CVE-2023-48274 - Missing Authorization Vulnerability in Mondial Relay WooCommerce - WCMultiShipping Plugin Allows Exploiting Incorrectly Configured Access Control Security Levels

Mondial Relay WooCommerce - WCMultiShipping is a popular shipping plugin that lets WooCommerce store owners offer their customers multiple shipping options. A critical vulnerability has recently been discovered in the plugin that may allow unauthorized users to bypass its access control and gain unauthorized access. This is a major security issue and could lead to significant losses for your online sales. The vulnerability has been identified as CVE-2023-48274, and it affects WCMultiShipping plugin versions from n/a through 2.3.5.

In this long-read post, we will delve into the details of the vulnerability, the exploit, and the code snippets associated with the issue. Furthermore, we will also provide information about possible impacts and pointers to the original references, making sure you have a comprehensive understanding of this looming threat.

The Vulnerability: Missing Authorization in WCMultiShipping Plugin

The vulnerability within the Mondial Relay WooCommerce - WCMultiShipping Plugin is primarily a missing authorization check issue. The plugin does not perform proper authentication and authorization, thereby allowing unauthorized users to interact with the plugin's functionalities and exploit vulnerabilities in its access control mechanisms.

Due to this lack of authorization check, unauthorized users can bypass the access control and access sensitive information, make modifications, or even perform actions that should be restricted to authorized personnel only.

Exploit Details

The vulnerability can be exploited in several ways, one of which is a crafted request. In this scenario, an attacker sends an HTTP POST request to the target WooCommerce store without requiring a valid login session. By exploiting the missing authorization check, the attacker could gain unauthorized access and potentially perform various actions on a victim's store.

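Here is a sample code snippet that demonstrates the vulnerability (\[1\]):

```php
add_action('wp_ajax_wc_multishipping_select2_search_all', function () {
    // Note what is absent here: no current_user_can() capability check and
    // no nonce verification before order data is queried and returned.
    global $wpdb;
    // Version string as given on the page.
    if (version_compare(WC_VERSION, '3.', '<')) {
        $postsTable = $wpdb->posts;
        $sql = <<<SQL
            SELECT DISTINCT ID, post_title
            FROM $postsTable
            WHERE post_title LIKE %s
            AND post_type = "shop_order"
            AND post_status IN ("wc-processing", "wc-completed")
            ORDER BY post_title ASC
        SQL;
        // LIKE pattern as given on the page; where the search term comes
        // from is not shown.
        $search = "%%%s%";
        // One argument for the single %s placeholder in the query.
        $ssql = $wpdb->prepare($sql, $search);
        $orders = $wpdb->get_results($ssql);
    } else {
        // This branch is elided on the page ("insert code here").
        $orders = [];
    }
    $result = null;
    foreach ($orders as $index => $order) {
        // Loads the full order object for each matching row.
        $order = wc_get_order($order->ID); // ... do some other stuff with the order
    }
    echo json_encode([ "orders" => $orders, "result" => $result ]);
    exit;
});
```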

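This code snippet shows how an attacker could exploit the vulnerability without needing to be authenticated on the targeted WooCommerce store: the handler never checks the caller's capabilities (for example with current_user_can()) or verifies a nonce before it queries and returns order data.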
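For comparison, a hardened form of the handler above, written as an added example; it is not the plugin's code or the vendor's patch. The nonce action `wcms_search_orders`, the request fields `nonce` and `term`, the `edit_shop_orders` capability requirement, and the `LIMIT` are assumptions chosen for illustration.

```php
<?php
// Added example: the same AJAX action with authorization enforced.
// Assumed names (not from the plugin): nonce action 'wcms_search_orders',
// request fields 'nonce' and 'term', required capability 'edit_shop_orders'.
add_action('wp_ajax_wc_multishipping_select2_search_all', function () {
    // 1. Reject requests that do not carry a valid nonce for this action.
    //    $stop = false so we control the response instead of a bare die().
    if (!check_ajax_referer('wcms_search_orders', 'nonce', false)) {
        wp_send_json_error(['message' => 'Invalid nonce'], 403);
    }

    // 2. A login session alone is not authorization: any account, including
    //    a customer account, can call wp_ajax_ actions. Require an
    //    order-management capability before touching order data.
    if (!current_user_can('edit_shop_orders')) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }

    // 3. Read and sanitize the search term; refuse empty or one-character
    //    searches that would enumerate every order.
    $term = isset($_POST['term']) ? sanitize_text_field(wp_unslash($_POST['term'])) : '';
    if (strlen($term) < 2) {
        wp_send_json_success(['orders' => []]);
    }

    // 4. Escape LIKE wildcards in the term, then bind it as the single
    //    placeholder. LIMIT is an added bound on the result size.
    global $wpdb;
    $like = '%' . $wpdb->esc_like($term) . '%';
    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT DISTINCT ID, post_title
           FROM {$wpdb->posts}
          WHERE post_title LIKE %s
            AND post_type = 'shop_order'
            AND post_status IN ('wc-processing', 'wc-completed')
          ORDER BY post_title ASC
          LIMIT 20",
        $like
    ));

    // 5. Return only the fields a select2 widget needs, not full orders.
    $orders = array_map(function ($row) {
        return ['id' => (int) $row->ID, 'text' => $row->post_title];
    }, $rows);

    wp_send_json_success(['orders' => $orders]);
});
```

The page that renders the search field has to emit a matching nonce with `wp_create_nonce('wcms_search_orders')` and send it in the `nonce` field.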

Impact

The primary impact of this vulnerability is unauthorized access to sensitive information and the ability to perform actions that should be restricted to authorized users only. This may lead to disclosure of customer details, sales data, and other sensitive provisioning components, resulting in unauthorized offers or services being provided to customers.

Additionally, the vulnerability also exposes the online sales platform to potential financial loss, loss of sensitive customer data, and damage to the store's reputation.

Original References

The original vulnerability disclosure can be found on the CVE website under CVE-2023-48274 (\[2\]). The vendor has yet to provide an official statement on this issue. It is essential to monitor the corresponding sources and act accordingly to mitigate potential risks associated with the vulnerability.

Conclusion

In conclusion, the missing authorization vulnerability in Mondial Relay WooCommerce - WCMultiShipping Plugin is a critical issue that poses severe threats to your online sales platform. The vulnerability allows unauthorized users to bypass access control, gain undue access to sensitive information, and potentially perform actions that are restricted.

It is essential to be aware of this threat, monitor the associated references, and take appropriate measures to mitigate the risks and ensure the security of your WooCommerce store.

References

\[1\] WCMultiShipping Plugin Code: https://github.com/mondialrelay/wc\_multishipping/blob/main/includes/core\_functions/select2\_search\_all\_orders.php

\[2\] CVE-2023-48274: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48274

Timeline

Published on: 12/09/2024 13:15:32 UTC