István Márton
September 24, 2024

20,000 WordPress Sites Affected by Privilege Escalation Vulnerability in WCFM – WooCommerce Frontend Manager WordPress Plugin

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with >=1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024, researchers can earn up to $31,200, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

On August 28th, 2024, we received a submission for a Privilege Escalation via Account Takeover vulnerability in WCFM – WooCommerce Frontend Manager, a WordPress plugin with more than 20,000 active installations. This vulnerability makes it possible for an authenticated attacker to change the email of any user, including an administrator, which allows them to reset the password and take over the account and website.

Props to wesley (wcraft) who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,127.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 28, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on September 27, 2024.

We contacted the WCLovers team on August 28, 2024, and received a response on the same day. After providing full disclosure details, the developer released a patch on September 23, 2024. We would like to commend the WCLovers team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WCFM – WooCommerce Frontend Manager, which is version 6.7.13, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.12 – Insecure Direct Object Reference to Account Takeover/Privilege Escalation
Affected Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug: wc-frontend-manager
Affected Versions: <= 6.7.12
CVE ID: CVE-2024-8290
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: wesley (wcraft)
Fully Patched Version: 6.7.13
Bounty Award: $1,127.00

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.

Technical Analysis

WCFM is a WordPress and WooCommerce multi vendor frontend store manager plugin, which includes many features, such as frontend dashboard, product and order manager, reports and much more. One such feature of the plugin is the ability for registered vendors to manage users who have purchased from their store. Unfortunately, part of this functionality was insecurely implemented making it possible to reset arbitrary user’s emails, and subsequently request a password reset to gain access to the account.

Examining the code reveals that the plugin uses the wcfm_customers_ajax_controller() function in the WCFM_Customer class to handle AJAX requests based on the ‘controller‘ parameter.

public function wcfm_customers_ajax_controller() {
	global $WCFM, $WCFMu;

	if (!check_ajax_referer('wcfm_ajax_nonce', 'wcfm_ajax_nonce', false)) {
		echo '{"status": false, "message": "' . esc_html__('Invalid nonce! Refresh your page and try again.', 'wc-frontend-manager') . '"}';
		wp_die();
	}

	$controllers_path = $WCFM->plugin_path . 'controllers/customers/';

	$controller = '';
	if (isset($_POST['controller'])) {
		$controller = wc_clean($_POST['controller']);

		switch ($controller) {

When invoking the ‘wcfm-customers-manage‘ controller, a capability check ensures that the user has at least one of the specified capabilities or roles, such as the ‘manage_woocommerce‘ capability or the ‘wcfm_vendor‘ role.

After that, it invokes an instance of the WCFM_Customers_Manage_Controller class.

case 'wcfm-customers-manage':
	if (!current_user_can('manage_woocommerce') && !current_user_can('wcfm_vendor') && !current_user_can('seller') && !current_user_can('vendor') && !current_user_can('shop_staff')) {
		wp_send_json_error(esc_html__('You don&#8217;t have permission to do this.', 'woocommerce'));
		wp_die();
	}

	include_once($controllers_path . 'wcfm-controller-customers-manage.php');
	new WCFM_Customers_Manage_Controller();
	break;

The constructor immediately invokes the processing() function, which handles the form processing. It parses the ‘wcfm_customers_manage_form‘ parameter into the $wcfm_customer_form_data variable.

class WCFM_Customers_Manage_Controller {

	public function __construct() {
		global $WCFM, $WCFMu;

		$this->processing();
	}

	public function processing() {
		global $WCFM, $WCFMu, $wpdb, $wcfm_customer_form_data;

		$wcfm_customer_form_data = array();
	  parse_str($_POST['wcfm_customers_manage_form'], $wcfm_customer_form_data);

If the ‘customer_id‘ parameter is specified in the request, it sets the $customer_id variable and also sets the $is_update variable, which means it will update the specified customer.

if( isset($wcfm_customer_form_data['customer_id']) && $wcfm_customer_form_data['customer_id'] != 0 ) {
	$customer_id = absint( $wcfm_customer_form_data['customer_id'] );
	$is_update = true;
if( $is_update ) {
	unset( $user_data['user_login'] );
	unset( $user_data['display_name'] );
	unset( $user_data['nickname'] );
	unset( $user_data['user_pass'] );
	unset( $user_data['role'] );
	$customer_id = wp_update_user( $user_data ) ;

The $user_data includes the email, which means an attacker could change the user’s email. Once the attacker changes the email, they can reset the password for that user and take over the account. This functionality has no restrictions on the users that a vendor can reset emails for and no verification on the email update, making it possible for a registered vendor to update the password for an administrative user and gain complete control over the site.

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and to modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Disclosure Timeline

August 28, 2024 – We received the submission for the Insecure Direct Object Reference to Account Takeover/Privilege Escalation vulnerability in WCFM – WooCommerce Frontend Manager via the Wordfence Bug Bounty Program.
August 28, 2024 – We validated the report and confirmed the proof-of-concept exploit.
August 28, 2024Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
August 28, 2024 – We initiated contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
August 29, 2024 – The vendor confirmed the inbox for handling the discussion.
August 29, 2024 – We sent over the full disclosure details. The vendor acknowledged the report and began working on a fix.
September 23, 2024 – The fully patched version of the plugin, 6.7.13, is released.
September 27, 2024 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation via Account Takeover vulnerability within the WCFM – WooCommerce Frontend Manager plugin affecting versions 6.7.12 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to change an administrator’s email and subsequently take over the account via a password reset which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 6.7.13 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WCFM – WooCommerce Frontend Manager.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 28, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on September 27, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Trust Your Site
to the Leader in WordPress Security

Wordfence Security includes an endpoint firewall, malware scanner, robust login security features, live traffic views, and more. Discover why over 5 million WordPress sites put their trust in Wordfence.

Protect Your Site

Did you enjoy this post? Share it!

LinkedIn 

Comments

No Comments

All comments are moderated before being published. Inappropriate or off-topic comments may not be approved.

Breaking WordPress Security Research in your inbox as it happens.

Example of a news story

This site uses cookies in accordance with our Privacy Policy.