CVE-2023-5132
📋 TL;DR
The Soisy Pagamento Rateale WordPress plugin up to version 6.0.1 has an authorization bypass vulnerability that allows unauthenticated attackers to access sensitive WooCommerce order information. Attackers only need knowledge of an existing order ID to retrieve customer names, addresses, email addresses, and other order metadata. This affects all WordPress sites using the vulnerable plugin version.
💻 Affected Systems
- Soisy Pagamento Rateale WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
Mass data exfiltration of all WooCommerce customer PII including names, addresses, emails, and order details leading to privacy violations, regulatory fines, and reputational damage.
Likely Case
Targeted data harvesting of specific customer information for phishing, fraud, or identity theft campaigns.
If Mitigated
Limited exposure if proper network segmentation and access controls prevent external exploitation, though internal threats remain.
🎯 Exploit Status
Exploitation requires only knowledge of existing WooCommerce order IDs, which could be obtained through other means or brute-forced. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/soisy-pagamento-rateale/trunk/public/class-soisy-pagamento-rateale-public.php#L465
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Soisy Pagamento Rateale' and click 'Update Now'.
4. Verify the version is 6.0.2 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate soisy-pagamento-rateale
Web Application Firewall Rule
Block access to the vulnerable endpoint
Add WAF rule to block requests to /wp-admin/admin-ajax.php with action=soisy_parse_remote_request
🧯 If You Can't Patch
- Implement network-level restrictions to limit access to WordPress admin-ajax.php endpoint
- Enable WordPress security plugins that monitor for suspicious data access patterns
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins → Installed Plugins. If Soisy Pagamento Rateale version is 6.0.1 or lower, you are vulnerable.
Check Version:
wp plugin get soisy-pagamento-rateale --field=version
Verify Fix Applied:
Confirm plugin version is 6.0.2 or higher. Test that unauthenticated requests to admin-ajax.php with action=soisy_parse_remote_request no longer return order data.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=soisy_parse_remote_request from unauthenticated users
- Unusual access patterns to WooCommerce order data from non-admin users
Network Indicators:
- HTTP POST requests containing 'action=soisy_parse_remote_request' parameter without authentication cookies
SIEM Query:
source="wordpress.log" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND params.action="soisy_parse_remote_request" AND NOT user_id EXISTS
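The log indicators and SIEM query above, turned into a small detection script that runs over structured access-log records. This is an added example, not part of the original advisory; the JSON record layout and the sample log lines are constructed assumptions, while the wordpress_logged_in_ cookie prefix is WordPress's real authentication cookie name.

```python
import json
from collections import Counter

# Constructed sample log (not from the advisory): one JSON record per line, using
# the same field names the SIEM query keys on (uri_path, http_method, params, user_id).
SAMPLE_LOG = """
{"src_ip": "203.0.113.10", "http_method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "params": {"action": "soisy_parse_remote_request", "order_id": "1001"}, "cookies": []}
{"src_ip": "203.0.113.10", "http_method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "params": {"action": "soisy_parse_remote_request", "order_id": "1002"}, "cookies": []}
{"src_ip": "198.51.100.7", "http_method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "params": {"action": "soisy_parse_remote_request", "order_id": "1003"}, "cookies": ["wordpress_logged_in_abc123=shopmanager%7C1700000000%7Ctoken"], "user_id": 7}
{"src_ip": "203.0.113.10", "http_method": "GET", "uri_path": "/wp-admin/admin-ajax.php", "params": {"action": "heartbeat"}, "cookies": []}
{"src_ip": "192.0.2.5", "http_method": "POST", "uri_path": "/wp-admin/admin-ajax.php", "params": {"action": "soisy_parse_remote_request", "order_id": "1004"}, "cookies": []}
"""

VULN_ACTION = "soisy_parse_remote_request"
AJAX_PATH = "/wp-admin/admin-ajax.php"


def is_authenticated(rec):
    """A populated user_id, or a wordpress_logged_in_* cookie (WordPress's
    authentication cookie), marks the request as coming from a logged-in user."""
    if rec.get("user_id"):
        return True
    return any(c.startswith("wordpress_logged_in_") for c in rec.get("cookies", []))


def is_suspicious(rec):
    """The advisory's indicator: an unauthenticated POST to admin-ajax.php
    carrying the vulnerable plugin action."""
    return (rec.get("http_method") == "POST"
            and rec.get("uri_path") == AJAX_PATH
            and rec.get("params", {}).get("action") == VULN_ACTION
            and not is_authenticated(rec))


def scan(log_text, threshold=2):
    """Return (hits, enumerating_ips): every matching record, plus the source IPs
    that issued at least `threshold` matching requests, which is what order-ID
    brute-forcing looks like in the log."""
    records = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    hits = [r for r in records if is_suspicious(r)]
    per_ip = Counter(r["src_ip"] for r in hits)
    return hits, sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    hits, ips = scan(SAMPLE_LOG)
    for r in hits:
        print(f"ALERT unauthenticated order lookup from {r['src_ip']} order_id={r['params'].get('order_id')}")
    print("possible order-ID enumeration from:", ips)
```

After patching to 6.0.2 the same query is still worth keeping: matches should drop to zero, and any that remain point at an unpatched host.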
🔗 References
- https://plugins.trac.wordpress.org/browser/soisy-pagamento-rateale/trunk/public/class-soisy-pagamento-rateale-public.php#L465
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d3c997cd-37b4-4b9c-b99e-397be484aa36?source=cve