The Tyche Softwares Abandoned Cart Lite for WooCommerce plugin is affected by a security vulnerability tracked as CVE-2023-41671. It is a missing authorization issue: the plugin's access control checks are incorrectly configured, allowing users without the appropriate privileges to reach a protected action. The vulnerability affects versions of the plugin up to 5.16.1.

Overview

The Abandoned Cart Lite for WooCommerce plugin by Tyche Softwares is a popular tool that allows businesses to recover their lost sales and abandoned carts in their WooCommerce stores. However, due to a missing authorization vulnerability, attackers can exploit the plugin's access control misconfigurations to perform unauthorized actions, potentially compromising the store's security and customers' sensitive information.

The vulnerable code snippet from the plugin's source can be found below, and we'll go into further detail on what's causing the vulnerability and how it can be exploited.

Code Snippet

// Plugin Source Code File: woocommerce-ac.php

// Function: wcal_delete_bulk_action_handler
public function wcal_delete_bulk_action_handler() {
    // Check if the user is coming from correct referer
    if ( ! isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( $_GET['_wpnonce'], 'wcal_delete_carts' ) ) {
        return;
    }
    // Check the user capability for deleting carts
    if ( ! current_user_can( 'delete_woocommerce_ac_carts' ) ) {
        return;
    }
    // ... rest of the code
} 

In this snippet, the function wcal_delete_bulk_action_handler() performs the plugin's bulk delete action. The issue lies in how the plugin decides whether the user is authorized to perform that action. It first checks whether _wpnonce (a one-time token that protects against CSRF) is set and then verifies it. A nonce, however, only proves that the request originated from a page the plugin rendered; it says nothing about who the user is. Because the user's capabilities are not properly checked, users without the required privilege can trigger the bulk delete.

Exploit Details

To exploit this vulnerability, an attacker sends a specially crafted request carrying a valid _wpnonce value, which satisfies the initial check. The request is then treated as though the user were permitted to bulk delete carts, giving the attacker unauthorized access and potentially causing loss of data or exposure of sensitive information.

In this exploit scenario, the attacker would gather the _wpnonce value, craft a URL like the following, and send it to an unsuspecting administrator:

https://example.com/wp-admin/admin.php?page=woocommerce_ac_page&action=wcal_delete_bulk_action&_wpnonce=<VALID_NONCE_VALUE>

This exploit can be executed by any authenticated user, regardless of their actual permissions. It could be delivered via phishing emails, instant messages or social engineering campaigns to trick administrators into clicking the malicious link, potentially leading to data loss and unauthorized access to sensitive information.

Mitigation and Recommendations

To protect against this vulnerability, it is critical for store owners to update the Abandoned Cart Lite for WooCommerce plugin to the latest version as soon as possible. The issue is fixed in version 5.16.1 and above.

For plugin developers, always ensure that proper authorization checks are in place for sensitive actions and data. A nonce check defends against CSRF; it is not a substitute for verifying the current user's capabilities, so check both before allowing any action that could compromise the system. Additionally, it is good practice to stay informed about current security guidance to keep plugins secure.
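The following is an added example of a hardened bulk-delete handler, written for this page; it is not the plugin's own code, and the plugin's actual fix is not shown here. The nonce action wcal_delete_carts, the request action wcal_delete_bulk_action and the capability delete_woocommerce_ac_carts are taken from the snippet above; the function name wcal_secure_bulk_delete_handler, the cart_ids parameter, the text domain and the helper wcal_delete_cart_ids() are hypothetical.

```php
<?php
// Added example (not the plugin's own code): a bulk-delete handler that enforces
// both a CSRF nonce and a capability check before doing anything destructive.
// Hypothetical names: wcal_secure_bulk_delete_handler, cart_ids, wcal_delete_cart_ids(),
// and the 'woocommerce-abandoned-cart' text domain.

function wcal_secure_bulk_delete_handler() {
    // 1. Only act on the request we expect; anything else is ignored.
    if ( ! isset( $_GET['action'] ) || 'wcal_delete_bulk_action' !== $_GET['action'] ) {
        return;
    }

    // 2. CSRF: the nonce must be present AND valid. The condition is joined with ||
    //    so that a missing nonce and a present-but-invalid nonce are both rejected.
    //    Joining the two negated tests with && instead would short-circuit as soon as
    //    the parameter exists, and the nonce would never actually be verified.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( '' === $nonce || ! wp_verify_nonce( $nonce, 'wcal_delete_carts' ) ) {
        wp_die(
            esc_html__( 'Security check failed.', 'woocommerce-abandoned-cart' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 3. Authorization: a nonce proves intent, not privilege. The current user must
    //    hold the capability no matter how the request reached this handler.
    if ( ! current_user_can( 'delete_woocommerce_ac_carts' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to delete carts.', 'woocommerce-abandoned-cart' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 4. Input validation: accept only positive integer cart IDs (hypothetical parameter).
    $ids = isset( $_GET['cart_ids'] ) ? array_map( 'absint', (array) wp_unslash( $_GET['cart_ids'] ) ) : array();
    $ids = array_filter( $ids );
    if ( empty( $ids ) ) {
        return;
    }

    wcal_delete_cart_ids( $ids ); // hypothetical helper that performs the deletion
}
add_action( 'admin_init', 'wcal_secure_bulk_delete_handler' );
```

Rejecting with wp_die() and an HTTP 403 rather than silently returning also gives site operators a visible signal: failed nonce or capability checks on a destructive endpoint show up in web server logs as 403 responses, which is a useful thing to alert on.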


Timeline

Published on: 12/13/2024 15:15:23 UTC