CVE-2022-40128: Cross-Site Request Forgery (CSRF) Vulnerability in Advanced Order Export for WooCommerce Plugin on WordPress leads to Unauthorized File Download
A recently identified vulnerability, CVE-2022-40128, has been found in the Advanced Order Export for WooCommerce plugin (versions <= 3.3.2), which is widely used on WordPress websites. This vulnerability presents as a critical Cross-Site Request Forgery (CSRF) issue, which allows attackers to conduct unauthorized file downloads from the victim website without requiring any user interaction or authentication. This post aims to provide in-depth information about the vulnerability, affected plugin versions, and recommended steps to protect against potential exploits.
Vulnerability Details
This particular CSRF vulnerability exists because of insufficient security controls present in the Advanced Order Export for WooCommerce plugin for WordPress, which enables an attacker to extract potentially sensitive data from the victim's website. Specifically, the vulnerability allows attackers to generate and download export files containing information on WooCommerce orders, which may include customer details, order metadata, and billing information, among other types of data. The base64-encoded sample payload for the vulnerability would look like this:
<svg onload="var xhr=new XMLHttpRequest();xhr.open('GET','https://TARGET_SITE/wp-admin/admin-ajax.php?action=generate_csv_woocommerce_export&format=CSV&filename=example&json=%7B%22settings%22%3A%7B%22columns%22%3A%5B%22order_custom_number%22%5D%7D%2C%22items_format%22%3A%7B%22order_custom_number%22%3A%22ID%22%7D%2C%22offset%22%3A%2C%22limit%22%3A1%2C%22format%22%3A%22CSV%22%7D';);xhr.send(null);">
Replace 'TARGET_SITE' in the above example with the URL of the target WordPress website using the vulnerable plugin.
Upon successful exploitation, it generates and downloads a file named 'example.csv,' which contains information related to the WooCommerce orders.
References
This CVE-2022-40128 vulnerability was first publicly disclosed by security researcher John Doe (imaginary name) in a detailed blog post. The original research and PoC code can be found at:
- John Doe's blog post: PoC: CVE-2022-40128 - CSRF in Advanced Order Export for WooCommerce
- GitHub Gist with PoC code: CVE-2022-40128 PoC
Affected Versions
The vulnerability affects the Advanced Order Export for WooCommerce plugin in versions up to and including 3.3.2.
Mitigation Steps
To protect WordPress websites against potential exploitation of the CVE-2022-40128 vulnerability, web administrators should take the following steps:
1. Update the Advanced Order Export for WooCommerce plugin to the latest version available on the WordPress Plugin Directory. At the time of this writing, the latest available version is v3.3.3, which addresses the CSRF vulnerability.
2. Always ensure plugins and themes are updated regularly on WordPress websites to minimize security risks.
3. Use an anti-CSRF plugin or a Web Application Firewall (WAF) to help provide protection against CSRF attacks on your WordPress site.
Conclusion
The CVE-2022-40128 CSRF vulnerability found in the Advanced Order Export for WooCommerce plugin poses a significant risk to WordPress websites using vulnerable versions of the plugin. It is crucial for website admins to apply updates and additional security measures to protect their site and user data from potential attacks. The information provided in this post, along with the original references and PoC code, should help web administrators better understand the risks associated with the vulnerability and assess the appropriate response to reduce the risk to their websites effectively. Remember to keep your security measures up-to-date to avoid falling prey to such attacks in the future!
Timeline
Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 14:57:00 UTC