There are SQL injection and unauthenticated stored XSS vulnerabilities in the Discount Rules for WooCommerce WordPress plugin.
The Discount Rules for WooCommerce plugin (versions 2.0.2 and below) suffers from multiple vulnerabilities, including SQL injection, authorization issues and unauthenticated stored cross-site scripting.
In this case, the unauthenticated stored cross-site scripting issue may lead to remote code execution.
The plugin is described as one that lets you create any kind of bulk discounts, dynamic pricing, advanced discounts, percentage discounts, product-based discounts and tiered discounts for your products. It had 30,000+ active installations as of August 7th, 2020.
The described issues were fixed in version 2.1.0 following a rapid response by the plugin's developers.
The issues in this plugin are caused by insufficient authorization and nonce token checks. The plugin registers several AJAX actions, one of which, wp_ajax_wdr_ajax, handles almost all of the different AJAX actions that are supposed to be accessible only to administrators.
Unfortunately this AJAX action is also registered as wp_ajax_nopriv_wdr_ajax. Even if wp_ajax_nopriv_wdr_ajax had not been registered, authenticated users could still exploit this, since wp_ajax_wdr_ajax does not perform any authorization or CSRF check.
A snippet of what the wdr_ajax_requests method (which is bound to both AJAX actions) looks like is shown below.
```php
public function wdr_ajax_requests()
{
    $result = null;
    // The method to call is taken straight from the POST parameter "method"
    $method = $this->input->post('method', '');
    $method_name = 'wdr_ajax_' . $method;
    // Any method of this class with a matching name is invoked, with no
    // capability or nonce check beforehand
    if (method_exists($this, $method_name)) {
        $result = $this->$method_name();
    }
    wp_send_json_success($result);
}
```
It takes the method it should execute from the method POST parameter and executes it as long as it is part of the current class scope. Some of the methods in the class are of no interest, but several could result in serious vulnerabilities.
These actions could be executed by any unauthenticated user. There is no authentication, authorization, or CSRF check at all. Some of the methods of interest are listed below.
- Retrieve a list (user ID and username only) of all users.
- Retrieve the list of all coupon codes.
- Update the configuration settings (of the plugin only), which could cause a great financial loss if a shop notices too late.
- Since the values of several configuration settings are displayed to the user, unauthenticated stored XSS is possible on both the frontend and the backend through values such as on_sale_badge_html, applied_rule_message, and awdr_banner_editor, which could lead to remote code execution since arbitrary code could then be executed on the admin screen.
- Overwriting the values awdr_banner_editor and display_banner_text together allows any unauthenticated user to inject XSS into any display location they want, such as the header, the footer or any admin page.
- Save a discount rule.
- Delete a discount rule.
- Duplicate a discount rule.
- This method is also susceptible to SQL injection, because the rowid POST parameter is used directly in a SQL query.
- Bulk enable, disable, or delete discount rules.
The patch for version 2.1.0 is available here, and it shows that an authorization and CSRF check was added to the admin methods.
The image below shows that the AJAX action handler can now only be executed by authorized users, or if the action is a public frontend AJAX action. The individual AJAX admin actions also check whether a valid CSRF token is present.
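To make the fix concrete, here is an added example of a hardened dispatcher of the same shape as wdr_ajax_requests. It is not the plugin's code nor the 2.1.0 patch: the class name, the method names, the nonce action, the capability, the option names and the table name are all assumptions. It shows the three controls the advisory describes as missing: an explicit allowlist instead of "any method in this class", a nonce check for CSRF, and a capability check for authorization, plus a prepared statement for the rowid parameter and output escaping for the HTML-bearing settings.

```php
<?php
// Added example, not the plugin's code. All names below are assumptions.
class Example_Ajax_Handler {

    // Read-only methods a frontend (nopriv) request may legitimately reach.
    private $public_methods = array( 'get_applied_rule_message' );

    // State-changing admin methods: require a valid nonce and a capability.
    private $admin_methods = array( 'save_rule', 'delete_rule', 'duplicate_rule', 'save_settings' );

    public function register() {
        add_action( 'wp_ajax_example_ajax',        array( $this, 'ajax_requests' ) );
        add_action( 'wp_ajax_nopriv_example_ajax', array( $this, 'ajax_requests' ) );
    }

    public function ajax_requests() {
        $method = isset( $_POST['method'] ) ? sanitize_key( wp_unslash( $_POST['method'] ) ) : '';

        if ( in_array( $method, $this->public_methods, true ) ) {
            // Public read-only method: no privilege required.
        } elseif ( in_array( $method, $this->admin_methods, true ) ) {
            // CSRF: dies with 403 unless a valid nonce for this action is present.
            check_ajax_referer( 'example_admin_nonce', 'security' );
            // Authorization: only shop managers / administrators may continue.
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
            }
        } else {
            // Unknown method: never fall back to method_exists() on the whole class.
            wp_send_json_error( array( 'message' => 'Unknown method' ), 400 );
        }

        $result = $this->{ 'ajax_' . $method }();
        wp_send_json_success( $result );
    }

    // Assumed duplicate method: rowid is cast to an integer and bound with
    // $wpdb->prepare(), so it cannot change the structure of the query.
    private function ajax_duplicate_rule() {
        global $wpdb;
        $rowid = isset( $_POST['rowid'] ) ? absint( $_POST['rowid'] ) : 0;
        if ( 0 === $rowid ) {
            return null;
        }
        $table = $wpdb->prefix . 'example_rules'; // assumed table name
        $row   = $wpdb->get_row(
            $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $rowid ),
            ARRAY_A
        );
        if ( ! $row ) {
            return null;
        }
        unset( $row['id'] );
        $wpdb->insert( $table, $row );
        return $wpdb->insert_id;
    }

    // Assumed settings save: HTML-bearing settings pass through wp_kses_post()
    // so a stored value cannot carry script into the frontend or admin screen.
    private function ajax_save_settings() {
        $badge = isset( $_POST['on_sale_badge_html'] )
            ? wp_kses_post( wp_unslash( $_POST['on_sale_badge_html'] ) )
            : '';
        update_option( 'example_on_sale_badge_html', $badge );
        return true;
    }

    // Assumed public read-only method; the value is escaped before it is returned.
    private function ajax_get_applied_rule_message() {
        return esc_html( get_option( 'example_applied_rule_message', '' ) );
    }
}
```

The split into a public allowlist and an admin allowlist is the key design choice: a single nopriv handler is fine for genuinely public frontend calls, but every method that writes settings or rules must sit behind both check_ajax_referer() and current_user_can(), and the fallback for anything not on either list is a 400, not a dynamic method call.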
07-08-2020 – We discovered the vulnerability in Discount Rules for WooCommerce and released a virtual patch to all WebARX customers.
07-08-2020 – We reported the problem to the developer of the plugin.
07-08-2020 – The developer replied and started working on a fix.
12-08-2020 – The developer asked us to review the fixed version, which we approved.
13-08-2020 – Version 2.1.0 was released, which contains the proper fixes.
20-08-2020 – Published this article.
The post Multiple Vulnerabilities In Discount Rules for WooCommerce Plugin appeared first on WebARX.