WordPress and WooCommerce are some of the most widely used tools for building e-commerce stores. Extensions or plugins expand what your shop can do. But, when a plugin has weak security, your store and customer data might be exposed. One such vulnerability, tracked as CVE-2023-46635, exists in the popular YITH WooCommerce Product Add-Ons plugin. If you are using this plugin, you should pay close attention to this CVE as it’s a case of “missing authorization”—anyone could bypass security controls due to a coding oversight, potentially wreaking havoc on your store.
What is CVE-2023-46635?
CVE-2023-46635 is a missing authorization vulnerability in the YITH WooCommerce Product Add-Ons plugin (versions up to 4.2. were vulnerable). The plugin allows store owners to offer customizable product options, but it failed to ensure that only authorized users could perform some protected actions. This is what security experts call an “incorrect access control” or “broken access control” vulnerability.
Fixed: 4.2.1 and newer
If you use an older version, you should update immediately.
Technical Details
The plugin provides AJAX handlers to process backend requests (like updating product options), but in some handlers it did not check if the requester was logged in as an admin or shop manager. This means anyone, including unauthenticated visitors, could call these functions and perform changes they shouldn’t be allowed to.
Let’s look at an example using simplified code
// A plugin function responding to AJAX requests
add_action('wp_ajax_yith_addon_update', 'update_product_addon');
// (NO wp_ajax_nopriv_yith_addon_update, which shouldn't allow guests, but...)
function update_product_addon() {
// (NO capability check here, like current_user_can('edit_products'))
$addon_id = $_POST['addon_id'];
$new_value = $_POST['new_value'];
// Update the database directly!
update_post_meta($addon_id, 'addon_data', $new_value);
echo json_encode(['status' => 'success']);
wp_die();
}
The function doesn’t check if the current user is logged in.
- It doesn’t check if they have permission to edit products/addons.
The Exploit: How Attackers Use This Flaw
An attacker can create a simple HTTP request (for example with curl, Postman, or even via JavaScript in the browser) to update product addons—no login required.
Example Exploit Request
curl -X POST "https://yourstore.com/wp-admin/admin-ajax.php?action=yith_addon_update"; \
-d "addon_id=123&new_value=HACKED-BY-CVE-2023-46635"
What does this do?
More Advanced Exploit
If the plugin relied on AJAX for deletion, creation, or more sensitive operations, the attacker could:
Delete addons
- Add fraudulent costs/options
Impact
- Product addons could be hijacked/graffiti’d.
Detection
Check your site logs for unusual requests to wp-admin/admin-ajax.php with the action parameter related to YITH Add-Ons. Look for requests from users without valid logins or from suspicious IPs.
Mitigation
1. Update to the latest version of YITH WooCommerce Product Add-Ons.
Make sure only trusted admins can access your WordPress admin.
3. Use a web application firewall (WAF) like Wordfence.
Fix Example
Developers should always check capabilities before performing sensitive actions. Here is a fixed version of the vulnerable function:
function update_product_addon() {
// Only allow logged-in shop managers/admins
if (!current_user_can('edit_products')) {
wp_send_json_error(['message' => 'Unauthorized'], 403);
wp_die();
}
$addon_id = $_POST['addon_id'];
$new_value = $_POST['new_value'];
update_post_meta($addon_id, 'addon_data', $new_value);
wp_send_json_success(['status' => 'success']);
wp_die();
}
References
- WPScan Entry on CVE-2023-46635
- NVD: CVE-2023-46635
- YITH Plugin Page
- Responsible disclosure article
Summary
CVE-2023-46635 shows how missing a single line of authorization checking can undermine an entire WordPress shop. If you use YITH WooCommerce Product Add-Ons, update right away. Always review plugin changelogs and audit your site's security. Even one missed check can put your business at risk.
Stay safe, update plugins, and remember that good coding is in the details!
Timeline
Published on: 01/02/2025 12:15:13 UTC