CVE-2023-6979 – The Customer Reviews for WooCommerce WordPress ... (How to Fix)

Q: What is the severity of CVE-2023-6979?

CVE-2023-6979 has a CVSS score of 9.8 (CRITICAL). The Customer Reviews for WooCommerce WordPress plugin has a critical vulnerability that allows authenticated attackers with author-level access or higher to upload arbitrary files due to missing file type validation. This can lead to remote code execution on affected WordPress sites. All sites using this plugin up to version 5.38.9 are vulnerable.

📋 TL;DR

The Customer Reviews for WooCommerce WordPress plugin has a critical vulnerability that allows authenticated attackers with author-level access or higher to upload arbitrary files due to missing file type validation. This can lead to remote code execution on affected WordPress sites. All sites using this plugin up to version 5.38.9 are vulnerable.

💻 Affected Systems

Products:

Customer Reviews for WooCommerce WordPress plugin

Versions: All versions up to and including 5.38.9

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with WooCommerce and the vulnerable plugin installed. Attackers need author-level WordPress user accounts or higher.

📦 What is this software?

Customer Reviews For Woocommerce by Cusrev

View all CVEs affecting Customer Reviews For Woocommerce →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to other systems.

🟠

Likely Case

Attackers upload web shells or malicious scripts to gain persistent access, install cryptocurrency miners, or steal sensitive customer and order data.

🟢

If Mitigated

Attackers can only upload files but cannot execute them due to proper file permissions or security controls, limiting impact to disk space consumption.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained. Public exploit details are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.39.0

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3018507%40customer-reviews-woocommerce&new=3018507%40customer-reviews-woocommerce&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Customer Reviews for WooCommerce' and click 'Update Now'. 4. Verify version is 5.39.0 or higher.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Remove or restrict access to the ivole_import_upload_csv AJAX action

Add to theme's functions.php or custom plugin: remove_action('wp_ajax_ivole_import_upload_csv', 'cr_reviews_importer_ajax');

Restrict file uploads via .htaccess

linux

Block execution of uploaded files in WordPress uploads directory

Add to wp-content/uploads/.htaccess: <FilesMatch "\.(php|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

🧯 If You Can't Patch

Immediately disable the Customer Reviews for WooCommerce plugin
Implement strict access controls and monitor for suspicious author-level account activity

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Customer Reviews for WooCommerce. If version is 5.38.9 or lower, you are vulnerable.

Check Version:

wp plugin get customer-reviews-woocommerce --field=version

Verify Fix Applied:

Verify plugin version is 5.39.0 or higher in WordPress admin panel. Check that file upload functionality in reviews import works only with CSV files.

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads to /wp-admin/admin-ajax.php with action=ivole_import_upload_csv
PHP or executable files in wp-content/uploads directory from author-level users
Multiple failed login attempts followed by successful author-level login

Network Indicators:

POST requests to /wp-admin/admin-ajax.php with multipart/form-data containing non-CSV files
Unusual outbound connections from WordPress server after file uploads

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="ivole_import_upload_csv" AND NOT uploaded_file_name LIKE "%.csv")

📊 Metadata

CVE ID: CVE-2023-6979

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

Published: January 11, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-6979, you might also want to check these: