Insufficient Privilege Validation in WooCommerce Checkout Manager

Exploitation Level: Easy / Remote

DREAD Score: 6

Vulnerability: Arbitrary File Upload

Patched Version: 4.3

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately.

As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is.

Current State of the Vulnerability

This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched. It can be exploited by unauthenticated remote attackers if users have the Categorize Uploaded Files option enabled in the plugin settings.

What Is It All About?

A WordPress plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.

Unfortunately, vulnerable versions of the WooCommerce Checkout Manager are giving access to an upload functionality without using the proper restrictions. Under certain circumstances, this can allow a bad actor to upload malicious files to the affected site, modify data, or gain administrative access.

Indicators of Compromise

You can look for requests pointing to the PHP file /wp-admin/admin-ajax.php with the following parameter in your access logs:

wccs_upload_file_func
order_id
Name

Protect Yourself

Users with vulnerable versions of this plugin should update to version 4.3 as soon as possible, however, it’s worth noting that this vulnerability was left unpatched for weeks. Due to the unresponsive nature of the development team, we’d encourage you to pursue other plugin options that have more active development teams and demonstrate a concern for security.

If you’re seeing symptoms of a hack and need a hand cleaning it up, contact us—we’d be happy to help clean up your site.

Note: Users of our Web Application Firewall (WAF) product are already protected against this threat via our virtual patching feature.

John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Related Tags

WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations

Antony Garand
July 3, 2019

The WordPress plugin WP Statistics, which has an active installation base of 500k users, has an unauthenticated stored XSS vulnerability on versions prior to 12.6.7.…

Read the Post

Attacks on Closed WordPress Plugins

John Castro
April 10, 2019

The WordPress plugin repository team may “close” plugins and restrict downloads when they become aware of a security issue that the developer cannot fix quickly.…

Read the Post

Authentication Bypass Vulnerability in InfiniteWP Client <= 1.9.4.4

Marc-Alexandre Montpas
January 16, 2020

An authentication bypass vulnerability affecting more than 300,000 InfiniteWP Client plugin users has recently been disclosed to the public. This plugin allows site owners to…

Read the Post

WordPress Redirect Hack via Test0.com/Default7.com

R_Evil WordPress Hacktool & Malicious JavaScript Injections

Luke Leal
October 22, 2020

We often see hackers reusing the same malware, with only a few new adjustments to obfuscate the code so that it is more difficult for…

Read the Post

Using WPScan: Finding WordPress Vulnerabilities

Alycia Mitchell
December 23, 2015

When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if…

Read the Post

Using Innocent roles to hide admin users

Cesar Anjos
July 18, 2018

All across the internet we find guides and tutorials on how to keep your WordPress site secure, and they all approach the concept of user…

Read the Post

SQL Injection Vulnerability in WP Statistics

John Castro
June 30, 2017

Update 11/3/2017: We are always looking for the latest to be shared with you and now we have released our WordPress Security Guide, were you…

Read the Post

Critical Vulnerability in File Manager Plugin Affecting 700k WordPress Websites

Antony Garand
September 2, 2020

Yesterday, the WordPress plugin File Manager was updated, fixing a critical vulnerability allowing any website visitor to gain complete access to the website. Users of…

Read the Post

Raising Awareness: WPBeginner Spotlight

Chase Watts
September 30, 2019

We’re dedicated to creating the best website security guides and professional services. One way we get our message out is by partnering with open-source CMS…

Read the Post

Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

Denis Sinegubko
August 22, 2018

This August, we’ve seen a new massive wave of WordPress infections that redirect visitors to unwanted sites. When redirected, users see annoying pages with random…

Read the Post

Current State of the Vulnerability

What Is It All About?

Indicators of Compromise

Protect Yourself

Related Tags

Related Categories

You May Also Like