Unauthenticated Media Deletion Vulnerability Patched In WooCommerce Checkout Manager Plugin

Earlier this week, a security update was released for the WooCommerce Checkout Manager plugin for WordPress. This update fixes two distinct vulnerabilities: an arbitrary file upload flaw present in certain configurations, and a flaw allowing attackers to delete media files from affected sites. The plugin’s users are advised to install the latest available version (4.3 at the time of this writing) as soon as possible to prevent exploitation of the flaws patched in this update.

The file upload vulnerability was initially made public in a report by an unnamed security researcher, which was irresponsibly published on April 23rd without privately notifying the plugin’s author. In the process of verifying the report, our team identified an additional media deletion flaw which needed to be patched. We reached out to the plugin’s developer the same day to begin the disclosure process, and have deployed a firewall rule to protect our users from these exploits.

In this post we’ll be sharing details regarding both of these flaws, with particular focus on the media deletion flaw which has yet to be reported.

Conditional Arbitrary File Upload

The initially disclosed flaw in WooCommerce Checkout Manager allowed unauthenticated users to upload arbitrary files to affected sites in certain configurations. Specifically, the plugin’s “Categorize Uploaded Files” option needed to be active for this flaw to be exploitable.

With the plugin active, a site’s customers have the ability to upload files associated with their orders during the checkout process. Without the “Categorize Uploaded Files” option enabled, the plugin made use of WordPress’s built-in media upload handler, which is generally effective at keeping out malicious scripts. However, when the option is enabled, it directly uploads the file without any security checks, allowing dangerous files to be uploaded.

Wordfence firewall users, both premium and free, are protected from malicious script uploads.

Unauthenticated Media Deletion Flaw

While testing reports of the file upload flaw above, our team discovered a flaw which would allow attackers to delete media files from the affected site.

Alongside the file upload feature, the plugin is able to delete the attachments users have uploaded at checkout. In unpatched versions, this deletion feature allowed unauthenticated users to delete any media file, not just those associated with a user’s checkout uploads.

function update_attachment_wccm_callback() {

	global $post, $wpdb, $woocommerce;

	$array1 = explode( ',', sanitize_text_field( isset( $_POST['wccm_default_keys_load'] ) ? $_POST['wccm_default_keys_load'] : '' ) );
	$array2 = explode( ',', sanitize_text_field( isset( $_POST['product_image_gallery'] ) ? $_POST['product_image_gallery'] : '' ) );
	$attachment_ids = array_diff( $array1, $array2 );

	if( isset( $_POST['wccm_default_keys_load'] ) ) {
		if( !empty( $attachment_ids ) ) {
			foreach( $attachment_ids as $key => $values ) {
				wp_delete_attachment( $attachment_ids[$key] );
			}
		}
		echo __('Deleted successfully.','woocommerce-checkout-manager');
	}
	die();

}
add_action( 'wp_ajax_update_attachment_wccm', 'update_attachment_wccm_callback' );
add_action( 'wp_ajax_nopriv_update_attachment_wccm', 'update_attachment_wccm_callback' );

The above function, update_attachment_wccm_callback, is hooked into the update_attachment_wccm AJAX action. The function is only intended for Administrator and Shop Manager users, but was available to unauthenticated users due to its additional nopriv_ registration and a lack of capabilities checks. In the function, two POST body parameters are converted to arrays and then compared. Any media attachments with IDs present in $_POST['wccm_default_keys_load'] but not in $_POST['product_image_gallery'] are deleted via the built-in wp_delete_attachment function. This not only deletes the associated file, but removes its metadata from the WordPress media library.

An attacker with motivation to take down a site’s images and other media could do so by identifying a set of media IDs, or simply iterating over a wide range of values, and assigning them to wccm_default_keys_load as a comma-delimited string. Because the ternary operation on line 2176 returns an empty string by default, we don’t need to set a product_image_gallery parameter for comparison unless we wanted to exclude specific IDs for some reason.

For example, to delete any media files with IDs from 1 to 10, you’d send a POST request to http://example[.]com/wp-admin/admin-ajax.php?action=update_attachment_wccm with the POST body wccm_default_keys_load=1,2,3,4,5,6,7,8,9,10.

Next Steps

The plugin’s author, Visser Labs, has patched these issues in version 4.3 of WooCommerce Checkout Manager. It is advised that all sites making use of the plugin update as soon as possible. For sites which haven’t patched, a new Wordfence firewall rule has been deployed to prevent abuse of the media deletion flaw. Premium users have immediate access to this new rule, and free users will gain access in thirty days. Both free and premium users already benefit from built-in rules which offer protection from the file upload vulnerability as well.

At this time, we have not identified significant exploitation of either of these vulnerabilities. We will continue to monitor for related activity and issue further reports if necessary.

Thanks to Ram Gall from the Defiant QA team for the discovery of the media deletion vulnerability.