CVE-2024-30470
📋 TL;DR
This CVE describes a Missing Authorization vulnerability in the YITH WooCommerce Account Funds Premium plugin for WordPress. It allows attackers to bypass access controls and arbitrarily add funds to user accounts without proper authorization. All WordPress sites running affected versions of this premium plugin are vulnerable.
💻 Affected Systems
- YITH WooCommerce Account Funds Premium
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could add unlimited funds to any user account, enabling fraudulent purchases, financial loss to the store owner, and potential e-commerce fraud at scale.
Likely Case
Attackers exploit the vulnerability to add funds to their own accounts or others' accounts to make fraudulent purchases, potentially causing financial loss and inventory depletion.
If Mitigated
With proper authorization checks and input validation, only authenticated users with appropriate permissions can modify account funds, preventing unauthorized fund manipulation.
🎯 Exploit Status
Exploitation requires some understanding of WordPress/WooCommerce APIs but is straightforward once identified. The vulnerability is in authorization logic, not complex code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.34.0 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'YITH WooCommerce Account Funds Premium'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.34.0+ from the YITH website and update manually.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate yith-woocommerce-account-funds-premium
Restrict Access
Use web application firewall rules to block suspicious requests to plugin endpoints
🧯 If You Can't Patch
- Implement additional authorization checks at application level or via security plugin
- Monitor account fund transactions for suspicious activity and implement purchase limits
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → YITH WooCommerce Account Funds Premium → Version. If version is 1.33.0 or lower, you are vulnerable.
Check Version:
wp plugin get yith-woocommerce-account-funds-premium --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.34.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual fund additions to user accounts
- Multiple fund modification requests from single IP
- Fund modifications by non-admin users
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action parameters related to fund management
- Unusual API calls to WooCommerce account funds endpoints
SIEM Query:
source="wordpress.log" AND ("action=add_funds" OR "yith_account_funds") AND user_role!="administrator"
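The log and network indicators above can be turned into a small detection routine. The following Python is an added example, not code from this advisory or from YITH: it assumes a key=value log line format whose field names (`ip`, `user_role`, `action`, `amount`) mirror the SIEM query, and the sample lines are constructed; the real plugin's log format is not given on this page, so the parser and field names are assumptions to adapt to your own logging.

```python
"""Detection logic for the fund-manipulation indicators above (added example).

Assumes a key=value log format with fields ip, user, user_role, action and
amount. Field names and the sample lines are constructed assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample log lines: one customer crediting funds three times from
# one IP, an administrator doing a legitimate credit, an unrelated request,
# and a shop_manager hitting the funds action.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z ip=203.0.113.10 user=alice user_role=customer action=add_funds amount=500.00
ts=2024-05-01T10:00:02Z ip=203.0.113.10 user=alice user_role=customer action=add_funds amount=500.00
ts=2024-05-01T10:00:03Z ip=203.0.113.10 user=alice user_role=customer action=add_funds amount=500.00
ts=2024-05-01T10:05:00Z ip=198.51.100.7 user=admin user_role=administrator action=add_funds amount=20.00
ts=2024-05-01T10:06:00Z ip=198.51.100.8 user=bob user_role=customer action=view_cart
ts=2024-05-01T10:07:00Z ip=192.0.2.5 user=carol user_role=shop_manager action=yith_account_funds amount=10.00
"""

# Action names taken from the SIEM query above; extend with your own handler names.
FUND_ACTIONS = {"add_funds", "yith_account_funds"}
# Roles that are expected to credit funds; the SIEM query treats only administrator as allowed.
PRIVILEGED_ROLES = {"administrator"}
# "Multiple fund modification requests from a single IP": threshold for the per-IP rule.
PER_IP_THRESHOLD = 3


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def parse_log(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of the log."""
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def fund_events(log_text: str) -> List[Dict[str, str]]:
    """Only the events that touch account funds."""
    return [e for e in parse_log(log_text) if e.get("action") in FUND_ACTIONS]


def find_unauthorized_fund_changes(log_text: str) -> List[Dict[str, str]]:
    """Fund modifications made by a non-privileged role (log indicator 3)."""
    return [e for e in fund_events(log_text)
            if e.get("user_role") not in PRIVILEGED_ROLES]


def find_bursty_ips(log_text: str, threshold: int = PER_IP_THRESHOLD) -> Dict[str, int]:
    """IPs issuing at least `threshold` fund modifications (log indicator 2)."""
    counts = Counter(e.get("ip", "?") for e in fund_events(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def credited_per_user(log_text: str) -> Dict[str, float]:
    """Total amount credited per user, to spot unusual fund additions (log indicator 1)."""
    totals: Dict[str, float] = defaultdict(float)
    for e in fund_events(log_text):
        totals[e.get("user", "?")] += float(e.get("amount", "0"))
    return dict(totals)


if __name__ == "__main__":
    for e in find_unauthorized_fund_changes(SAMPLE_LOG):
        print("ALERT non-admin fund change:", e["user"], e["user_role"], e["action"])
    print("bursty IPs:", find_bursty_ips(SAMPLE_LOG))
    print("credited per user:", credited_per_user(SAMPLE_LOG))
```

Each function maps to one of the listed indicators, so a single rule can be tuned (for example, adding `shop_manager` to `PRIVILEGED_ROLES` if your store legitimately lets managers credit funds) without touching the others.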
🔗 References
- https://patchstack.com/database/vulnerability/yith-woocommerce-account-funds-premium/wordpress-yith-woocommerce-account-funds-premium-plugin-1-32-0-broken-access-control-leading-to-arbitrary-funds-adding-vulnerability?_s_id=cve