
Are you using the NextMove Lite – Thank You Page for WooCommerce plugin to enhance your WordPress website's customer experience? If so, you must read this post to learn about a critical vulnerability that could affect your website's security. The vulnerability is tracked as CVE-2024-10860 and is present in all versions up to, and including, 2.19.

This security issue stems from a missing capability check on the _submit_uninstall_reason_action() function. It allows authenticated attackers with Subscriber-level access or higher to submit a deactivation reason on behalf of the site. In this post, we will delve into the details of this vulnerability, including what it is, how it can be exploited, and what you can do to protect your site.

The Vulnerability: Missing Capability Check

First, let's understand the root cause of this issue – a missing capability check. In WordPress, capability checks are critical for controlling access to various features and functions. In the case of the NextMove Lite – Thank You Page for WooCommerce plugin, the capability check is missing on the _submit_uninstall_reason_action() function.

This function is meant to handle the submission of deactivation reasons for the plugin. However, because no capability check is performed, any authenticated user, including one with only the Subscriber role, can call the function and submit a deactivation reason on behalf of the site.

Here's a code snippet from the vulnerable plugin, showcasing the absence of a capability check:

public function _submit_uninstall_reason_action() {
    // No capability check (e.g. current_user_can()) is performed before the
    // request is processed, so any logged-in user reaches this point.
    if (!isset($_POST['data']))
        wp_send_json_error();

    // The submitted form data is parsed and the reason is read straight from it.
    parse_str($_POST['data'], $data);
    $reason_id = trim(sanitize_text_field($data['reason_id']));
    ...
}

As we can see, the code does not include a capability check before proceeding with the submission.
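For comparison, the following is an illustrative hardened version of such a handler. It is an added example, not the plugin's actual patch: the AJAX hook name, the nonce action name and the choice of the activate_plugins capability are assumptions made for the example.

```php
<?php
// Added example: a hardened AJAX handler for recording a plugin deactivation
// reason. Hook name 'nextmove_submit_uninstall_reason' and nonce action
// 'nextmove_uninstall_nonce' are placeholders, not the plugin's real names.
add_action( 'wp_ajax_nextmove_submit_uninstall_reason', 'example_submit_uninstall_reason_action' );

function example_submit_uninstall_reason_action() {
    // 1. Authorization: only users who may (de)activate plugins should be able to
    //    record a deactivation reason. Subscribers do not hold this capability,
    //    so the missing-check issue described above is closed here.
    //    (activate_plugins is an assumed choice; manage_options would also fit.)
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient_permissions' ), 403 );
    }

    // 2. Request forgery protection: the request must carry a nonce issued for
    //    this action in the 'security' field. check_ajax_referer() terminates the
    //    request on failure, so execution only continues for a valid nonce.
    check_ajax_referer( 'nextmove_uninstall_nonce', 'security' );

    // 3. Input handling, kept close to the original: a serialised form string is
    //    expected in $_POST['data'].
    if ( ! isset( $_POST['data'] ) ) {
        wp_send_json_error( array( 'message' => 'missing_data' ), 400 );
    }

    parse_str( wp_unslash( $_POST['data'] ), $data );
    $reason_id = isset( $data['reason_id'] ) ? trim( sanitize_text_field( $data['reason_id'] ) ) : '';
    if ( '' === $reason_id ) {
        wp_send_json_error( array( 'message' => 'invalid_reason' ), 400 );
    }

    // ... store $reason_id as the plugin would ...

    wp_send_json_success();
}

// The admin-side script that submits the form must be handed a matching nonce;
// 'nextmove-deactivate' is an assumed script handle registered elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'nextmove-deactivate', 'nextmoveUninstall', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'nextmove_uninstall_nonce' ),
    ) );
} );
```

The capability check is what removes the Subscriber-level exposure; the nonce check is an additional, standard safeguard for any state-changing AJAX endpoint.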

Exploit Details

An attacker with Subscriber-level access can exploit this vulnerability by crafting a custom request that submits a deactivation reason on behalf of the site. The attacker needs to be authenticated to the targeted site as a Subscriber or higher. Since the plugin does not validate the user's capabilities before accepting the submission, the site is left open to unauthorized data submissions.

For more information about this vulnerability, you can refer to the following sources:

1. CVE Details – CVE-2024-10860
2. WordPress Plugin Vulnerability Disclosure
3. Security Advisory by Plugin Developer

How to Protect Your Site

To secure your WordPress site from this vulnerability, we strongly recommend taking the following actions:

1. Update your plugin: The plugin developers have released a patch addressing this vulnerability in version 2.20. Make sure to update your plugin to the latest version as soon as possible.
2. Review user access: Ensure that only trusted users have Subscriber-level access or higher on your site. Regularly review user accounts and revoke access for any suspicious or inactive accounts.
3. Monitor your site: Keep an eye on any unauthorized activity on your site. Regularly check logs and utilize security tools for detecting and blocking suspicious activity.

Stay vigilant, and make sure to keep your WordPress site up-to-date to ensure its security.

Timeline

Published on: 02/28/2025 10:15:09 UTC