Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation



Description
The plugin registers one AJAX action intended for installing addon plugins from WordPress.org. The callback method for this action has neither a capability check nor a nonce check. This enables any logged-in user to post a request to the endpoint and install, activate or deactivate any plugin. Because the action is not also registered under a "nopriv" hook, the issue can only be exploited by a logged-in user.

The plugin is used in conjunction with the e-commerce plugin WooCommerce, which in most cases creates a WordPress user when a purchase is made in the shop. It is also possible to register as a customer in many of the shops. We have verified that the exploit can be used with users that have the customer role, which means that many websites are affected by this.

The vulnerability is present in version 2.0.9 and in all earlier versions back to version 1.0.9.
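
The two checks the description says are missing, shown as an added example of a hardened AJAX callback. This is not the plugin's own code or its patch: the action name, nonce name, POST field names and addon allowlist are hypothetical, while the WordPress functions and capabilities are core ones.

```php
<?php
// Added example: hypothetical names throughout (action, nonce, POST fields and
// allowlist are assumptions, not the Klarna Checkout plugin's identifiers).

// Registered only under wp_ajax_ (no wp_ajax_nopriv_), so WordPress already
// rejects logged-out callers. Every logged-in role, including "customer",
// still reaches the callback, so the callback must authorize on its own.
add_action( 'wp_ajax_example_addon_change_status', 'example_addon_change_status' );

function example_addon_change_status() {
	// 1. Nonce check: ties the request to a page this site rendered for this
	//    user. On failure WordPress answers 403 and stops execution.
	check_ajax_referer( 'example_addon_change_status', 'nonce' );

	// 2. Input handling: accept only known operations and known addon slugs.
	$operation = isset( $_POST['operation'] ) ? sanitize_key( wp_unslash( $_POST['operation'] ) ) : '';
	$slug      = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';

	// Core capability required for each operation.
	$required_cap = array(
		'install'    => 'install_plugins',
		'activate'   => 'activate_plugins',
		'deactivate' => 'activate_plugins',
	);
	// Constructed allowlist: the addon slugs the settings page actually offers.
	$allowed_slugs = array( 'example-addon-one', 'example-addon-two' );

	if ( ! isset( $required_cap[ $operation ] ) || ! in_array( $slug, $allowed_slugs, true ) ) {
		wp_send_json_error( array( 'message' => 'Unknown operation or addon.' ), 400 );
	}

	// 3. Capability check: the step whose absence lets a customer-role user
	//    manage plugins. Customers hold neither capability above.
	if ( ! current_user_can( $required_cap[ $operation ] ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// Authorized: the install/activate/deactivate routine is called from here.
	wp_send_json_success( array( 'operation' => $operation, 'slug' => $slug ) );
}
```

The nonce would be created with wp_create_nonce() using the same action string and printed only on the admin screen that offers the addons.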

Proof of Concept

The PoC will be displayed on June 07, 2020, to give users the time to update.

Affects Plugin

fixed in version 2.0.10

References

URL https://plugins.trac.wordpress.org/changeset/2279932

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Views 2228
Verified No
WPVDB ID 10173

Timeline

Publicly Published 2020-04-08 (about 2 months ago)
Added 2020-04-09 (about 2 months ago)
Last Updated 2020-05-04 (21 days ago)
