WordPress powers millions of sites, and WooCommerce is its go-to eCommerce solution. Plenty of plugins aim to improve WooCommerce, one of which is the popular Thank You Page Customizer for WooCommerce – Increase Your Sales. However, a recent vulnerability tracked as CVE-2024-1686 puts user data at risk due to a missing authorization check in the plugin's code. Let’s break down what this means, how it works, and why you should care.

What Is CVE-2024-1686?

CVE-2024-1686 is a vulnerability found in all versions of the Thank You Page Customizer for WooCommerce – Increase Your Sales plugin up to and including version 1.1.2. The flaw lets users with low WordPress privileges—like subscribers—access sensitive order information they should not see.

Why is this dangerous? It can expose personally identifiable information (PII) such as names, addresses, emails, and more, putting both users and store owners at risk.

Technical Details: The Root Cause

At the heart of this vulnerability is a missing capability check in the apply_layout function. Normally, sensitive actions are protected by role-based permissions in WordPress. In this plugin, the check was skipped, letting any logged-in user perform the action.

Let's look at a simplified version of the vulnerable code:

public function apply_layout() {
    // NO PERMISSION CHECK HERE!
    
    $order_id = $_POST['order_id'];
    $order = wc_get_order($order_id);

    // Return order data to user, including PII
    echo json_encode($order->get_data());
    wp_die();
}

Here, anyone who can make an authenticated request (even a Subscriber) could call this function with any order ID. The code retrieves and returns all order data, exposing names, addresses, payment info, and more.

Normally, you’d want to limit this to admins or shop managers with something like:

if ( ! current_user_can('manage_woocommerce') ) {
    wp_die('Insufficient permissions');
}
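For comparison, here is a hardened version of the same handler, written as an added example rather than taken from the plugin. The hook name, the `nonce` request field and the `tyc_apply_layout` nonce action are assumptions for illustration; the WordPress and WooCommerce functions used are real.

```php
<?php
// Added example, not the plugin's code: a hardened AJAX handler for the order-lookup
// action. Hook name, nonce action and the 'nonce' POST field are assumed names.

// wp_ajax_* hooks fire only for logged-in users, but that alone is not authorization:
// a Subscriber is logged in too, which is exactly the CVE-2024-1686 problem.
add_action( 'wp_ajax_tyc_apply_layout', 'tyc_apply_layout_secure' );

function tyc_apply_layout_secure() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'tyc_apply_layout', 'nonce' );

    // 2. Input validation: order IDs are positive integers, never raw $_POST values.
    $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
    if ( 0 === $order_id ) {
        wp_send_json_error( array( 'message' => 'Invalid order id' ), 400 );
    }

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
    }

    // 3. Authorization: shop managers may read any order; a customer may read
    //    only an order that belongs to their own account (guest orders have
    //    customer id 0 and are therefore never matched).
    $current_user = get_current_user_id();
    $is_manager   = current_user_can( 'manage_woocommerce' );
    $is_owner     = $current_user > 0 && (int) $order->get_customer_id() === $current_user;
    if ( ! $is_manager && ! $is_owner ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 4. Data minimisation: return only the fields the thank-you layout needs,
    //    instead of dumping $order->get_data() with billing/shipping PII.
    wp_send_json_success( array(
        'id'     => $order->get_id(),
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    ) );
}
```

Each check fails closed with an explicit HTTP status, which also makes repeated 403/404 responses from one account easy to spot in access logs.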

Exploiting CVE-2024-1686: A Step-by-Step Example

Let’s walk through how an attacker might use this flaw.

Step 1: Create a Subscriber Account

Anyone can register as a Subscriber if sign-ups are enabled—or use a compromised basic account.

Step 2: Find a Valid Order ID

Order IDs are sequential. They might be easy to guess or enumerate.

Step 3: Send the Request

With a tool like Postman or curl, send a POST request:

POST /wp-admin/admin-ajax.php?action=tyc_apply_layout HTTP/1.1
Host: victim.site
Cookie: wordpress_logged_in_xxx=...
Content-Type: application/x-www-form-urlencoded

order_id=1234

Step 4: Receive Sensitive Data

The plugin returns a JSON object with all order details—names, addresses, emails, and maybe payment info.

How to Fix

The vendor addressed the issue quickly in an update. Upgrade immediately to version 1.1.3 or later.

Original References

- Wordfence Advisory
- CVE Record
- Plugin on WordPress.org

Conclusion

CVE-2024-1686 is a serious reminder that a missing line of authorization in plugin code can have big consequences. If you use the Thank You Page Customizer for WooCommerce, don’t wait: update now and keep your user data safe!

If you're a developer, always validate user capabilities—especially in AJAX handlers or anything that outputs sensitive information.

Stay safe. Secure your WordPress. And don’t let one missing check sink your store.


*This post is for educational purposes only. Do not use this information for unauthorized attacks. Always test vulnerabilities responsibly and ethically.*

Timeline

Published on: 02/27/2024 06:15:45 UTC
Last modified on: 02/27/2024 14:20:06 UTC