Insufficient Privilege Validation in WooCommerce Checkout Manager

  • April 29, 2019
WordPress Vulnerability Detail

Exploitation Level: Easy / Remote

DREAD Score: 6

Vulnerability: Arbitrary File Upload

Patched Version: 4.3

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately.

As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is.

Current State of the Vulnerability

This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched. It can be exploited by unauthenticated remote attackers if users have the Categorize Uploaded Files option enabled in the plugin settings.

What Is It All About?

A WordPress plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.

Unfortunately, vulnerable versions of the WooCommerce Checkout Manager are giving access to an upload functionality without using the proper restrictions. Under certain circumstances, this can allow a bad actor to upload malicious files to the affected site, modify data, or gain administrative access.

Indicators of Compromise

You can look for requests pointing to the PHP file /wp-admin/admin-ajax.php with the following parameter in your access logs:

  • wccs_upload_file_func
  • order_id
  • Name

Protect Yourself

Users with vulnerable versions of this plugin should update to version 4.3 as soon as possible, however, it’s worth noting that this vulnerability was left unpatched for weeks. Due to the unresponsive nature of the development team, we’d encourage you to pursue other plugin options that have more active development teams and demonstrate a concern for security.

If you’re seeing symptoms of a hack and need a hand cleaning it up, contact us—we’d be happy to help clean up your site.

Note: Users of our Web Application Firewall (WAF) product are already protected against this threat via our virtual patching feature.

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Related Tags
Related Categories
You May Also Like