The Wordfence Threat Intelligence team has discovered a vulnerability in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites.

This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the plugin.

Booster for WooCommerce is an add-on plugin for WooCommerce designed to enhance its functionality through the use of various modules that site owners can enable and disable at any point. One module that the plugin offers is an `Email Verification` module, which adds a requirement for users to verify their email after they have registered on the site.

In order to exploit this vulnerability, an attacker would need to execute two actions. The first action an attacker would need to perform involves sending a request to the vulnerable site’s home URL with the wcj_user_id parameter set to the user ID that the attacker would like to impersonate. This would likely be set to a user ID of 1 because the first user account typically created on WordPress sites is the administrative user account and this is rarely changed.

} elseif ( isset( $_GET['wcj_user_id'] ) ) {
    $this->reset_and_mail_activation_link( $_GET['wcj_user_id'] );
    wc_add_notice( do_shortcode( wcj_get_option( 'wcj_emails_verification_email_resend_message',
        __( '<strong>Success:</strong> Your activation email has been resent. Please check your email.', 'woocommerce-jetpack' ) ) ) );
}

Once the request was sent, the reset_and_mail_activation_link() function was triggered. This retrieved the supplied user_id and generated a code for the user that was used to verify the email address. The function then triggered an email to be sent to the user with the generated verification link that could be used to verify the email address.

READ
CERT-In Finds Multiple Vulnerabilities in Android, Advises Users to Update

The core of the flaw lies here where the verification code was simply an MD5 hash of the time of the request. This made it possible for an attacker to easily recreate a valid verification code without access to the targeted user’s email account based on the time they sent a verification request for any given user.

Buy Me A Coffee
function reset_and_mail_activation_link( $user_id ) {
    $user_info     = get_userdata( $user_id );
    $code          = md5( time() );
    $url           = add_query_arg( 'wcj_verify_email', base64_encode( json_encode( array( 'id' => $user_id, 'code' => $code ) ) ), wc_get_page_permalink( 'myaccount' ) );
    $email_content = do_shortcode( apply_filters( 'booster_option',
        __( 'Please click the following link to verify your email:<br><br><a href="%verification_url%">%verification_url%</a>', 'woocommerce-jetpack' ),
        get_option( 'wcj_emails_verification_email_content',
            __( 'Please click the following link to verify your email:<br><br><a href="%verification_url%">%verification_url%</a>', 'woocommerce-jetpack' ) ) ) );
    $email_content = str_replace( '%verification_url%', $url, $email_content );
    $email_subject = do_shortcode( apply_filters( 'booster_option',
        __( 'Please activate your account', 'woocommerce-jetpack' ),
        get_option( 'wcj_emails_verification_email_subject',
            __( 'Please activate your account', 'woocommerce-jetpack' ) ) ) );
    update_user_meta( $user_id, 'wcj_is_activated', '0' );
    update_user_meta( $user_id, 'wcj_activation_code', $code );

Once the attacker had sent an email verification request for their target user, they would then need to perform the second action which involved crafting the URL to “verify” the email. This would be the site’s home URL with the wcj_verify_email parameter set to a base64 JSON-encoded payload where the JSON-encoded body contains the target user ID set at the `id` value and the `code` value set as the generated MD5 hash of the time that the email verification request was made.

READ
24 Bugs in Chinese Biometric Devices Can Compromise Data

If the wcj_emails_verification_redirect_on_success option was set to yes and the data sent in the wcj_verify_email parameter was valid, then the wp_set_current_user and wp_set_auth_cookie functions would run and generate an authenticated session as the targeted user, thus allowing the attacker to bypass any authentication and gain access to any account they chose.

 elseif ( isset( $_GET['wcj_verify_email'] ) ) {
    $data = json_decode( base64_decode( $_GET['wcj_verify_email'] ), true );
    if ( ! empty( $data['id'] ) && ! empty( $data['code'] ) && get_user_meta( $data['id'], 'wcj_activation_code', true ) == $data['code'] ) {
        update_user_meta( $data['id'], 'wcj_is_activated', '1' );
        if ( 'yes' === wcj_get_option( 'wcj_emails_verification_redirect_on_success', 'yes' ) ) {
            wp_set_current_user( $data['id'] );
            wp_set_auth_cookie( $data['id'] );
        }
        $url = ( '' != ( $custom_url = wcj_get_option( 'wcj_emails_verification_redirect_on_success_custom_url', '' ) ) ? $custom_url : wc_get_page_permalink( 'myaccount' ) );
        wp_safe_redirect( add_query_arg( 'wcj_verified_email', $_GET['wcj_verify_email'], $url ) );
        exit;

As such, an attacker could exploit this vulnerability to gain administrative access on sites running a vulnerable version of the plugin and effectively take-over the site.

We strongly recommend updating immediately to the latest patched version of Booster for WooCommerce, which is version 5.4.4 at the time of publication.