Woocommerce Subscriptions < 3.0.3 – CSRF to Cancel/Re-Activate Subscription | Plugin Vulnerabilities

Description

During a blog assessment, we identified a CSRF issue in the Woocommerce Subscriptions plugin, which could allow attackers to cancel and re-activate a logged in user's subscription. Even though the _wpnonce parameter was needed in the request, its value was not verified, allowing an empty value to be honoured.

Knowledge of the subscription_id parameter is required, or could be iterated upon hoping to guess the correct one for the logged in user.

Proof of Concept

https://example.com/my-account/view-subscription/?subscription_id=XXXXX&change_subscription_to=cancelled&_wpnonce=

https://example.com/my-account/view-subscription/?subscription_id=XXXXX&change_subscription_to=active&_wpnonce=

Affects Plugins

woocommerce-subscriptions

Fixed in 3.0.3

References

URL

https://woocommerce.com/products/woocommerce-subscriptions/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dewhurst Security

Verified

Yes

WPVDB ID

a5360943-e1fa-4fad-8996-213438c428c9

Timeline

Publicly Published

2020-04-02 (about 6 years ago)

Added

2021-03-01 (about 5 years ago)

Last Updated

2021-03-02 (about 5 years ago)

Other

Published

Title

Published

2024-11-01

Title

Featured Posts Scroll <= 1.25 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-12-16

Title

Tidy Up <= 1.3 - Cross-Site Request Forgery

Published

2023-05-31

Title

TS Webfonts for さくらのレンタルサーバ < 3.1.3 - Font Type Settings Change via CSRF

Published

2023-02-28

Title

OAuth Single Sign On - SSO (OAuth Client) Standard < 28.4.9 - IdP Deletion via CSRF

Published

2024-12-12

Title

CRUDLab Google Plus Button <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting