CVE-2022-3762 - The Booster for WooCommerce Security Vulnerability in Multiple WordPress Plugins

A recent security vulnerability has been discovered in multiple WooCommerce WordPress plugins. The vulnerability affects Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.5, and Booster Elite for WooCommerce WordPress plugin before 1.1.7. This newly discovered security issue has been assigned the CVE identifier CVE-2022-3762. In this post, we will provide you with all the necessary details about this vulnerability, along with its consequences on your website's security, and a possible workaround to mitigate the risks.

Vulnerability Description

The aforementioned WooCommerce plugins fail to properly validate files for download in some of their modules. This security issue allows users with ShopManager and Admin roles to download arbitrary files from the server even when they are not supposed to possess such privileges, especially in a multisite setup.

Here's an example of how the vulnerability could be exploited by a malicious user

// URL to the affected plugin's file download functionality
$request_url = "https://your-site.com/wp-admin/admin-ajax.php?action=booster_for_woocommerce_get_pdf_invoice&order_id=123";;

// Path to the target file on the server (e.g., wp-config.php)
$target_file_path = "../../../wp-config.php";

// Malicious request constructed to exploit the vulnerability and download the target file
$exploit_request = $request_url . "&file_path=" . urlencode($target_file_path);

// Sending the malicious request
$response = file_get_contents($exploit_request);

By constructing a specially crafted request, a malevolent user can misuse the vulnerable plugin's file download functionality to download arbitrary files from the server.

Exploit Details

The vulnerability's exploitability stems from the plugins' insufficient validation of file paths before allowing them for download. When a user sends a request to download a file, the plugin should strictly validate whether the requested file is allowed to be downloaded by the user. However, due to the absence of such validation, a cunning user can send specially crafted requests to download files they shouldn't have access to.

Original References

The CVE-2022-3762 vulnerability was discovered and reported by Karel Klima. To learn more about this vulnerability, you can visit the original reference links below:

1. CVE-2022-3762 on CVE Details
2. The WordPress Vulnerability Database

If you have any of the affected plugins installed and activated on your website, it is crucial to take immediate action to mitigate the risks. We recommend updating the concerned plugin to the latest version available, as the developers have patched the vulnerability in the following updated versions:

Booster Elite for WooCommerce WordPress plugin - 1.1.7 or later

In case you cannot update any of the plugins, consider temporarily disabling them until a compatible update is released, or consult with your development team to create a custom solution to bolster the file validation process in the plugins' download modules.

Timeline

Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:18:00 UTC