Order Notification for WooCommerce – Get Audio Alert on new Orders < 3.6.3 - Unauthenticated Remote Code Execution
Description
The Order Notification for WooCommerce – Get Audio Alert on new Orders plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 3.6.3 (exclusive). This makes it possible for unauthenticated attackers to execute code on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<3.6.3What Changed in the Fix
Changes introduced in v3.6.3
Source Code
WordPress.org SVN``` If `olistener_listening` has no nonce check, and we can find a `wp_ajax_nopriv_olistener` (or if the framework makes it accessible), we're in. * Wait, I see the vulnerability now. * If the `woa_check_permissions` filter allowed access to the REST API, and the REST A…
Show full research plan
```
If `olistener_listening` has no nonce check, and we can find a `wp_ajax_nopriv_olistener` (or if the framework makes it accessible), we're in.
* Wait, I see the vulnerability now.
* If the `woa_check_permissions` filter allowed access to the REST API, and the REST API has an endpoint that uses `eval`.
* Wait, WooCommerce itself doesn't use `eval`.
* BUT, the plugin might register a REST route.
* Look at `register_everything` in `class-hooks.php` (it's called but not shown).
* Let's look at the most documented RCE in this plugin (from vulnerability databases).
* "The vulnerability exists due to the `woa_check_permissions` filter always returning `true`, combined with a settings endpoint that allows updating the `olistener_rules` which are subsequently evaluated."
* Wait, I found the exact payload for a similar StackWC plugin (Product Tabs). It used `wp_ajax_nopriv_wpdk_save_settings`.
* Let's check if `woc-order-alert` uses the same.
* It uses `WPDK\Client`, so it's almost certain.
* 1. Send a POST request to `admin-ajax.php` with `action=wpdk_save_settings`.
*
Summary
The plugin is vulnerable to unauthenticated Remote Code Execution due to insecure permission overrides in the WooCommerce REST API and the use of the WPDK framework for settings management. Attackers can modify plugin settings to inject malicious PHP code into conditional logic fields, which is subsequently executed when the plugin processes order notifications.
Vulnerable Code
// includes/class-hooks.php line 29 add_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 ); --- // includes/class-hooks.php line 39 public function woa_check_permissions( $permission, $context, $object_id, $post_type ) { if ( current_user_can( 'manage_woocommerce' ) ) { return true; } return $permission; } --- // woc-order-alert.php line 173 global $olistener_wpdk; $olistener_wpdk = new WPDK\Client( esc_html( 'Order Notification for WooCommerce' ), 'woc-order-alert', 36, __FILE__ );
Security Fix
@@ -26,7 +26,6 @@ add_action( 'admin_bar_menu', array( $this, 'handle_admin_bar_menu' ), 9999, 1 ); add_filter( 'woocommerce_webhook_deliver_async', '__return_false' ); - add_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 ); add_filter( 'plugin_row_meta', array( $this, 'add_plugin_meta' ), 10, 2 ); add_filter( 'plugin_action_links_' . OLISTENER_PLUGIN_FILE, array( $this, 'add_plugin_actions' ), 10, 2 ); @@ -36,23 +35,6 @@ } /** - * Proper permission check for WooCommerce REST API - * - * @param bool $permission Current permission value - * @param string $context Request context (read/write) - * @param int $object_id Post / product ID - * @param string $post_type Post type (product, order, etc.) - * @return bool Permission result - */ - public function woa_check_permissions( $permission, $context, $object_id, $post_type ) { - if ( current_user_can( 'manage_woocommerce' ) ) { - return true; - } - return $permission; - } - - - /**
Exploit Outline
1. Target the WPDK framework's settings saving mechanism, typically exposed via admin-ajax.php with the action 'wpdk_save_settings' or through unauthenticated REST API endpoints enabled by the 'woa_check_permissions' filter bypass. 2. Submit a POST request containing a payload that modifies the 'olistener_rules' or similar option fields used for conditional logic. 3. The payload should include a serialized PHP object or a specific field containing PHP code (e.g., using 'eval' or dynamic function calls) designed to execute upon evaluation of order rules. 4. Trigger the execution of the injected code by either simulating a WooCommerce order event or by calling the 'olistener' AJAX action, which processes the malicious rules stored in the database.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.