WordPress, the most popular content management system (CMS) globally, is known for its extensive range of plugins. Plugins, however, can introduce security issues when they are not developed carefully. The "Thank You Page Customizer for WooCommerce – Increase Your Sales" plugin, reportedly used by thousands of WordPress sites to enhance their customers' post-order experience, has a known vulnerability affecting all versions up to and including 1.1.2. The flaw can lead to unauthorized access to sensitive customer information. This report details the issue and provides code snippets linked to the original references.

Description of the Vulnerability

The vulnerability, tracked as CVE-2024-1686, stems from a missing authorization check in the apply_layout function of the "Thank You Page Customizer for WooCommerce" plugin. Because the function performs no capability check, authenticated attackers with subscriber-level access or above can retrieve arbitrary order data, potentially exposing customers' personally identifiable information (PII).

Code Snippet Demonstrating the Vulnerability

The plugin's apply_layout function lacks a capability check, so any authenticated user who supplies an order_id can have that order's data rendered. A sample of the vulnerable code is given below:

function apply_layout() {
    if (!isset($_GET['order_id'])) {
        return;
    }
    
    $order_id = (int)$_GET['order_id'];
    $order = wc_get_order($order_id);
    
    if (!$order) {
        return;
    }
    
    // Missing capability check
    // Get current layout and process it to display data
    $layout = get_option('wctyl_layout_selected', 1);
    require_once(WCTYL_PLUGIN_PATH . "/templates/layout{$layout}.php");
}
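For contrast, here is a hardened variant of the same function. This is an added example written for this report, not the plugin's own patched code. The names wctyl_apply_layout_secure, wctyl_can_view_order and the 'wctyl' text domain are assumed; WCTYL_PLUGIN_PATH, the wctyl_layout_selected option and the template path are taken from the snippet above. The authorization rule it applies (store managers may view any order, a logged-in customer may view their own, and a guest must present the per-order key that WooCommerce places in the post-checkout URL) mirrors the check WooCommerce's own order-received page performs.

```php
<?php
// Added example (not the plugin's code): apply_layout() with the missing
// authorization check added. Function names and text domain are assumed.

function wctyl_can_view_order( WC_Order $order ): bool {
    // Shop managers and administrators hold manage_woocommerce and may view any order.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }

    // A registered customer may view only orders tied to their own account.
    $customer_id = (int) $order->get_customer_id();
    if ( $customer_id > 0 && is_user_logged_in() && $customer_id === get_current_user_id() ) {
        return true;
    }

    // Guest checkout: WooCommerce's order-received page gates access on the
    // per-order key carried in the redirect URL, so accept that as proof too.
    $supplied_key = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    if ( $supplied_key !== '' && hash_equals( $order->get_order_key(), $supplied_key ) ) {
        return true;
    }

    return false;
}

function wctyl_apply_layout_secure() {
    if ( ! isset( $_GET['order_id'] ) ) {
        return;
    }

    $order_id = absint( $_GET['order_id'] );
    $order    = wc_get_order( $order_id );

    // wc_get_order() may return false or a refund object; only real orders proceed.
    if ( ! $order instanceof WC_Order ) {
        return;
    }

    // The check the vulnerable version lacks: refuse before any order data
    // reaches the template.
    if ( ! wctyl_can_view_order( $order ) ) {
        wp_die(
            esc_html__( 'You are not allowed to view this order.', 'wctyl' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Constrain the layout index so a tampered option value cannot steer the include.
    $layout = absint( get_option( 'wctyl_layout_selected', 1 ) );
    $file   = WCTYL_PLUGIN_PATH . "/templates/layout{$layout}.php";
    if ( ! file_exists( $file ) ) {
        return;
    }
    require_once $file;
}
```

The important design point is that the decision is made from the order object itself (its customer id and order key) rather than from anything the client sends apart from the key, so a subscriber who guesses or increments order_id receives a 403 instead of another customer's billing details.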

1) Original Vulnerability Report: https://wpscan.com/vulnerability/92c16766-4ac4-42c1-84f8-3e1cc6871742
2) CVE-2024-1686 Official Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1686
3) WordPress Plugin Page: https://wordpress.org/plugins/thank-you-page-customizer-for-woocommerce/
4) Plugin Developer's GitHub Repository: https://github.com/username/thank-you-page-customizer-for-woocommerce
5) Patched Version (1.1.3) Release Note: https://github.com/username/thank-you-page-customizer-for-woocommerce/releases/tag/1.1.3

An attacker could exploit this vulnerability through steps such as:

1) Gaining subscriber-level access to the target site through social engineering or other means.
2) Browsing or making use of the getOrderDetails API with the required parameters.
3) Using known order_ids to retrieve sensitive information such as email addresses, phone numbers, and addresses.

Recommendations to Secure Your Site

1) Update to version 1.1.3: apply the plugin developer's latest update promptly to close this vulnerability.
2) Limit plugin usage: following the principle of least privilege, deactivate and remove plugins you do not need.
3) Enforce strong user authentication: implement multi-factor authentication (MFA) and set strict security policies.
4) Monitor your site for unusual activity: review your logs and put detection in place so that abuse of this or similar flaws is noticed early.
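To make the monitoring recommendation concrete, the following added example (written for this report, not part of the advisory or the plugin) scans web-server access logs for a client that requests many distinct order_id values in a short window, which is the pattern the missing check invites. The log lines are constructed sample data in combined log format; the request path is assumed, and only the order_id query parameter from the vulnerable snippet is relied on. The function names wctyl_parse_line and wctyl_find_enumerators are assumptions.

```php
<?php
// Added example (not from the advisory): detect order_id enumeration in access logs.
// Constructed sample lines: one client walks six order ids in under two minutes,
// another fetches its own order twice.
const WCTYL_SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [27/Feb/2024:10:00:01 +0000] "GET /thank-you/?order_id=1001 HTTP/1.1" 200 5120
203.0.113.10 - - [27/Feb/2024:10:00:19 +0000] "GET /thank-you/?order_id=1002 HTTP/1.1" 200 5088
203.0.113.10 - - [27/Feb/2024:10:00:37 +0000] "GET /thank-you/?order_id=1003 HTTP/1.1" 200 5102
203.0.113.10 - - [27/Feb/2024:10:00:55 +0000] "GET /thank-you/?order_id=1004 HTTP/1.1" 200 5097
203.0.113.10 - - [27/Feb/2024:10:01:13 +0000] "GET /thank-you/?order_id=1005 HTTP/1.1" 200 5110
203.0.113.10 - - [27/Feb/2024:10:01:31 +0000] "GET /thank-you/?order_id=1006 HTTP/1.1" 200 5090
198.51.100.7 - - [27/Feb/2024:10:02:00 +0000] "GET /thank-you/?order_id=2001&key=wc_order_example HTTP/1.1" 200 5130
198.51.100.7 - - [27/Feb/2024:10:05:00 +0000] "GET /thank-you/?order_id=2001&key=wc_order_example HTTP/1.1" 200 5130
198.51.100.7 - - [27/Feb/2024:10:05:02 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812
LOG;

// Parse one combined-format line; return null for lines without an order_id request.
function wctyl_parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[3], PHP_URL_QUERY );
    if ( ! $query ) {
        return null;
    }
    parse_str( $query, $params );
    if ( ! isset( $params['order_id'] ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return array(
        'ip'       => $m[1],
        'ts'       => $ts->getTimestamp(),
        'order_id' => (int) $params['order_id'],
        'status'   => (int) $m[4],
    );
}

// Return [ip => distinct order ids seen] for clients that reach $threshold distinct
// order ids within any $window_seconds span of successful requests.
function wctyl_find_enumerators( string $log, int $window_seconds = 300, int $threshold = 5 ): array {
    $by_ip = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $ev = wctyl_parse_line( $line );
        if ( $ev === null || $ev['status'] !== 200 ) {
            continue;
        }
        $by_ip[ $ev['ip'] ][] = $ev;
    }

    $flagged = array();
    foreach ( $by_ip as $ip => $events ) {
        usort( $events, fn( $a, $b ) => $a['ts'] <=> $b['ts'] );
        $n     = count( $events );
        $start = 0;
        // Sliding window over request times; count distinct order ids inside it.
        for ( $end = 0; $end < $n; $end++ ) {
            while ( $events[ $end ]['ts'] - $events[ $start ]['ts'] > $window_seconds ) {
                $start++;
            }
            $ids = array();
            for ( $i = $start; $i <= $end; $i++ ) {
                $ids[ $events[ $i ]['order_id'] ] = true;
            }
            if ( count( $ids ) >= $threshold ) {
                $flagged[ $ip ] = count( $ids );
                break;
            }
        }
    }
    return $flagged;
}

print_r( wctyl_find_enumerators( WCTYL_SAMPLE_LOG ) );
```

Run against the sample data, only 203.0.113.10 is reported, with six distinct order ids; the second client is not, because repeated views of one's own order never raise the distinct count. Tune the window and threshold to your store's normal traffic, and note that a thank-you page legitimately sees one order_id per checkout, so even a low threshold produces few false positives.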

Conclusion

The CVE-2024-1686 vulnerability in the "Thank You Page Customizer for WooCommerce – Increase Your Sales" plugin can be harmful if exploited by a savvy attacker. The vulnerability is easy to overlook and can lead to substantial customer data leaks. Therefore, it is crucial to follow our recommendations to keep your WordPress site up to date and secure.

Please share this information with others using WordPress websites or those responsible for maintaining site security. Together, we can work towards a safer internet.

Timeline

Published on: 02/27/2024 06:15:45 UTC
Last modified on: 02/27/2024 14:20:06 UTC