WPC Smart Wishlist for WooCommerce <= 5.0.8 - Missing Authorization
Description
The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.0.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 5.0.8
What Changed in the Fix
Changes introduced in v5.0.9
Source Code
WordPress.org SVN
Research Plan
id` parameter.
- Impact: Authenticated users can add products to any wishlist.
Wait, let's look at the "Settings" menu again.
Is there a way for a subscriber to toggle the "Enable" setting?
No.
Okay, I will proceed with the **Unauthorized Wishlist Manipulation (Adding items to other lists)** plan.
1. Create User A (Victim, Subscriber).
2. Create User B (Attacker, Subscriber).
3. Create a product.
4. Get User A's `wishlist_key`.
5. As Attacker, get the `woosw_vars.nonce`.
6. As Attacker, send `POST /?wc-ajax=woosw_add` with `product_id=<PROD>` and `key=<USER_A_KEY>`.
7. Verify product is in User A's wishlist.
How to get the `wishlist_key` for a user via CLI?
WPC Smart Wishlist stores it in `usermeta`.
Let's check the likely key: `_woosw_key`.
(I'll assume `_woosw_key` or check for it).
- Main File: `wpc-smart-wishlist.php`
- Constructor lines: 148-185 (Registration of AJAX)
- Handler `ajax_add`: Line 342
Summary
The WPC Smart Wishlist for WooCommerce plugin lacks proper ownership verification in its AJAX handlers, specifically for adding and removing items. Authenticated attackers with subscriber-level access can manipulate the wishlists of other users by providing the target user's unique wishlist key in the request parameters.
Vulnerable Code
```php
// wpc-smart-wishlist.php line 342 (approximate based on version 5.0.8)
public function ajax_add() {
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $key        = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';

    // The function proceeds to add the product to the wishlist identified by $key
    // without verifying if the current user owns the wishlist associated with that key.
    if ( ! empty( $key ) ) {
        $this->add_to_wishlist( $product_id, $key );
    }
    // ... (truncated)
}

// wpc-smart-wishlist.php line 409 (approximate based on version 5.0.8)
public function ajax_remove() {
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $key        = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';

    // Similarly, removal actions do not validate that the current user has authority over the provided $key.
    if ( ! empty( $key ) ) {
        $this->remove_from_wishlist( $product_id, $key );
    }
    // ... (truncated)
}
```
Security Fix
@@ -342,6 +342,10 @@ public function ajax_add() { $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0; $key = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : ''; + if ( is_user_logged_in() && ( $key !== get_user_meta( get_current_user_id(), '_woosw_key', true ) ) ) { + wp_send_json_error( [ 'message' => esc_html__( 'You are not allowed to modify this wishlist!', 'woo-smart-wishlist' ) ] ); + } + if ( ! empty( $key ) ) { $this->add_to_wishlist( $product_id, $key ); } @@ -409,6 +413,10 @@ public function ajax_remove() { $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0; $key = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : ''; + if ( is_user_logged_in() && ( $key !== get_user_meta( get_current_user_id(), '_woosw_key', true ) ) ) { + wp_send_json_error( [ 'message' => esc_html__( 'You are not allowed to modify this wishlist!', 'woo-smart-wishlist' ) ] ); + } + if ( ! empty( $key ) ) { $this->remove_from_wishlist( $product_id, $key ); }
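Review bot: in the `@@ -342,6 +342,10 @@` hunk the new ownership check is wrapped in `is_user_logged_in()`, so a request with no WordPress session that still supplies a non-empty `key` falls through to `$this->add_to_wishlist( $product_id, $key )` with no check at all; unless guest wishlists are meant to be addressable by an arbitrary key, the condition should refuse any key-addressed request that cannot be tied to the current session, not only mismatches from logged-in users. The branch also relies on `wp_send_json_error()` terminating the request; an explicit `return;` after it would make that intent visible to readers of the handler.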
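Review bot: the `@@ -409,6 +413,10 @@` hunk repeats the `ajax_add()` check line for line, including the `is_user_logged_in()` gating that leaves unauthenticated key-addressed requests unchecked; move the comparison into one private helper (for example `current_user_owns_key( $key )`) called from both `ajax_add()` and `ajax_remove()`, so the rule can be tightened in a single place and any further handler that reads `$_POST['key']` cannot skip it.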
Exploit Outline
The exploit targets the AJAX endpoints registered by the plugin for wishlist management.
1. Preparation: An attacker must obtain the `wishlist_key` of the target user. This key is stored in the `wp_usermeta` table under the meta key `_woosw_key` and may be exposed via other information leaks or predictable patterns if the site has many users.
2. Authentication: The attacker logs in with a low-privileged account (Subscriber).
3. Payload: The attacker identifies a `product_id` they wish to force into the victim's wishlist.
4. Request: The attacker sends a POST request to `/?wc-ajax=woosw_add` containing the victim's `key` and the target `product_id`.
5. Result: Because the plugin only checks if the `key` exists and not whether the authenticated user is the owner of that key, the product is successfully added to the victim's private wishlist.
Similar methodology applies to the `woosw_remove` endpoint to delete items from other users' lists.
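The ownership binding that the Summary, the Vulnerable Code and this outline show to be missing, as an added example that is not the plugin's code: a pure PHP function deciding whether a request-supplied wishlist key belongs to the current user, runnable outside WordPress. The caller passes what the fix reads from the `_woosw_key` usermeta; the function name, the constructed key values and the refusal of key-addressed requests from unauthenticated visitors are assumptions of this example.

```php
<?php
// Added example, not code from the plugin. Decides whether the 'key' POST
// parameter of woosw_add / woosw_remove may be acted on by the current user.
// Pure function so it can be exercised outside WordPress: the caller passes
// the key the site stores for the user (the fix reads '_woosw_key' usermeta)
// together with the sanitized request key.
declare(strict_types=1);

/**
 * @param int    $current_user_id 0 for an unauthenticated visitor (WordPress convention).
 * @param string $stored_key      the user's own wishlist key, '' if none was ever assigned.
 * @param string $request_key     the 'key' value from the request, already sanitized.
 */
function current_user_owns_wishlist_key(int $current_user_id, string $stored_key, string $request_key): bool
{
    // Assumption of this example: guest wishlists are not modelled, so an
    // unauthenticated request that names a key is refused rather than trusted.
    if ($current_user_id <= 0) {
        return false;
    }
    // A user with no assigned key owns no wishlist yet, and an empty request
    // key matches nothing; both are refused before any comparison.
    if ($stored_key === '' || $request_key === '') {
        return false;
    }
    // Constant-time string comparison; strict types keep PHP's loose
    // comparison rules out of an authorization decision.
    return hash_equals($stored_key, $request_key);
}

// Constructed scenario mirroring the advisory: user A (victim, id 2) and
// user B (attacker, id 3) are subscribers, each with their own wishlist key.
$key_a = 'c0ffee-victim-key';   // constructed, stands in for A's _woosw_key
$key_b = 'decade-attacker-key'; // constructed, stands in for B's _woosw_key

$cases = [
    // [caller id, caller's stored key, key in request, expected decision]
    [3, $key_b, $key_a, false], // B sends A's key: the reported attack, refused
    [3, $key_b, $key_b, true],  // B acts on B's own list: allowed
    [3, $key_b, '',     false], // no key in the request: nothing to act on
    [3, '',     $key_a, false], // B has no key of their own yet: refused
    [0, '',     $key_a, false], // unauthenticated request naming A's key: refused
];

foreach ($cases as [$uid, $stored, $requested, $expected]) {
    $decision = current_user_owns_wishlist_key($uid, $stored, $requested);
    printf("uid=%d key=%-22s allowed=%-5s %s\n", $uid, var_export($requested, true),
        var_export($decision, true), $decision === $expected ? 'ok' : 'UNEXPECTED');
}
```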