CVE-2021-34646: Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.
On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the plugin.
Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on July 30, 2021. Sites still using the free version of Wordfence will receive the same protection on August 29, 2021.
We initially reached out to the plugin vendor on July 30, 2021. After receiving confirmation of an appropriate communication channel a few days later on August 2, 2021, we provided the full disclosure details. The vendor quickly acknowledged the report and a patch was released on August 11, 2021 in version 5.4.4.
We strongly recommend updating immediately to the latest patched version of Booster for WooCommerce, which is version 5.4.4 at the time of publication.
Booster for WooCommerce is an addon plugin for WooCommerce designed to enhance its functionality through the use of various modules that site owners can enable and disable at any point. One module that the plugin offers is an `Email Verification` module, which adds a requirement for users to verify their email after they have registered on the site.
Unfortunately, we found that this feature was insecurely implemented. An attacker could trigger a verification request for any user, easily recreate the token needed to “verify” that user’s email, and be automatically logged in as that user.
A Closer Look at The Exploit
In order to exploit this vulnerability, an attacker would need to execute two actions. The first action an attacker would need to perform involves sending a request to the vulnerable site’s home URL with the wcj_user_id parameter set to the user ID that the attacker would like to impersonate. This would likely be set to a user ID of 1 because the first user account typically created on WordPress sites is the administrative user account and this is rarely changed.
```php
} elseif ( isset( $_GET['wcj_user_id'] ) ) {
	$this->reset_and_mail_activation_link( $_GET['wcj_user_id'] );
	wc_add_notice( do_shortcode( wcj_get_option( 'wcj_emails_verification_email_resend_message',
		__( '<strong>Success:</strong> Your activation email has been resent. Please check your email.', 'woocommerce-jetpack' ) ) ) );
}
```
Once the request was sent, the reset_and_mail_activation_link() function was triggered. This retrieved the supplied user_id and generated a code for the user that was used to verify the email address. The function then triggered an email to be sent to the user with the generated verification link that could be used to verify the email address.
The core of the flaw lies here: the verification code was simply an MD5 hash of the request’s Unix timestamp. This made it possible for an attacker to recreate a valid verification code for any given user, without access to the targeted user’s email account, based solely on the time at which they sent the verification request.
```php
function reset_and_mail_activation_link( $user_id ) {
	$user_info = get_userdata( $user_id );
	$code = md5( time() ); // vulnerable: the "secret" is derived from the request time, which an attacker knows
	$url = add_query_arg( 'wcj_verify_email', base64_encode( json_encode( array( 'id' => $user_id, 'code' => $code ) ) ), wc_get_page_permalink( 'myaccount' ) );
	$email_content = do_shortcode( apply_filters( 'booster_option',
		__( 'Please click the following link to verify your email:<br><br><a href="%verification_url%">%verification_url%</a>', 'woocommerce-jetpack' ),
		get_option( 'wcj_emails_verification_email_content',
			__( 'Please click the following link to verify your email:<br><br><a href="%verification_url%">%verification_url%</a>', 'woocommerce-jetpack' ) ) ) );
	$email_content = str_replace( '%verification_url%', $url, $email_content );
	$email_subject = do_shortcode( apply_filters( 'booster_option',
		__( 'Please activate your account', 'woocommerce-jetpack' ),
		get_option( 'wcj_emails_verification_email_subject',
			__( 'Please activate your account', 'woocommerce-jetpack' ) ) ) );
	update_user_meta( $user_id, 'wcj_is_activated', '0' );
	update_user_meta( $user_id, 'wcj_activation_code', $code ); // the predictable code is stored and later compared on verification
	// ... excerpt ends here in the original; the email is sent after this point
```
Once the attacker had sent an email verification request for their target user, they would then need to perform the second action, which involved crafting the URL to “verify” the email. This would be the site’s home URL with the wcj_verify_email parameter set to a base64-encoded JSON payload, where the JSON body contains the target user ID as the `id` value and the `code` value set to the MD5 hash of the time at which the email verification request was made.
If the wcj_emails_verification_redirect_on_success option was set to yes and the data sent in the wcj_verify_email parameter was valid, then the wp_set_current_user and wp_set_auth_cookie functions would run and generate an authenticated session as the targeted user, thus allowing the attacker to bypass any authentication and gain access to any account they chose.
```php
} elseif ( isset( $_GET['wcj_verify_email'] ) ) {
	$data = json_decode( base64_decode( $_GET['wcj_verify_email'] ), true );
	// attacker-controlled id and code; the code only has to match the stored md5( time() )
	if ( ! empty( $data['id'] ) && ! empty( $data['code'] ) && get_user_meta( $data['id'], 'wcj_activation_code', true ) == $data['code'] ) {
		update_user_meta( $data['id'], 'wcj_is_activated', '1' );
		if ( 'yes' === wcj_get_option( 'wcj_emails_verification_redirect_on_success', 'yes' ) ) {
			// default setting: a matching code yields an authenticated session as that user
			wp_set_current_user( $data['id'] );
			wp_set_auth_cookie( $data['id'] );
		}
		$url = ( '' != ( $custom_url = wcj_get_option( 'wcj_emails_verification_redirect_on_success_custom_url', '' ) ) ? $custom_url : wc_get_page_permalink( 'myaccount' ) );
		wp_safe_redirect( add_query_arg( 'wcj_verified_email', $_GET['wcj_verify_email'], $url ) );
		exit;
	// ... excerpt ends here in the original
```
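For contrast with the two code paths above (token generation in reset_and_mail_activation_link and the wcj_verify_email check), the following is an added example of how a hardened implementation of the same flow looks. It is not the plugin's code or its patch; the wcj_secure_* function names and the wcj_activation_expires meta key are hypothetical, and it assumes the WordPress helpers (update_user_meta, get_user_meta, absint, HOUR_IN_SECONDS) are available.

```php
<?php
// Added example, not the plugin's code. Hypothetical helper names (wcj_secure_*).

// WEAK (as shipped in <= 5.4.3): the code is derived from a public value.
function wcj_weak_activation_code() {
	return md5( time() ); // anyone who knows the request time can recompute this
}

// HARDENED issue step: 128 bits from the CSPRNG, only a hash is stored, and the
// token expires. The raw token goes into the emailed link and nowhere else.
function wcj_secure_issue_activation_code( $user_id ) {
	$token = bin2hex( random_bytes( 16 ) ); // 32 hex chars, unpredictable
	update_user_meta( $user_id, 'wcj_is_activated', '0' );
	// storing a hash means a database read does not expose a usable token
	update_user_meta( $user_id, 'wcj_activation_code', hash( 'sha256', $token ) );
	update_user_meta( $user_id, 'wcj_activation_expires', time() + HOUR_IN_SECONDS ); // hypothetical meta key
	return $token;
}

// HARDENED verify step: strict decoding, type checks, expiry, constant-time
// comparison and single use. It returns the verified user ID (or false) and
// leaves the decision to create a session to the caller, so "verified email"
// is not silently equated with "authenticated user".
function wcj_secure_verify_activation( $raw_param ) {
	$json = base64_decode( (string) $raw_param, true ); // strict: false on bad input
	$data = ( false === $json ) ? null : json_decode( $json, true );
	if ( ! is_array( $data ) || empty( $data['id'] ) || empty( $data['code'] ) ) {
		return false;
	}
	$user_id = absint( $data['id'] );
	$code    = (string) $data['code'];
	if ( ! $user_id || ! preg_match( '/^[0-9a-f]{32}$/', $code ) ) {
		return false;
	}
	$stored  = (string) get_user_meta( $user_id, 'wcj_activation_code', true );
	$expires = (int) get_user_meta( $user_id, 'wcj_activation_expires', true );
	if ( '' === $stored || time() > $expires ) {
		return false;
	}
	// hash_equals: constant-time, and a strict string comparison rather than ==
	if ( ! hash_equals( $stored, hash( 'sha256', $code ) ) ) {
		return false;
	}
	delete_user_meta( $user_id, 'wcj_activation_code' ); // single use
	delete_user_meta( $user_id, 'wcj_activation_expires' );
	update_user_meta( $user_id, 'wcj_is_activated', '1' );
	return $user_id;
}
```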
As such, an attacker could exploit this vulnerability to gain administrative access on sites running a vulnerable version of the plugin and effectively take over the site.
To be successfully exploited on sites running the plugin, this vulnerability requires the `Email Verification` module to be enabled and the `Login User After Successful Verification` setting to be enabled, which it is by default.
Disclosure Timeline
July 30, 2021 – Conclusion of the plugin analysis that led to the discovery of an authentication bypass vulnerability in the Booster for WooCommerce WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We initiate contact with the plugin vendor.
August 2, 2021 – The vendor confirms the inbox for handling disclosure. We send over full disclosure details.
August 4, 2021 – The vendor confirms they have received the details and will begin working on a fix.
August 11, 2021 – A newly updated version of the plugin is released containing sufficient patches.
August 29, 2021 – Wordfence free users receive the firewall rule.
Conclusion
In today’s post, we detailed a flaw in Booster for WooCommerce that granted attackers the ability to bypass authentication and log in as any existing site user, including administrative users, that could be used to take over a vulnerable WordPress site. This flaw has been fully patched in version 5.4.4. We recommend that WordPress users immediately update to the latest version available, which is version 5.4.4 at the time of this publication.
Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on July 30, 2021. Sites still using the free version of Wordfence will receive the same protection on August 29, 2021.
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical vulnerability that can lead to full site takeover.