WordPress Plugin Vulnerabilities
WooCommerce < 8.6 - Contributor+ Private/Draft Products Access
Description
The plugin does not prevent users with at least the contributor role from leaking products they shouldn't have access to (e.g. private, draft and trashed products).
Proof of Concept
1. ADMIN: Install WooCommerce
2. ADMIN: Add products of various visibility and statuses including Publish, Draft, Private, and create an extra one so that you can trash it
3. CONTRIBUTOR: Add a new post and embed one of the shortcode scenarios above (see supporting references for examples too)
4. CONTRIBUTOR: Save the post and preview it
5. CONTRIBUTOR: See product(s) you should not be able to access normally as you lack the expected WooCommerce/WordPress capabilities

## Supporting Material/References

Below are the shortcode patterns I tested with along with what is currently possible.

```
You can embed basic info about any Hidden product:
[product id="ANY_HIDDEN_PRODUCT_ID" visibility="hidden"]

You can embed any Hidden product:
[product_page id="ANY_HIDDEN_PRODUCT_ID"]

You can embed any Private, Draft, Pending Review, Trash product:
[product_page id="ANY_PRODUCT_ID" status="ANY_PRODUCT_STATUS"]
^^^ NOTE: if this is placed into the block editor, the editor will attempt to load that corresponding product ID on next editor load and prevent further edits to the original post. I've reported this separately to WooCommerce already. It's secure because it checks access rights on its own.

You can list any Hidden products:
[products visibility="hidden"]

You can list any Hidden products by ID:
[products ids="ANY_HIDDEN_PRODUCT_IDS_COMMA_SEPARATED" visibility="hidden"]
```
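A defender-side audit for the shortcode patterns above, as an added example (not part of the original advisory or WooCommerce's code): it scans post content written by low-privilege authors and flags product shortcodes that request a status, request hidden visibility, or reference a non-public product ID. The post and product records, their field names and the trusted-role set are constructed assumptions standing in for a site export.

```python
import re

# Tags and attributes are the ones in the shortcode patterns listed above.
SHORTCODE_RE = re.compile(r"\[(product_page|products|product)(?=[\s\]/])([^\]]*)\]")
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
# Assumption: only these roles may legitimately see non-public products.
TRUSTED_ROLES = {"administrator", "shop_manager"}

def parse_attrs(raw):
    """Return shortcode attributes as a dict with lower-cased names."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(raw)}

def audit_posts(posts, products):
    """Return (post_id, shortcode, reasons) for embeds reaching non-public products."""
    findings = []
    for post in posts:
        if post["author_role"] in TRUSTED_ROLES:
            continue
        for m in SHORTCODE_RE.finditer(post["content"]):
            attrs = parse_attrs(m.group(2))
            reasons = []
            if "status" in attrs:
                reasons.append("status=" + attrs["status"] + " requested")
            if attrs.get("visibility") == "hidden":
                reasons.append("visibility=hidden requested")
            ids = attrs.get("ids", attrs.get("id", ""))
            for pid in (p.strip() for p in ids.split(",") if p.strip()):
                meta = products.get(pid)
                if meta and (meta["status"] != "publish" or meta["visibility"] == "hidden"):
                    reasons.append(f"product {pid} is {meta['status']}/{meta['visibility']}")
            if reasons:
                findings.append((post["id"], m.group(0), reasons))
    return findings

# Constructed sample data standing in for an export of posts and product metadata.
PRODUCTS = {"101": {"status": "publish", "visibility": "visible"},
            "102": {"status": "draft", "visibility": "visible"},
            "103": {"status": "publish", "visibility": "hidden"}}
POSTS = [
    {"id": 1, "author_role": "contributor", "content": 'Intro [product_page id="102" status="draft"] text'},
    {"id": 2, "author_role": "contributor", "content": '[product id="101"] and [product_categories]'},
    {"id": 3, "author_role": "author", "content": "[products ids='101, 103' visibility=\"hidden\"]"},
    {"id": 4, "author_role": "administrator", "content": '[product_page id="102" status="draft"]'},
]

if __name__ == "__main__":
    for finding in audit_posts(POSTS, PRODUCTS):
        print(finding)
```

Findings on a site already updated to 8.6 or later still indicate posts worth reviewing, since they show which authors attempted to embed products outside their capabilities.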
Affects Plugins
References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
Miscellaneous
Original Researcher
Scott Kingsley Clark
Submitter
Scott Kingsley Clark
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-03-25
Added
2024-03-25
Last Updated
2024-03-25