CVE-2024-9189
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify VAT status for any WooCommerce order via the EU/UK VAT Manager plugin. All WordPress sites using this plugin up to version 2.12.12 are affected. Attackers can bypass authentication requirements due to missing capability checks in the plugin's AJAX handler.
💻 Affected Systems
- EU/UK VAT Manager for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically modify VAT status for all orders, causing financial discrepancies, tax reporting errors, and potential regulatory compliance violations.
Likely Case
Attackers modify VAT status for random orders, creating accounting inconsistencies and requiring manual reconciliation efforts.
If Mitigated
With proper web application firewalls and access controls, exploitation attempts are blocked before reaching vulnerable code.
🎯 Exploit Status
Simple HTTP POST request to vulnerable endpoint with minimal technical knowledge required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.12.13 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3158296/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'EU/UK VAT Manager for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.12.13+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block access to the vulnerable AJAX endpoint
Add rule to block requests to: /wp-admin/admin-ajax.php?action=alg_wc_eu_vat_exempt_vat_from_admin
Plugin Deactivation
Temporarily disable the vulnerable plugin
wp plugin deactivate eu-vat-for-woocommerce
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the WordPress admin-ajax.php endpoint
- Enable detailed logging for all admin-ajax.php requests and monitor for suspicious VAT modification attempts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 2.12.12 or lower, you are vulnerable.
Check Version:
wp plugin list --name=eu-vat-for-woocommerce --field=version
Verify Fix Applied:
Confirm plugin version is 2.12.13 or higher. Test that unauthenticated POST requests to the vulnerable endpoint no longer modify VAT status.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=alg_wc_eu_vat_exempt_vat_from_admin from unauthenticated users
- Unexpected VAT status changes in WooCommerce order logs
Network Indicators:
- HTTP POST requests to admin-ajax.php endpoint with VAT modification parameters from external IPs
SIEM Query:
source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND query_string="*action=alg_wc_eu_vat_exempt_vat_from_admin*" AND NOT user_agent="*WordPress*"
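The log indicators and SIEM query above, applied to raw web-server access logs, as an added example (not part of the original advisory). It assumes Apache/nginx combined log format; the sample lines are constructed. Note that access logs only expose the `action` parameter when it is sent in the query string, not in the POST body, so body-only requests need WAF or application-level logging to catch.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
VULN_ACTION = "alg_wc_eu_vat_exempt_vat_from_admin"
AJAX_PATH = "/wp-admin/admin-ajax.php"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry

def is_suspicious(entry):
    """Mirror the SIEM query: admin-ajax.php hit carrying the vulnerable action
    in the query string, excluding WordPress loopback/cron user agents."""
    if entry["path"] != AJAX_PATH:
        return False
    if VULN_ACTION not in entry["query"].get("action", []):
        return False
    return "WordPress" not in entry["ua"]

def find_hits(lines):
    """Return (ip, method, status) for every line that matches the indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["method"], entry["status"]))
    return hits

# Constructed sample log: one external probe, a benign heartbeat, a WP loopback
# request (excluded by user agent) and a second probe that the server rejected.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=alg_wc_eu_vat_exempt_vat_from_admin&order_id=1001 HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '198.51.100.5 - - [10/Oct/2024:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2024:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=alg_wc_eu_vat_exempt_vat_from_admin HTTP/1.1" 200 17 "-" "WordPress/6.6; https://shop.example"',
    '203.0.113.7 - - [10/Oct/2024:12:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=alg_wc_eu_vat_exempt_vat_from_admin HTTP/1.1" 400 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for ip, method, status in find_hits(SAMPLE_LOG):
        print(f"suspicious VAT-exempt call: {method} from {ip} -> HTTP {status}")
```

Correlating the flagged source IPs against WooCommerce order notes for VAT status changes in the same time window confirms whether a probe actually succeeded.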