Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation

The plugin registers one AJAX action intended for installing addon plugins from WordPress.org. The callback for this action performs neither a capability check nor a nonce check. This allows any logged-in user to post a request to the endpoint and install, activate or deactivate any plugin. Because the action is not registered with the "nopriv" variant, the vulnerability can only be exploited while logged in.
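As an added illustration (not code from the Klarna plugin or from this advisory), this is the same AJAX-handler pattern with the two missing checks in place, plus an allow-list on the requested addon; the action name, nonce action string, function names and addon slugs are hypothetical placeholders.

```php
<?php
// Added example, not the plugin's code. Names below are placeholders.

// Register the handler for logged-in users only; the wp_ajax_nopriv_
// variant is deliberately not registered, so anonymous requests never reach it.
// Being logged in is still not authorization: the checks inside decide that.
add_action( 'wp_ajax_example_install_addon', 'example_install_addon_handler' );

function example_install_addon_handler() {
    // Check 1: nonce. Ties the request to a form/script the admin page issued
    // with wp_create_nonce( 'example_addon_admin' ). On failure this sends
    // "-1" with HTTP 403 and exits.
    check_ajax_referer( 'example_addon_admin', 'nonce' );

    // Check 2: capability. Core maps plugin management to these capabilities;
    // a WooCommerce "customer" has none of them. wp_send_json_error() ends
    // execution via wp_die(), so no code below runs on failure.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Check 3: never take an arbitrary plugin path from the request. Accept only
    // a fixed allow-list of addon slugs (placeholder values).
    $allowed = array( 'example-addon-one', 'example-addon-two' );
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown addon.' ), 400 );
    }

    // Only now perform the privileged operation. Activation shown here via core;
    // installation would go through Plugin_Upgrader after the same checks.
    // Assumes the addon's main file follows the slug/slug.php layout.
    $plugin_file = $slug . '/' . $slug . '.php';
    $result      = activate_plugin( $plugin_file );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'activated' => $plugin_file ) );
}
```

The original issue is the absence of both the nonce and capability gates, so any authenticated account, including shop customers, reached the privileged code path directly.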

The plugin is used together with the e-commerce plugin WooCommerce, which in most cases creates a WordPress user when a purchase is made in the shop. Many shops also allow visitors to register as customers. We have verified that the exploit works with users that have the customer role, which means that many websites are affected.

The vulnerability is present in version 2.0.9 and in all versions back to 1.0.9.

Proof of Concept

The PoC will be published on June 07, 2020, to give users time to update.

Affects Plugin
Fixed in version 2.0.10

URL https://plugins.trac.wordpress.org/changeset/2279932

OWASP Top 10 A2: Broken Authentication and Session Management

Verified No
WPVDB ID 10173

Publicly Published 2020-04-08 (about 2 months ago)
Added 2020-04-09 (about 2 months ago)
Last Updated 2020-05-04 (21 days ago)