4.3 CVE-2023-4948

 

The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_cvr_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above to update CVR numbers for orders.
https://nvd.nist.gov/vuln/detail/CVE-2023-4948

Categories

CWE-862 : Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

"AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization.

Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information.
Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.
Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.
Terminal server does not check authorization for guest access.
System monitoring software allows users to bypass authorization by creating custom forms.
Content management system does not check access permissions for private files, allowing others to view those files.
Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.
Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.
Database server does not use appropriate privileges for certain sensitive operations.
Gateway uses default "Allow" configuration for its authorization settings.
Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap.
ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.
Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
OS kernel does not check for a certain privilege before setting ACLs for files.
Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862).

References


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:yanco:woocommerce_cvr_payment_gateway:*:*:*:*:*:wordpress:*:* <= 6.1.0


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

Other (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
665 Exploitation of Thunderbolt Protection Flaws Very High


MITRE


Techniques

id description
T1211 Exploitation for Defensive Evasion
T1542.002 Pre-OS Boot: Component Firmware
T1556 Modify Authentication Process
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
T1211 Update software regularly by employing patch management for internal enterprise endpoints and servers.
T1542.002 Perform regular firmware updates to mitigate risks of exploitation and/or abuse.
T1556 Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.