CVE-2026-4140

Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action

Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=3.1.6
Published: April 21, 2026
Last updated: April 22, 2026
Research Plan
Unverified

This research plan outlines the process for exploiting a Cross-Site Request Forgery (CSRF) vulnerability in the Ni WooCommerce Order Export plugin.

1. Vulnerability Summary

The Ni WooCommerce Order Export plugin (up to version 3.1.6) fails to implement nonce verification and capability checks in its AJAX handler for the ni_order_export_action action. Specifically, when the page parameter is set to nioe-order-settings, the code delegates processing to Ni_Order_Setting::page_ajax(). This function takes the entire $_REQUEST array and saves it directly into the WordPress database using update_option('ni_order_export_option', ...).

Because there is no verification that the request was intentionally sent by an administrator, an attacker can trick a logged-in admin into submitting a request that overwrites the plugin's configuration.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: ni_order_export_action
  • Vulnerable Parameter: page (must be nioe-order-settings)
  • Payload Parameters: Any key-value pairs sent in the request (e.g., via POST or GET) will be written to the ni_order_export_option option.
  • Authentication Level: The attacker is unauthenticated but requires an Authenticated Administrator to execute the request (via CSRF).
  • Preconditions:
    • The Ni WooCommerce Order Export plugin is active.
    • WooCommerce is active (as it is a dependency).

3. Code Flow (Inferred from Patch/Description)

  1. Registration: The plugin registers the AJAX hook:
    add_action('wp_ajax_ni_order_export_action', 'ni_order_export_action');
  2. Entry Point: ni_order_export_action() is executed when the AJAX request is received.
  3. Branching Logic: The function checks $_REQUEST['page'].
  4. Vulnerable Branch: If $_REQUEST['page'] === 'nioe-order-settings', it calls Ni_Order_Setting::page_ajax().
  5. The Sink: Inside page_ajax(), the code executes:
    update_option('ni_order_export_option', $_REQUEST);
  6. Failure: No check_ajax_referer() or current_user_can('manage_options') is called before the update_option sink.

4. Nonce Acquisition Strategy

According to the vulnerability description, this specific AJAX handler is missing nonce validation entirely. Therefore, no nonce is required to successfully exploit the vulnerability.

If a nonce were required, it would typically be found in the admin dashboard under the "Order Export" settings page, likely localized under a JS object. However, for this CVE, the strategy is to bypass the nonce check by simply omitting it or providing any value, as it is not verified in the affected versions.

5. Exploitation Strategy

The goal is to modify the plugin's export settings (e.g., the default filename for exports) to demonstrate unauthorized data modification.

Step-by-Step Plan:

  1. Identify Target Option Content: First, check the existing value of ni_order_export_option to understand the expected array structure.
  2. Construct Payload: Create a POST request targeting admin-ajax.php.
  3. Simulate CSRF: Use the http_request tool with the Administrator's cookies to execute the state-changing request.

HTTP Request (CSRF Simulation):

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=ni_order_export_action&page=nioe-order-settings&ni_filename=vulnerable_poc_export&ni_common_settings[buttons]=pwned

Note: Since the plugin saves the entire $_REQUEST array, the keys used depend on what the plugin's settings form expects. The keys ni_filename or ni_common_settings are common identifiers for this plugin.

6. Test Data Setup

  1. Install/Activate Plugin: Ensure ni-woocommerce-order-export and woocommerce are installed and active.
  2. Initial Configuration: Navigate to the plugin settings once as an admin to ensure the default options are initialized in the database.
  3. Identify Admin Session: The agent should already have access to the administrator session via the environment.

7. Expected Results

  • The server should return a successful response (often 0 or 1 for WordPress AJAX, or a JSON success message).
  • The WordPress option ni_order_export_option will be updated with the malicious values provided in the request.

8. Verification Steps

After performing the http_request, verify the change using WP-CLI:

# Check the value of the affected option
wp option get ni_order_export_option --format=json

Successful Exploit Criteria:

  • The output contains "ni_filename": "vulnerable_poc_export".
  • The output contains the action and page keys (side effect of the plugin saving the entire $_REQUEST array).

9. Alternative Approaches

If the plugin performs basic validation on the array structure:

  1. Form Extraction: Use browser_navigate to the plugin's settings page and use browser_eval to extract the exact names of the input fields:
    browser_eval("Array.from(document.querySelectorAll('input[name]')).map(i => i.name)")
  2. Refined Payload: Re-run the http_request using the exact keys found in the real settings form to ensure the update_option call doesn't fail due to data type mismatches.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 3.1.6. The plugin fails to implement nonce validation and capability checks in its 'ni_order_export_action' AJAX handler, specifically when processing settings updates. This allows an attacker to overwrite the plugin's configuration options by tricking a logged-in administrator into clicking a link or visiting a malicious page.

Vulnerable Code

// File: ni-woocommerce-order-export.php
add_action('wp_ajax_ni_order_export_action', 'ni_order_export_action');

function ni_order_export_action() {
    if (isset($_REQUEST['page']) && $_REQUEST['page'] === 'nioe-order-settings') {
        Ni_Order_Setting::page_ajax();
    }
}

---

// File: includes/class-ni-order-setting.php
class Ni_Order_Setting {
    public static function page_ajax() {
        // Vulnerable: No nonce check or capability check before updating options
        update_option('ni_order_export_option', $_REQUEST);
        wp_die();
    }
}
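As an added example (not the plugin's code and not part of this advisory), the hardened counterpart of the two functions above, together with an audit helper for the "Successful Exploit Criteria" check earlier on the page. It assumes a WordPress runtime (for example as an mu-plugin); the nonce action name ni_order_export_nonce and the security field name are taken from the fix diff on this page, while the whitelisted settings keys and the function names are assumptions made for illustration.

```php
<?php
/**
 * Hardened replacement for the page_ajax() settings sink shown above.
 * Added illustration, not the plugin's own code. Assumes it runs inside
 * WordPress: update_option, get_option, current_user_can, check_ajax_referer,
 * wp_nonce_field, wp_unslash and the sanitize_* helpers are WordPress core.
 * The nonce action 'ni_order_export_nonce' and the 'security' field name
 * come from the Security Fix diff; the settings keys below are assumed.
 */

// Assumed whitelist of settings the handler will persist, each mapped to
// the sanitizer applied to it. Anything not listed is dropped, which also
// discards transport fields such as 'action', 'page' and 'security'.
const NI_ALLOWED_SETTINGS = array(
    'ni_filename'        => 'sanitize_file_name',
    'ni_common_settings' => 'ni_sanitize_common_settings',
);

// Sanitizer for the nested ni_common_settings array: keys become safe slugs,
// values become plain text.
function ni_sanitize_common_settings( $value ) {
    if ( ! is_array( $value ) ) {
        return array();
    }
    $clean = array();
    foreach ( $value as $k => $v ) {
        $clean[ sanitize_key( (string) $k ) ] = sanitize_text_field( (string) $v );
    }
    return $clean;
}

// Pure function: reduce an incoming request array to the whitelisted,
// sanitized settings. wp_unslash() undoes WordPress's magic-quotes slashing.
function ni_filter_settings( array $request ) {
    $clean = array();
    foreach ( NI_ALLOWED_SETTINGS as $key => $sanitizer ) {
        if ( array_key_exists( $key, $request ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, wp_unslash( $request[ $key ] ) );
        }
    }
    return $clean;
}

// Drop-in body for Ni_Order_Setting::page_ajax(): capability check first,
// then the nonce, then a whitelisted merge into the existing option.
// Reading $_POST rather than $_REQUEST also rules out a GET-link trigger.
function ni_order_settings_page_ajax() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }
    // Dies with -1 (HTTP 403) when the 'security' field is absent or stale.
    check_ajax_referer( 'ni_order_export_nonce', 'security' );

    $current = get_option( 'ni_order_export_option', array() );
    $current = is_array( $current ) ? $current : array();
    $updated = array_merge( $current, ni_filter_settings( $_POST ) );

    update_option( 'ni_order_export_option', $updated );
    wp_send_json_success( $updated );
}

// The settings form must emit the matching nonce as a hidden 'security'
// input, otherwise every legitimate save would now be rejected.
function ni_render_settings_nonce_field() {
    wp_nonce_field( 'ni_order_export_nonce', 'security' );
}

// Audit helper for the verification step on this page: given the stored
// option (e.g. decoded from `wp option get ni_order_export_option
// --format=json`), return the keys no legitimate settings write would
// produce. Transport keys such as 'action' or 'page' in the stored value
// indicate the raw $_REQUEST was persisted by the unpatched handler.
// Pure PHP; needs no WordPress functions.
function ni_audit_stored_option( array $stored ) {
    return array_values( array_diff( array_keys( $stored ), array_keys( NI_ALLOWED_SETTINGS ) ) );
}
```

With the file loaded as an mu-plugin, `wp eval 'print_r( ni_audit_stored_option( (array) get_option( "ni_order_export_option" ) ) );'` lists the foreign keys in the stored option; an empty array is the clean result, while action and page appearing there matches the side effect described under "Successful Exploit Criteria". The order of checks is deliberate: the capability test runs before the nonce so that an unprivileged but logged-in user gets a 403 rather than a nonce error that leaks nothing useful either way, and the whitelist means the stored value can never contain anything the plugin did not ask for.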

Security Fix

--- a/includes/class-ni-order-setting.php
+++ b/includes/class-ni-order-setting.php
@@ -1,5 +1,8 @@
 public static function page_ajax() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( -1 );
+    }
+    check_ajax_referer( 'ni_order_export_nonce', 'security' );
     update_option('ni_order_export_option', $_REQUEST);
     wp_die();
 }
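Review bot: the unchanged sink line `update_option('ni_order_export_option', $_REQUEST);` still persists the raw request, so even a correctly nonced administrator save stores transport fields (action, page, security) and any other keys present in the request; reduce the input to the known settings keys and sanitize each value before calling update_option. The new `check_ajax_referer( 'ni_order_export_nonce', 'security' );` also requires the settings page to emit a nonce for that exact action under the security field, which this diff does not show; without that companion change every legitimate save dies with -1. Minor: reading $_POST instead of $_REQUEST would keep a GET link from reaching the sink at all.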

Exploit Outline

The attacker targets the 'ni_order_export_action' AJAX action via the /wp-admin/admin-ajax.php endpoint. By setting the 'page' parameter to 'nioe-order-settings', the plugin delegates the request to a function that saves the entire contents of $_REQUEST into the 'ni_order_export_option' database option. An attacker can craft a payload containing arbitrary configuration values (e.g., 'ni_filename=pwned') and trick an authenticated administrator into submitting it using a CSRF attack (such as a hidden auto-submitting HTML form on a malicious website), resulting in unauthorized modification of the plugin's export settings.
