CVE-2024-13925
📋 TL;DR
The Klarna Checkout for WooCommerce WordPress plugin before version 2.13.5 exposes an unauthenticated WooCommerce Ajax endpoint that allows attackers to flood log files with data. This can rapidly consume disk space, potentially filling the entire disk and causing service disruption. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Klarna Checkout for WooCommerce WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Complete disk exhaustion leading to service unavailability, data loss, and potential denial of service affecting all site functionality.
Likely Case
Rapid disk space consumption causing performance degradation, log rotation failures, and potential service interruptions.
If Mitigated
Minimal impact with proper disk monitoring, log rotation, and file size limits in place.
🎯 Exploit Status
Exploitation requires only HTTP POST requests to the vulnerable endpoint with large payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.13.5
Vendor Advisory: https://wpscan.com/vulnerability/6aebb52f-d74a-4043-86c4-c24579f24ef4/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Klarna Checkout for WooCommerce'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.13.5 or later from WordPress.org and upload it manually.
🔧 Temporary Workarounds
Restrict access to WooCommerce Ajax endpoint
Block unauthenticated access to the vulnerable WooCommerce Ajax endpoint using web server rules or a WAF.
# Apache .htaccess example (requires mod_rewrite)
# Returns 403 for requests to admin-ajax.php whose query string carries the
# Klarna action and that do not present a WordPress login cookie.
# Note: this matches the action only in the query string; a request that sends
# it in the POST body instead is not caught by these conditions.
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{QUERY_STRING} action=wc_klarna_checkout [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
RewriteRule ^ - [F,L]
Implement rate limiting
Apply rate limiting to WooCommerce Ajax endpoints to prevent flooding attacks.
# Using fail2ban example
# Create filter in /etc/fail2ban/filter.d/woocommerce-ajax.conf
# Matches POST requests to admin-ajax.php with the Klarna action in the request line
[Definition]
failregex = ^<HOST> -.*POST.*/wp-admin/admin-ajax\.php.*action=wc_klarna_checkout
# Add to jail.local
# logpath must point at the web server access log; the path below is the
# Debian/Ubuntu Apache default and should be adjusted for your server.
[woocommerce-ajax]
enabled = true
port = http,https
filter = woocommerce-ajax
logpath = /var/log/apache2/access.log
maxretry = 10
findtime = 60
bantime = 3600
🧯 If You Can't Patch
- Disable the Klarna Checkout plugin temporarily until patching is possible.
- Implement strict disk usage monitoring with alerts for rapid consumption patterns.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Klarna Checkout for WooCommerce version. If the version is below 2.13.5, the site is vulnerable.
Check Version:
# WP-CLI takes the plugin slug, not the display name
wp plugin get klarna-checkout-for-woocommerce --field=version
Verify Fix Applied:
Confirm plugin version is 2.13.5 or higher in WordPress admin panel. Test that unauthenticated POST requests to /wp-admin/admin-ajax.php?action=wc_klarna_checkout no longer accept large payloads.
📡 Detection & Monitoring
Log Indicators:
- Rapid growth of WordPress debug.log or WooCommerce log files
- Multiple large POST requests to /wp-admin/admin-ajax.php with action=wc_klarna_checkout
- Disk space alerts showing rapid consumption
Network Indicators:
- High volume of POST requests to WooCommerce Ajax endpoints from single IPs
- Unusually large request payloads to WordPress admin-ajax.php
SIEM Query:
source="web_server_logs" AND uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=wc_klarna_checkout*" AND request_size>1000000 | stats count by src_ip
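The same indicator as the SIEM query above, applied offline to access-log lines with a per-source sliding window that mirrors the fail2ban maxretry/findtime settings. This is an added example, not code from the advisory or the plugin; it assumes the log is Apache combined format with a trailing mod_logio bytes-received field, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined format plus a trailing %I (mod_logio bytes received) field, assumed
# here so the request size is in the log; adapt LOG_RE to your actual LogFormat.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<uri>\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*" (?P<req_bytes>\d+)$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["req_bytes"] = int(e["req_bytes"])
    return e

def is_klarna_flood_request(e, min_bytes=1_000_000):
    """The page's indicator: a large POST to admin-ajax.php with action=wc_klarna_checkout."""
    path, _, query = e["uri"].partition("?")
    return (e["method"] == "POST" and path == "/wp-admin/admin-ajax.php"
            and "action=wc_klarna_checkout" in query.split("&")
            and e["req_bytes"] >= min_bytes)

def flood_sources(lines, window_sec=60, threshold=10, min_bytes=1_000_000):
    hits = defaultdict(list)  # src IP -> timestamps of matching requests
    for e in filter(None, map(parse_line, lines)):
        if is_klarna_flood_request(e, min_bytes):
            hits[e["ip"]].append(e["ts"])
    flagged = {}  # src IP -> total matching requests, for IPs over threshold in a window
    for ip, times in hits.items():
        times.sort()
        start = 0  # sliding window over sorted timestamps (fail2ban findtime/maxretry)
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_sec:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def _line(ip, sec, method="POST", action="wc_klarna_checkout", size=2_500_000):
    # Constructed sample log line, not real traffic; IPs are documentation ranges.
    return (f'{ip} - - [10/Mar/2025:12:00:{sec:02d} +0000] "{method} '
            f'/wp-admin/admin-ajax.php?action={action} HTTP/1.1" 200 512 "-" "Mozilla/5.0" {size}')
SAMPLE_LOG = ([_line("203.0.113.7", s) for s in range(0, 24, 2)]       # 12 large POSTs in 24 s: flood
              + [_line("198.51.100.9", s) for s in range(0, 9, 3)]     # 3 hits: under threshold
              + [_line("198.51.100.9", 30, method="GET", size=0),      # GET, small body and other
                 _line("192.0.2.4", 31, size=800), _line("192.0.2.4", 32, action="heartbeat")])  # action: ignored
```

Running `flood_sources(SAMPLE_LOG)` flags only 203.0.113.7 with 12 matching requests; lower `threshold` or `window_sec` to tune sensitivity to your traffic.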