CVE-2023-37872 – This CVE describes a Missing Authorization (Bro... (How to Fix)

Q: What is the severity of CVE-2023-37872?

CVE-2023-37872 has a CVSS score of 6.5 (MEDIUM). This CVE describes a Missing Authorization (Broken Access Control) vulnerability in the WooCommerce Ship to Multiple Addresses WordPress plugin. It allows unauthorized users to perform actions that should require proper authentication, potentially manipulating shipping addresses or order data. All WordPress sites using affected versions of this plugin are vulnerable.

📋 TL;DR

This CVE describes a Missing Authorization (Broken Access Control) vulnerability in the WooCommerce Ship to Multiple Addresses WordPress plugin. It allows unauthorized users to perform actions that should require proper authentication, potentially manipulating shipping addresses or order data. All WordPress sites using affected versions of this plugin are vulnerable.

💻 Affected Systems

Products:

WooCommerce Ship to Multiple Addresses WordPress plugin

Versions: All versions up to and including 3.8.5

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects WordPress installations with the vulnerable plugin enabled. Requires WooCommerce to be installed.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthenticated attackers could modify shipping addresses, manipulate orders, or potentially access sensitive customer information, leading to data theft, order fraud, or supply chain disruption.

🟠

Likely Case

Attackers with some site access could escalate privileges or manipulate shipping data, potentially redirecting shipments or compromising order integrity.

🟢

If Mitigated

With proper access controls and monitoring, impact would be limited to failed unauthorized access attempts that are logged and blocked.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires some level of access to the WordPress site. The vulnerability is in authorization logic, making exploitation straightforward once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.6 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/woocommerce-shipping-multiple-addresses/wordpress-woocommerce-ship-to-multiple-addresses-plugin-3-8-5-broken-access-control-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'WooCommerce Ship to Multiple Addresses'. 4. Click 'Update Now' if available, or download version 3.8.6+ from WordPress.org. 5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate woocommerce-shipping-multiple-addresses

Restrict Access

linux

Implement IP-based restrictions to admin areas

# Add to .htaccess for Apache:
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
# Add to nginx config:
location /wp-admin/ {
    allow 192.168.1.0/24;
    deny all;
}

🧯 If You Can't Patch

Implement strict access controls and monitoring for the /wp-admin/ directory and plugin-specific endpoints.
Deploy a Web Application Firewall (WAF) with rules to detect and block unauthorized access attempts to shipping-related endpoints.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for 'WooCommerce Ship to Multiple Addresses' version. If version is 3.8.5 or lower, you are vulnerable.

Check Version:

wp plugin get woocommerce-shipping-multiple-addresses --field=version

Verify Fix Applied:

Verify plugin version shows 3.8.6 or higher in WordPress admin panel. Test shipping address functionality to ensure it works properly with proper authorization.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to /wp-admin/admin-ajax.php with shipping-related actions
Multiple failed authentication attempts followed by shipping address modifications
Unusual POST requests to shipping endpoints from unauthorized users

Network Indicators:

Unusual traffic patterns to /wp-admin/ or /wp-json/ endpoints from unexpected IPs
Multiple shipping address modification requests from single IP in short timeframe

SIEM Query:

source="wordpress.log" AND ("admin-ajax.php" AND "shipping" AND "action") AND NOT user="authenticated_user"

📊 Metadata

CVE ID: CVE-2023-37872

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-862

Published: June 19, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37872, you might also want to check these: