated user could change the status of any order to Processing, because the code path that changed the order status performed no authentication, authorization or nonce checks. The order_id used in the request was also predictable (sequential).

At the level of a single order, a customer who has already received their goods can set the order status back to Processing, which may have unintended consequences, such as allowing them to claim the order has not been shipped yet.

At the level of the whole site, order IDs can simply be iterated sequentially from 1 upwards, and every order on the site can be set to Processing, requiring remediation by the site owner before business can continue.

Miscellaneous

Original Researcher: Brian Henry
Submitter: Brian Henry
Verified: Yes

Timeline

Publicly Published: 2020-11-22
Added: 2020-11-23
Last Updated: 2022-10-12