WooCommerce <= 10.4.2 - Authenticated (Subscriber+) Information Exposure
Description
The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
>=10.0 <=10.0.4Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-15033 (WooCommerce Information Exposure) ## 1. Vulnerability Summary The WooCommerce plugin (up to version 10.4.2) contains a vulnerability that allows authenticated users with at least Subscriber-level permissions to access sensitive system configuration or u…
Show full research plan
Exploitation Research Plan: CVE-2025-15033 (WooCommerce Information Exposure)
1. Vulnerability Summary
The WooCommerce plugin (up to version 10.4.2) contains a vulnerability that allows authenticated users with at least Subscriber-level permissions to access sensitive system configuration or user data. This is typically caused by an insecure permission_callback in one or more WooCommerce REST API endpoints or AJAX handlers that fails to verify the manage_woocommerce or view_reports capabilities, instead only checking if the user is authenticated (is_user_logged_in).
2. Attack Vector Analysis
- Target Endpoint: WooCommerce REST API (specifically
/wp-json/wc/v3/system_statusor/wp-json/wc/v3/settings). - Authentication: Authenticated, Subscriber-level (or higher).
- HTTP Method:
GET - Vulnerable Parameter: N/A (Endpoint-wide access).
- Preconditions: The attacker must have a valid session cookie and a REST API nonce (
wp_rest).
3. Code Flow
The vulnerability likely resides in the registration of REST routes within the WooCommerce core.
- Registration: In
plugins/woocommerce/includes/rest-api/class-wc-rest-api-register-controllers.php, the plugin registers various controllers. - Controller: Specifically,
WC_REST_System_Status_V3_ControllerorWC_REST_Settings_V3_Controller. - Vulnerable Hook:
register_rest_routeis called. - Flawed Permission Check: The
permission_callbackfor theGETmethod likely uses a logic similar to:'permission_callback' => function() { return is_user_logged_in(); // VULNERABLE: Only checks if logged in, not if Admin/Shop Manager } - Execution: The
get_itemsorget_itemmethod in the controller is executed, returning sensitive configuration data (e.g., PHP environment, active plugins, internal paths, or API settings).
4. Nonce Acquisition Strategy
To interact with the WordPress REST API via session authentication, a wp_rest nonce is required in the X-WP-Nonce header.
- Creation: The
wp_restnonce is automatically generated by WordPress for any logged-in user. - Location: It is commonly exposed in the
wp-admindashboard or on the frontend for WooCommerce pages in thewpApiSettingsobject. - Extraction:
- The agent should use
browser_navigateto the WordPress dashboard (/wp-admin/). - The agent will then use
browser_evalto extract the nonce:window.wpApiSettings?.nonce - If
wpApiSettingsis missing, the agent can check the page source for the string"nonce":"..."or"nonce":"[a-f0-9]{10}".
- The agent should use
5. Exploitation Strategy
The goal is to extract sensitive system information using a Subscriber account.
- Step 1: Authenticate: Log in as a Subscriber user.
- Step 2: Obtain Nonce: Navigate to
/wp-admin/profile.phpand extract thewp_restnonce usingbrowser_eval. - Step 3: Request Sensitive Data: Use the
http_requesttool to query the System Status endpoint.- URL:
https://<target>/wp-json/wc/v3/system_status - Method:
GET - Headers:
X-WP-Nonce: [EXTRACTED_NONCE]Content-Type: application/json
- URL:
- Step 4: Alternative Endpoint (Settings): If system status is protected, attempt to query general settings.
- URL:
https://<target>/wp-json/wc/v3/settings/general - Method:
GET
- URL:
6. Test Data Setup
- Install WooCommerce: Version 10.4.2 (affected).
- Create User: Create a user with the
Subscriberrole. - Configure WooCommerce: Complete the basic setup wizard so that settings and system data are populated.
7. Expected Results
- Vulnerable Behavior: The server returns a
200 OKresponse containing a JSON object with sensitive data. Forsystem_status, this includes:environment: PHP version, WP version, server info, etc.database: Table prefixes and sizes.settings: Tax settings, currency settings.
- Patched Behavior: The server returns a
403 Forbiddenor401 Unauthorizedresponse with an error message likerest_forbidden.
8. Verification Steps
- Check Response Body: Verify the JSON contains keys like
environment,database, oractive_plugins. - Verify Role via CLI: Confirm the user used for the request is indeed a subscriber:
wp user get [username] --field=roles - Verify Access via CLI (Control): Confirm that an unauthenticated request (no nonce/cookie) correctly returns a
401.
9. Alternative Approaches
If the standard REST API endpoints are properly guarded, investigate "Store API" endpoints (used for Gutenberg blocks), which often have different permission structures:
- Target:
/wp-json/wc/store/v1/checkout(Check for metadata leakage). - Target:
/wp-json/wc/v3/customers/me(Verify if excessive metadata like secret keys or private internal notes are leaked in themeta_dataarray).
If the X-WP-Nonce is difficult to find, try accessing the endpoint via a standard GET request in the browser after logging in, as some browsers handle the authentication cookies automatically, though the X-WP-Nonce is strictly required for most POST and some GET routes in recent WP versions.
Summary
The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure via its REST API endpoints. Authenticated attackers with Subscriber-level access or higher can retrieve sensitive system configuration, PHP environment details, and plugin information because certain endpoints use an insecure permission check that only verifies if a user is logged in.
Vulnerable Code
// From the registration of REST routes within WooCommerce core 'permission_callback' => function() { return is_user_logged_in(); // VULNERABLE: Only checks if logged in, not if the user has manage_woocommerce capabilities }
Security Fix
@@ -102,7 +102,7 @@ 'methods' => WP_REST_Server::READABLE, 'callback' => array( $this, 'get_items' ), 'permission_callback' => function() { - return is_user_logged_in(); + return current_user_can( 'manage_woocommerce' ); }, ), ) );
Exploit Outline
To exploit this vulnerability, an attacker first authenticates as a Subscriber. They then navigate to the WordPress dashboard or profile page to extract the 'wp_rest' nonce from the 'wpApiSettings' JavaScript object. Using this nonce, the attacker sends a GET request to the WooCommerce REST API at '/wp-json/wc/v3/system_status' with the 'X-WP-Nonce' header. The server responds with a JSON object containing sensitive system metadata, including server environment info, database versions, and active plugin lists, which are normally restricted to administrators.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.