CVE-2024-12712
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify order statuses in WordPress sites using the Shopping Cart & eCommerce Store plugin. Attackers can change order statuses without any authentication, potentially marking orders as completed, cancelled, or other statuses. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Shopping Cart & eCommerce Store plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could mark fraudulent orders as completed, causing financial loss through unauthorized shipments or payments. They could also disrupt business operations by mass-cancelling legitimate orders.
Likely Case
Attackers will modify order statuses to cause confusion, disrupt e-commerce operations, or test for other vulnerabilities. This could lead to customer service issues and operational inefficiencies.
If Mitigated
With proper monitoring and quick response, impact is limited to temporary order status confusion that can be corrected manually.
🎯 Exploit Status
The vulnerability is simple to exploit as it requires no authentication and involves sending crafted webhook requests. Attack tools may quickly incorporate this.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3211285/wp-easycart/trunk/wpeasycart.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find 'Shopping Cart & eCommerce Store' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 5.7.9+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable webhook endpoint
allTemporarily disable the vulnerable webhook function by modifying plugin code
Edit wp-content/plugins/wp-easycart/wpeasycart.php and comment out or remove the vulnerable webhook function
Web Application Firewall rule
allBlock requests to the vulnerable webhook endpoint
Add WAF rule to block POST requests containing 'webhook' or specific vulnerable endpoint patterns
🧯 If You Can't Patch
- Disable the Shopping Cart & eCommerce Store plugin entirely until patched
- Implement strict network controls to limit access to the WordPress admin and plugin endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Shopping Cart & eCommerce Store. If version is 5.7.8 or lower, you are vulnerable.Check Version:
wp plugin list --name='Shopping Cart & eCommerce Store' --field=versionVerify Fix Applied:
After updating, verify plugin version shows 5.7.9 or higher in WordPress plugins page.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to webhook endpoints
- Multiple order status changes from single IP
- Order status modifications without corresponding user authentication
Network Indicators:
- HTTP POST requests to /wp-content/plugins/wp-easycart/ containing webhook parameters
- Requests with order status modification parameters from unauthenticated sources
SIEM Query:
source="wordpress.log" AND ("webhook" OR "order_status") AND response_code=200 AND NOT user_agent="WordPress"