WooCommerce < 8.1.1 – Shop Manager+ User Metadata Disclosure | Plugin Vulnerabilities

Description

The plugin returns all user metadata via an AJAX action, which could allow users with a role as low as Shop Manager to access an arbitrary user's metadata which could include tokens and other potentially sensitive data

Proof of Concept

As a shop manager or product vendor admin:

Edit an order/create an order.
Search for a user (any user, including admin level users).
Select the user, then edit the billing/shipping address and use the Load (Billing|Shipping) Address tool.
Via your browser console, observe the resulting ajax request (action: woocommerce_get_customer_details) and response.

Affects Plugins

Fixed in 8.1.1

References

URL

https://hackerone.com/reports/1702658

URL

https://developer.woocommerce.com/2023/09/16/woocommerce-vulnerability-reintroduced-from-7-0-1/

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

David Anderson

Verified

Yes

WPVDB ID

bb9f355a-be33-41b1-af36-0a30c24bec8c

Timeline

Publicly Published

2023-09-11 (about 8 months ago)

Added

2023-09-11 (about 8 months ago)

Last Updated

2023-09-18 (about 7 months ago)

Other

Published

Title

Published

2023-11-30

Title

Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure

Published

2024-04-22

Title

Newsletters < 4.9.6 - Information Exposure via Log files

Published

2024-04-15

Title

Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress < 2.0.74 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure

Published

2022-03-09

Title

Booking Package < 1.5.29 - Unauthenticated Sensitive Data Disclosure

Published

2023-11-30

Title

Backup Migration < 1.3.7 - Unauthenticated Arbitrary File Download to Sensitive Information Exposure