The Product Stock Manager WordPress plugin is an essential tool for online store managers who use WordPress to manage their store's stock. It simplifies stock management and integrates seamlessly with WooCommerce. However, a critical vulnerability has been discovered in the plugin, which may greatly compromise the security of online stores. The affected versions of the plugin are before 1..5. This vulnerability allows any user with a minimal role, such as subscriber, to perform unauthorised actions and modify essential options on the website.

Exploit Details

The vulnerability lies in the plugin's lack of proper authorisation and CSRF checks for multiple AJAX actions, which leaves those actions reachable by low-privileged users. Because the actions are not restricted, a subscriber can alter essential aspects of the site and disrupt the website or the management of the online store.

In particular, one of the exposed actions is the plugin's option-update handler, which takes both the option name and the option value from the request, so the caller can overwrite arbitrary options. This exposure could enable an attacker to modify crucial aspects of the website or gain unauthorised access to sensitive information.

Affected Code Snippet

The vulnerable code snippet is located in the "product_stock_manager_ajax_callback()" function in "includes/ajax.php".

function product_stock_manager_ajax_callback() {
    // Missing authorization and CSRF checks here

    switch ($_POST['method']) {
        case 'update_option':
            $option_name  = sanitize_text_field($_POST['option_name']);
            $option_value = sanitize_text_field($_POST['option_value']);
            update_option($option_name, $option_value);
            break;
    }
}
add_action('wp_ajax_product_stock_manager_ajax', 'product_stock_manager_ajax_callback');

Notice the missing authorization and CSRF checks, which enable any logged-in user, regardless of role, to perform actions such as updating options on the website.
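For comparison, the following is an added, hardened version of the handler written for this write-up; it is not the plugin's actual patch. The nonce action name `psm_ajax_nonce`, the option allowlist entries and the script handles are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's own code): the same AJAX handler with the
// three controls the vulnerable version lacks: a nonce check (CSRF), a
// capability check (authorization) and an allowlist of option names.
// 'psm_ajax_nonce' and the allowlisted option names are assumed values.

function product_stock_manager_ajax_callback_hardened() {
    // 1. CSRF: the request must carry a valid nonce for this action.
    //    check_ajax_referer() terminates the request if the nonce is bad.
    check_ajax_referer( 'psm_ajax_nonce', 'nonce' );

    // 2. Authorization: only users who may manage options get further.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $method = isset( $_POST['method'] ) ? sanitize_key( $_POST['method'] ) : '';

    switch ( $method ) {
        case 'update_option':
            // 3. Allowlist: the client never gets to pick an arbitrary option.
            $allowed_options = array( 'psm_low_stock_threshold', 'psm_notify_email' );
            $option_name     = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
            if ( ! in_array( $option_name, $allowed_options, true ) ) {
                wp_send_json_error( array( 'message' => 'Option not permitted.' ), 400 );
            }
            $option_value = isset( $_POST['option_value'] )
                ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
                : '';
            update_option( $option_name, $option_value );
            wp_send_json_success( array( 'updated' => $option_name ) );
            break;
        default:
            wp_send_json_error( array( 'message' => 'Unknown method.' ), 400 );
    }
}
add_action( 'wp_ajax_product_stock_manager_ajax', 'product_stock_manager_ajax_callback_hardened' );

// The admin page that issues the request must embed the matching nonce,
// for example when enqueuing the plugin's admin script (assumed file name).
function psm_enqueue_admin_script() {
    wp_enqueue_script( 'psm-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'psm-admin', 'psmAjax', array(
        'nonce' => wp_create_nonce( 'psm_ajax_nonce' ),
        'url'   => admin_url( 'admin-ajax.php' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'psm_enqueue_admin_script' );
```

With these checks in place, a request like the one shown in the exploit section fails at the nonce check before any option is touched, and even a request carrying a valid nonce is rejected unless it comes from a user with `manage_options`.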

How to Exploit

An attacker who is logged in as a subscriber can exploit this vulnerability by sending the following AJAX request:

POST /wp-admin/admin-ajax.php?action=product_stock_manager_ajax HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded

method=update_option&option_name=arbitrary_option&option_value=new_value

By sending requests like the one above, the attacker can modify essential options on the website, ultimately compromising its security.

Resolution

The vulnerability has been patched in the Product Stock Manager plugin, version 1..5. To secure your website, it's highly recommended to update the plugin to the latest version ASAP.

Original references

1. WPScan Vulnerability Database: https://wpscan.com/vulnerability/f443c864-955b-4aa1-ba77-a1953d3d792a
2. WordPress Plugin Repository: https://wordpress.org/plugins/product-stock-manager/
3. Changelog for Product Stock Manager: https://wordpress.org/plugins/product-stock-manager/#developers

Conclusion

The CVE-2022-3451 vulnerability in the Product Stock Manager WordPress plugin exposes online stores to significant risks. It's vital to act swiftly and update the plugin to the latest secure version. Proper security measures, such as regular plugin updates and user access reviews, can help avoid such exploitations in the future.

Timeline

Published on: 11/07/2022 10:15:00 UTC
Last modified on: 07/21/2023 18:21:00 UTC