CVE-2024-9109

4.3 MEDIUM

📋 TL;DR

The WooCommerce UPS Shipping plugin for WordPress has a missing capability check that allows authenticated users with Subscriber-level access or higher to delete the plugin's API key. This vulnerability affects all versions up to and including 2.3.11. Attackers can disrupt shipping functionality by removing the UPS API credentials.
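As an added illustration of the bug class described above (not the plugin's actual code), the two handlers below show a WordPress admin-ajax endpoint that deletes stored API credentials with no authorization check, beside its corrected form. The `delete_oauth_data` action name is taken from the detection section of this page; the option name, capability and nonce action are assumptions.

```php
<?php
// Added example, not code from the plugin. Names marked "assumed" are illustrative.

// WordPress routes POST /wp-admin/admin-ajax.php with action=delete_oauth_data to
// the wp_ajax_delete_oauth_data hook for ANY logged-in user, Subscriber included.
// Nothing below asks who is calling, so any account can wipe the credentials.
function ups_delete_oauth_data_vulnerable() {
    delete_option( 'ups_oauth_data' ); // assumed option name
    wp_send_json_success();
}

// Corrected form: authorize first (capability), then verify the request origin
// (nonce), and only then change state. Denied attempts are logged so the
// "suspicious API key deletion attempts" in the monitoring section have a signal.
function ups_delete_oauth_data_fixed() {
    // manage_woocommerce is granted by default to Administrator and Shop Manager only.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        error_log( sprintf(
            'delete_oauth_data denied for user %d (insufficient capability)',
            get_current_user_id()
        ) );
        wp_send_json_error( 'Insufficient permissions', 403 ); // calls wp_die()
    }
    // 'ups_delete_oauth_data' is an assumed nonce action; the settings page would
    // emit the matching value with wp_create_nonce() and send it as 'nonce'.
    check_ajax_referer( 'ups_delete_oauth_data', 'nonce' ); // dies on mismatch

    delete_option( 'ups_oauth_data' ); // assumed option name
    wp_send_json_success( array( 'deleted' => true ) );
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
add_action( 'wp_ajax_delete_oauth_data', 'ups_delete_oauth_data_fixed' );
```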

💻 Affected Systems

Products:
  • WooCommerce UPS Shipping – Live Rates and Access Points
Versions: All versions up to and including 2.3.11
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with the vulnerable plugin installed and at least one user with Subscriber role or higher.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Shipping operations are completely disrupted when UPS API keys are deleted, preventing order fulfillment and causing business downtime until credentials are restored.

🟠 Likely Case

Malicious users delete API keys, temporarily disrupting shipping rate calculations and access point lookups until administrators reconfigure the plugin.

🟢 If Mitigated

With proper user role management and monitoring, impact is limited to minor service disruption that can be quickly remediated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account (Subscriber or higher) but is trivial once logged in. The vulnerability is publicly documented with code references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3173845

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'WooCommerce UPS Shipping – Live Rates and Access Points'
4. Click 'Update Now' if available
5. If a manual update is needed, download version 3.0.0 or later from WordPress.org
6. Deactivate the old plugin, upload the new version, then activate it

🔧 Temporary Workarounds

Restrict User Roles (all platforms)

Temporarily prevent Subscriber and other low-privilege accounts from accessing the WordPress site

Disable Plugin (linux, WP-CLI)

Deactivate the vulnerable plugin until patched:

wp plugin deactivate flexible-shipping-ups

🧯 If You Can't Patch

  • Implement strict user role management with minimal necessary privileges
  • Monitor plugin logs and WordPress user activity for suspicious API key deletion attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'WooCommerce UPS Shipping' version 2.3.11 or lower

Check Version:

wp plugin get flexible-shipping-ups --field=version

Verify Fix Applied:

Confirm plugin version is 3.0.0 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • WordPress audit logs showing low-privilege users accessing plugin admin functions
  • Plugin-specific logs showing API key deletion events

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=delete_oauth_data

SIEM Query:

source="wordpress" (action="delete_oauth_data" OR (user.role="subscriber" AND plugin.action="admin"))
