Insufficient Privilege Validation in WooCommerce Checkout Manager

Exploitation Level: Easy / Remote

DREAD Score: 6

Vulnerability: Arbitrary File Upload

Patched Version: 4.3

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately.

As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is.

Current State of the Vulnerability

This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched. It can be exploited by unauthenticated remote attackers if users have the Categorize Uploaded Files option enabled in the plugin settings.

What Is It All About?

A WordPress plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.

Unfortunately, vulnerable versions of the WooCommerce Checkout Manager are giving access to an upload functionality without using the proper restrictions. Under certain circumstances, this can allow a bad actor to upload malicious files to the affected site, modify data, or gain administrative access.

Indicators of Compromise

You can look for requests pointing to the PHP file /wp-admin/admin-ajax.php with the following parameter in your access logs:

wccs_upload_file_func
order_id
Name

Protect Yourself

Users with vulnerable versions of this plugin should update to version 4.3 as soon as possible, however, it’s worth noting that this vulnerability was left unpatched for weeks. Due to the unresponsive nature of the development team, we’d encourage you to pursue other plugin options that have more active development teams and demonstrate a concern for security.

If you’re seeing symptoms of a hack and need a hand cleaning it up, contact us—we’d be happy to help clean up your site.

Note: Users of our Web Application Firewall (WAF) product are already protected against this threat via our virtual patching feature.

John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Related Tags

Spotlight: How a Digital Marketing Agency Secures Client Sites

Nikki Gerren
June 2, 2017

Based in Melbourne, Australia for over 17 years, 24Digital knows what it takes to succeed in the ever-evolving digital marketing space which is no longer…

Read the Post

Fake Font Domain Used to Skim Credit Card Data

Kayleigh Martin
April 10, 2025

Recently, a client of ours came to us concerned about credit card theft on their WordPress site. The client’s users reported that their credit card…

Read the Post

WordPress REST API Vulnerability Abused in Defacement Campaigns

Daniel Cid
February 6, 2017

WordPress 4.7.2 was released two weeks ago, including a fix for a severe vulnerability in the WordPress REST API. We have been monitoring our WAF…

Read the Post

Fake WordPress Plugin SiteSpeed Hosts Malicious Ads & Backdoors

Fake WordPress Plugin SiteSpeed Serves Malicious Ads & Backdoors

Krasimir Konov
July 16, 2020

Fake WordPress plugins appear to be trending as an effective way of establishing a foothold on compromised websites. During a recent investigation, we discovered a…

Read the Post

How to Backup a WordPress Site for Free with WP-CLI

Rianna MacLeod
December 22, 2022

Regular website backups are the foundation of a solid website security plan. In the event of data loss or malware infection, restoring a WordPress backup…

Read the Post

An Overview of Basic WordPress Hardening

Ben Martin
July 14, 2021

We have discussed in the past how out-of-the-box security configurations tend to not be very secure. This is usually true for all software and WordPress…

Read the Post

New WordPress Security Email Course

Rianna MacLeod
November 5, 2018

Recent statistics show that over 32% of website administrators across the web use WordPress. Unfortunately, the CMSs popularity comes at a price — attackers often…

Read the Post

HTML entity encoding in WordPress malware

Data URLs and HTML Entities in New WordPress Malware

Denis Sinegubko
October 30, 2019

Last week, an ongoing WordPress malware campaign started a new wave which included a variety of experimental injection types. Scripts as Data URLs The first…

Read the Post

Vulnerabilities Digest: March 2020

John Castro
March 27, 2020

Fixed Plugins and Vulnerabilities Plugin Vulnerability Patched Version Installs Cookiebot Reflected Cross-Site Scripting 3.6.1 40000 Data Tables Generator By Supsystic Authenticated Stored XSS 1.9.92 30000…

Read the Post

New XM1RPC SEO Spam and Backdoor Campaign

Fernando Barbosa
November 8, 2016

We have been monitoring a new campaign specifically targeting WordPress sites, using hundreds of them for SEO spam distribution. We call it the XM1RPC campaign…

Read the Post

Current State of the Vulnerability

What Is It All About?

Indicators of Compromise

Protect Yourself

Related Tags

Related Categories

You May Also Like