The TeraWallet plugin for WordPress, designed to help users manage their virtual wallets and transactions with ease, has recently been found to contain a vulnerability that poses security risks to its users. Specifically, this vulnerability, designated as CVE-2022-3995, has been identified in TeraWallet versions up to and including version 1.4.3. The vulnerability is an Insecure Direct Object Reference (IDOR) in the lock_unlock_terawallet AJAX action, caused by insufficient validation of a user-controlled key.

This vulnerability makes it possible for attackers with minimal permissions, even as low as subscriber-level access, to lock and unlock other users' wallets, potentially causing disruptions and unauthorized access to sensitive data.

IDOR Vulnerabilities

IDOR vulnerabilities arise when an application allows an attacker to manipulate an identifier directly, giving them unauthorized access to resources they shouldn't be able to access. Essentially, it occurs when a user has the ability to control or modify a parameter value, leading to access or manipulation of another user's data. An IDOR vulnerability can have serious consequences, including data theft, unauthorized transactions, and other malicious activities.

The vulnerability can be located in the following code snippet from the TeraWallet plugin:

// terawallet/includes/admin/class-terawallet-admin-ajax.php
public function lock_unlock_wallet() {
    // user_id is taken straight from the POST body. sanitize_key() only normalizes
    // the string (lowercases it and strips anything outside [a-z0-9_-]); it says
    // nothing about whether the caller is allowed to touch that user's wallet.
    $user_id = isset( $_POST['user_id'] ) ? sanitize_key( $_POST['user_id'] ) : '';
    // No capability check and no ownership check precede the state change, so any
    // authenticated caller can flip the wallet status of any user ID they supply.
    $wallet_status = ! empty( get_user_meta( $user_id, '_wallet_status', true ) ) ? 'unlocked' : 'locked';
    update_user_meta( $user_id, '_wallet_status', $wallet_status );
    wp_send_json_success();
}

The issue with this code snippet is the insufficient validation of the user-controlled $_POST['user_id'] parameter. The input is sanitized through the sanitize_key() function, but sanitization only normalizes the value; nothing checks whether the requesting user has the appropriate role or permissions, or whether the supplied ID refers to their own wallet. As a result the plugin allows even subscriber-level users to act on wallets that do not belong to them.
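As an added example (not the plugin's own code and not the vendor's actual fix), the same handler rewritten with the checks the paragraph above says are missing. The hook name lock_unlock_terawallet is taken from the advisory; the function name, the nonce action name, the chosen capability and the assumption that the meta value is the literal string 'locked' or 'unlocked' are all assumptions made for this illustration:

```php
<?php
// Added example: a hardened version of the lock/unlock AJAX handler.
// Everything below except the hook name is an assumption, not TeraWallet code.

add_action( 'wp_ajax_lock_unlock_terawallet', 'hardened_lock_unlock_wallet' );

function hardened_lock_unlock_wallet() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    'terawallet-admin-ajax' is an assumed nonce action name. check_ajax_referer()
    //    terminates the request itself when the nonce is missing or invalid.
    check_ajax_referer( 'terawallet-admin-ajax', '_wpnonce' );

    // 2. Authorization: locking another user's wallet is an administrative operation,
    //    so the caller must hold an administrative capability. 'manage_woocommerce'
    //    (the WooCommerce shop-manager capability) is used here as an assumed choice.
    //    This is the check whose absence lets a subscriber reach other users' wallets.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: user_id must be a positive integer naming an existing user.
    //    absint() rejects anything that is not a non-negative integer, unlike sanitize_key().
    $user_id = isset( $_POST['user_id'] ) ? absint( wp_unslash( $_POST['user_id'] ) ) : 0;
    if ( 0 === $user_id || false === get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid user' ), 400 );
    }

    // 4. Explicit state transition: compare the stored value against a known constant
    //    instead of toggling on empty(), so the new state is unambiguous and logged.
    $current    = get_user_meta( $user_id, '_wallet_status', true );
    $new_status = ( 'locked' === $current ) ? 'unlocked' : 'locked';
    update_user_meta( $user_id, '_wallet_status', $new_status );

    wp_send_json_success(
        array(
            'user_id'       => $user_id,
            'wallet_status' => $new_status,
        )
    );
}
```

If the action were meant as a self-service feature (a user locking their own wallet), the capability check would be replaced by an ownership check such as `get_current_user_id() === $user_id`; either way, the authorization decision is made server-side from the session, never from the ID the client submits.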

For more information about this vulnerability, you can refer to the following sources:

1. CVE - CVE-2022-3995 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3995
2. TeraWallet Plugin Homepage - https://wordpress.org/plugins/woo-wallet/
3. WordPress Plugin Vulnerability Database - https://wpvulndb.com/vulnerabilities/10796

Exploit Details and Mitigation

To exploit this vulnerability, an attacker must be logged in as a subscriber-level or higher user. They would then send an AJAX request to the lock_unlock_terawallet action with the user ID of the target user they wish to access. By doing this, they can lock or unlock the target user's wallet without proper permissions.

WordPress website administrators can mitigate the risk of this vulnerability by updating the TeraWallet plugin to a version greater than 1.4.3. It is always recommended to keep your plugins and WordPress installations up to date and follow the WordPress security guidelines to further protect your website from potential threats.

Conclusion

The CVE-2022-3995 vulnerability found in the TeraWallet plugin is a serious issue that should be addressed as quickly as possible to prevent any unauthorized access to user wallets. Website administrators are encouraged to update the plugin to its latest version and regularly check for updates in the future to protect their sites and user data.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 19:56:00 UTC