CVE-2024-9756
📋 TL;DR
The Order Attachments for WooCommerce WordPress plugin versions 2.0 to 2.4.1 has a missing capability check on the wcoa_add_attachment AJAX action, allowing authenticated attackers with subscriber-level access or higher to upload limited file types. This vulnerability affects WordPress sites using the vulnerable plugin version.
💻 Affected Systems
- Order Attachments for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
If the permitted types include anything a browser renders as active content (for example HTML carrying JavaScript), an attacker could serve client-side attacks, defacement or malware from the site's own upload directory, where it inherits the site's origin and reputation.
Likely Case
Limited file uploads could lead to stored XSS attacks, phishing pages, or content injection within the site's upload directory.
If Mitigated
With proper file type restrictions and server-side validation, impact is limited to non-executable file uploads.
🎯 Exploit Status
Exploitation needs only an authenticated account (subscriber or above) and a single crafted multipart POST to admin-ajax.php; no special tooling is involved. The plugin's file type allow-list limits, but does not remove, the impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.2 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Order Attachments for WooCommerce'.
4. Click 'Update Now' if available, or manually update to version 2.4.2 or later.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the wcoa_add_attachment AJAX action via .htaccess or WordPress hooks.
Add to .htaccess (a RewriteRule pattern alone never matches the query string, so the action has to be tested with a RewriteCond):
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} (^|&)action=wcoa_add_attachment(&|$)
RewriteRule ^ - [F]
Caveat: this only catches requests that put action in the query string. WordPress AJAX clients normally send it in the POST body, which mod_rewrite cannot inspect, so prefer a WordPress hook that enforces the missing capability check, or a WAF rule that inspects the request body.
Restrict subscriber uploads
Use WordPress capabilities to prevent subscriber-level users from accessing file upload functionality. On its own this does not close this hole: subscribers hold no upload_files capability by default, and the vulnerable handler performs no capability check at all, so removing capabilities from the role only matters if the role had been granted extra upload rights. The call must be made on the WP_Role object (remove_cap is a method, not a global function), and it persists to the database, so it needs to run once:
Add to theme functions.php or a mu-plugin: $role = get_role('subscriber'); if ($role) { $role->remove_cap('upload_files'); }
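A more reliable workaround than the .htaccess rule is to enforce the missing capability check yourself from the WordPress side, before the plugin's handler runs. The must-use plugin below is an added example, not code from the Order Attachments for WooCommerce plugin or from this advisory; it assumes the vulnerable handler is registered on the wp_ajax_wcoa_add_attachment hook at WordPress's default priority (10), and it assumes manage_woocommerce is an acceptable capability to require (the capability the official fix checks is not stated on this page). The file name and the log line format are the example's own.

```php
<?php
/**
 * Plugin Name: WCOA temporary capability gate
 * Description: Added hardening example, not part of Order Attachments for WooCommerce.
 *              Save as wp-content/mu-plugins/wcoa-capability-gate.php (must-use plugins
 *              cannot be deactivated from the admin UI). Remove after updating to 2.4.2+.
 */

defined( 'ABSPATH' ) || exit;

// Priority 1 runs this callback before the plugin's own handler, which is
// assumed to be registered on the same hook at the default priority (10).
add_action( 'wp_ajax_wcoa_add_attachment', 'wcoa_gate_add_attachment', 1 );

function wcoa_gate_add_attachment() {
	// ASSUMPTION: manage_woocommerce (shop managers and administrators) is the
	// capability to require; subscribers and customers never hold it.
	if ( current_user_can( 'manage_woocommerce' ) ) {
		return; // allowed: WordPress continues to the plugin's callback at priority 10
	}

	$user    = wp_get_current_user();
	$uploads = array();
	foreach ( $_FILES as $field => $file ) {
		// A field may carry several files (name is then an array); flatten for the log.
		$name      = is_array( $file['name'] ) ? implode( '|', $file['name'] ) : (string) $file['name'];
		$uploads[] = $field . ':' . sanitize_file_name( $name );
	}

	// One structured line per denied attempt, written to the PHP error log so a
	// SIEM can pick it up; this is the only place the user's role is available.
	error_log( sprintf(
		'wcoa_add_attachment denied user_id=%d login=%s roles=%s ip=%s uploads=%s',
		$user->ID,
		$user->user_login,
		implode( ',', (array) $user->roles ),
		isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-',
		$uploads ? implode( ',', $uploads ) : '-'
	) );

	// Sends a JSON error with HTTP 403 and calls wp_die(), so the vulnerable
	// callback never executes for this request.
	wp_send_json_error( array( 'message' => 'You are not allowed to add order attachments.' ), 403 );
}
```

Because the hook fires regardless of how the action parameter was sent (query string or POST body), this gate does not share the .htaccess rule's blind spot. Confirm after installing it that a shop manager can still attach files to an order and that a subscriber account receives HTTP 403, then remove the file once the plugin is on 2.4.2 or later.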
🧯 If You Can't Patch
- Temporarily deactivate the Order Attachments for WooCommerce plugin until it can be updated.
- Implement web application firewall (WAF) rules that block requests to admin-ajax.php carrying action=wcoa_add_attachment, inspecting the POST body as well as the query string. A WAF cannot see WordPress roles, so restrict by source (for example, allow the action only from staff IP ranges) rather than by user.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Order Attachments for WooCommerce' version between 2.0 and 2.4.1.
Check Version (if WP-CLI is installed):
wp plugin get order-attachments-for-woocommerce --field=version
(equivalently: wp plugin list --name=order-attachments-for-woocommerce --field=version)
Verify Fix Applied:
Confirm plugin version is 2.4.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php carrying action=wcoa_add_attachment from non-admin accounts. WordPress AJAX clients normally send the action in the POST body, which standard web server access logs do not record, so match the query-string variant in access logs and add a source that sees the body (WAF audit log or a WordPress-side hook) for the rest.
- New files appearing under wp-content/uploads/wcoa_attachments/ that are attributable to low-privilege accounts.
Network Indicators:
- Bursts of multipart POST requests to admin-ajax.php from IPs that otherwise only browse the storefront, or from scripted user agents.
SIEM Query (pseudo-query; web server logs carry neither the user role nor the POST body, so the user_role field needs a WordPress audit-log source):
source="wordpress.log" AND "admin-ajax.php" AND "wcoa_add_attachment" AND user_role="subscriber"
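To turn the access-log indicator above into something runnable, here is an added triage script (example code, not from this page or the plugin) that parses web server lines in the common "combined" format, keeps only POSTs to admin-ajax.php whose query string names wcoa_add_attachment, and counts them per source IP, splitting accepted (2xx) from denied (403) responses so a store that has applied a blocking workaround can see both hits and misses. The sample log lines, IPs, timestamps, threshold and file name are constructed for the example.

```php
<?php
// Added example: triage access-log lines for the wcoa_add_attachment indicator.
// Not part of the plugin or the advisory. Run with: php wcoa-triage.php [access.log]
// Without an argument it runs over the constructed sample below.

const WCOA_AJAX_PATH = '/wp-admin/admin-ajax.php';
const WCOA_ACTION    = 'wcoa_add_attachment';
const WCOA_THRESHOLD = 3; // ASSUMPTION: matching POSTs per IP before flagging; tune per site

/** Parse one combined-format line into ip/ts/method/target/status, or null if it does not match. */
function wcoa_parse_line( string $line ): ?array {
	$re = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3}) /';
	if ( ! preg_match( $re, $line, $m ) ) {
		return null;
	}
	return array(
		'ip'     => $m['ip'],
		'ts'     => $m['ts'],
		'method' => $m['method'],
		'target' => $m['target'],
		'status' => (int) $m['status'],
	);
}

/**
 * True for a POST to admin-ajax.php whose query string names the vulnerable action.
 * Caveat: WordPress AJAX clients usually send "action" in the POST body, which a
 * standard access log does not record, so false here is not proof of absence.
 */
function wcoa_is_attachment_post( array $req ): bool {
	if ( 'POST' !== $req['method'] ) {
		return false;
	}
	$parts = parse_url( $req['target'] );
	if ( ! is_array( $parts ) || ( $parts['path'] ?? '' ) !== WCOA_AJAX_PATH ) {
		return false;
	}
	parse_str( $parts['query'] ?? '', $query );
	return ( $query['action'] ?? '' ) === WCOA_ACTION;
}

/** Count matching POSTs per source IP, split into accepted (2xx), denied (403) and other. */
function wcoa_triage( iterable $lines ): array {
	$per_ip = array();
	foreach ( $lines as $line ) {
		$req = wcoa_parse_line( rtrim( (string) $line ) );
		if ( null === $req || ! wcoa_is_attachment_post( $req ) ) {
			continue;
		}
		$ip = $req['ip'];
		$per_ip[ $ip ] = $per_ip[ $ip ] ?? array( 'total' => 0, 'accepted' => 0, 'denied' => 0, 'other' => 0 );
		$per_ip[ $ip ]['total']++;
		if ( $req['status'] >= 200 && $req['status'] < 300 ) {
			$per_ip[ $ip ]['accepted']++;
		} elseif ( 403 === $req['status'] ) {
			$per_ip[ $ip ]['denied']++;
		} else {
			$per_ip[ $ip ]['other']++;
		}
	}
	return $per_ip;
}

// Constructed sample: one low-privilege account hammering the endpoint from
// 203.0.113.7 (the last attempt blocked), one legitimate staff call from
// 198.51.100.20, plus unrelated noise that must not be counted.
$sample = array(
	'203.0.113.7 - - [14/Oct/2024:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=wcoa_add_attachment HTTP/1.1" 200 88 "-" "curl/8.4.0"',
	'203.0.113.7 - - [14/Oct/2024:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=wcoa_add_attachment HTTP/1.1" 200 88 "-" "curl/8.4.0"',
	'203.0.113.7 - - [14/Oct/2024:10:15:03 +0000] "POST /wp-admin/admin-ajax.php?action=wcoa_add_attachment HTTP/1.1" 200 88 "-" "curl/8.4.0"',
	'203.0.113.7 - - [14/Oct/2024:10:15:04 +0000] "POST /wp-admin/admin-ajax.php?action=wcoa_add_attachment HTTP/1.1" 403 61 "-" "curl/8.4.0"',
	'203.0.113.7 - - [14/Oct/2024:10:15:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "curl/8.4.0"',
	'198.51.100.20 - - [14/Oct/2024:10:20:00 +0000] "POST /wp-admin/admin-ajax.php?action=wcoa_add_attachment HTTP/1.1" 200 88 "https://shop.example/wp-admin/post.php" "Mozilla/5.0"',
	'198.51.100.20 - - [14/Oct/2024:10:20:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "https://shop.example/wp-admin/" "Mozilla/5.0"',
);

$lines = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample;

foreach ( wcoa_triage( $lines ) as $ip => $c ) {
	printf(
		"%-16s total=%d accepted=%d denied=%d other=%d %s\n",
		$ip, $c['total'], $c['accepted'], $c['denied'], $c['other'],
		$c['total'] >= WCOA_THRESHOLD ? '<-- review this IP and the account behind it' : ''
	);
}
```

Flagged IPs are a starting point, not a verdict: join them against the WordPress login records for the same window to identify the account, then check wp-content/uploads/wcoa_attachments/ for files created in that window. Because requests that send the action only in the POST body are invisible here, pair this with a body-aware source (WAF audit log or server-side logging from a WordPress hook) before concluding that no abuse occurred.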
🔗 References
- https://plugins.trac.wordpress.org/browser/order-attachments-for-woocommerce/tags/2.4.0/src/WCOA/Attachments/Attachment.php
- https://plugins.trac.wordpress.org/browser/order-attachments-for-woocommerce/tags/2.4.0/src/WCOA/Utils/Ajax.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3167136%40order-attachments-for-woocommerce&new=3167136%40order-attachments-for-woocommerce&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfc8957-78b8-4c55-ba95-52d95b086341?source=cve