A vulnerability (CVE-2022-41655) has been discovered in the Phone Orders for WooCommerce plugin for WordPress, affecting versions up to and including 3.7.1. It could allow attackers to access sensitive customer data on a WordPress site that uses the plugin. This article provides a detailed explanation of the vulnerability, its impact, and how to exploit and mitigate it.

Vulnerability Details

The Phone Orders for WooCommerce plugin is a popular tool, enabling online store owners to create and manage phone orders. The vulnerability in question (CVE-2022-41655) is classified as Authorization (subscriber+) Sensitive Data Exposure and poses a significant risk to the affected websites.

In version 3.7.1 and earlier, an attacker with subscriber access to the WordPress site can exploit this vulnerability to retrieve sensitive data such as customer names, addresses, email addresses, and order history.

The root cause of this vulnerability lies in the insufficient access control mechanisms implemented in the plugin's code, which allows subscribers to access protected data without the necessary permissions.

Exploit Details

The vulnerability can be exploited by sending a specially crafted request to the WordPress site's AJAX endpoint. The modified request bypasses the expected permission checks by manipulating the $_REQUEST variables.

Here's a sample PHP code snippet demonstrating the vulnerable AJAX endpoint:

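// Sample handler; get_customer_details() is defined elsewhere and not shown here.
function phone_orders_woocommerce_ajax_handler() {
  // Dispatch on the caller-supplied action parameter.
  if(isset($_REQUEST['action']) && ($_REQUEST['action'] == 'get_customer_details')) {
    // Capability gate in front of the customer data.
    if (current_user_can('edit_shop_orders')) {
      get_customer_details();
    }
  }
}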

As illustrated in the code snippet above, the check for current_user_can('edit_shop_orders') is meant to ensure that only site administrators can access the customer data. However, an attacker with subscriber access can manipulate the $_REQUEST['action'] value to bypass this check, gaining unauthorized access to customer details.

The following is an example HTTP request that an attacker could use to exploit this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded

action=get_customer_details&nonce=some_nonce_value

By sending this request, attackers can successfully retrieve customer information from the compromised site.

Original References

- Official CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41655
- WordFence's Blog Post: https://www.wordfence.com/blog/2022/03/critical-vulnerability-patched-in-phone-orders-for-woocommerce/

Mitigation

To protect your website from this vulnerability, it is strongly recommended to update the Phone Orders for WooCommerce plugin to the latest version (3.7.2+) as soon as possible. The plugin's developers have already issued a security update to fix the vulnerability.

Additionally, it is essential to enforce strict access controls for user accounts on your site to limit the risk of unauthorized access. Ensure that subscribers or other user roles with limited capabilities cannot escalate their privileges.
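
For plugin developers, the access-control advice above translates into a nonce check plus a capability check on every AJAX request. The handler below is an added example, not the plugin's code or its security update; the action name, function name, customer_id parameter and returned fields are hypothetical, and it assumes WordPress with WooCommerce loaded.

```php
<?php
// Added example: hypothetical names, not the plugin's code. Requires WordPress + WooCommerce.

// Register on the authenticated hook only; no wp_ajax_nopriv_* registration.
add_action( 'wp_ajax_example_get_customer_details', 'example_get_customer_details' );

function example_get_customer_details() {
    // 1. Request origin: the nonce must match this action. Passing false as the
    //    third argument returns the result instead of dying with -1.
    if ( ! check_ajax_referer( 'example_get_customer_details', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization: a nonce only ties the request to a session and action,
    //    it says nothing about privilege. Check the capability on every request.
    if ( ! current_user_can( 'edit_shop_orders' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 3. Input: accept only a positive integer ID (hypothetical parameter).
    $customer_id = isset( $_POST['customer_id'] ) ? absint( wp_unslash( $_POST['customer_id'] ) ) : 0;
    if ( 0 === $customer_id ) {
        wp_send_json_error( array( 'message' => 'Missing customer_id.' ), 400 );
    }

    // 4. Lookup: WC_Customer throws when the ID does not resolve to a user.
    try {
        $customer = new WC_Customer( $customer_id );
    } catch ( Exception $e ) {
        wp_send_json_error( array( 'message' => 'Customer not found.' ), 404 );
    }

    // 5. Output: return only the fields the order screen needs, never the whole object.
    wp_send_json_success(
        array(
            'id'         => $customer->get_id(),
            'first_name' => $customer->get_billing_first_name(),
            'last_name'  => $customer->get_billing_last_name(),
            'email'      => $customer->get_billing_email(),
        )
    );
}
```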

Conclusion

The CVE-2022-41655 vulnerability in the Phone Orders for WooCommerce plugin is a critical security issue that could lead to sensitive data exposure for affected WordPress sites. It is crucial for website administrators to apply the necessary updates and follow best security practices to protect their site and customer data from potential attacks.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 17:45:00 UTC