CVE-2023-28121 : An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower)

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

Published 2023-04-12 21:15:28

Updated 2023-12-18 15:22:20

Source HackerOne

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2023-28121

Automattic » Woocommerce Payments » For Wordpress
Versions from including (>=) 5.2.0 and before (<) 5.2.2
cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*
Matching versions
Automattic » Woocommerce Payments » For Wordpress
Versions from including (>=) 5.1.0 and before (<) 5.1.3
cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*
Matching versions
Automattic » Woocommerce Payments » For Wordpress
Versions from including (>=) 5.0.0 and before (<) 5.0.4
cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*
Matching versions
Automattic » Woocommerce Payments » For Wordpress
Versions from including (>=) 5.5.0 and before (<) 5.5.2
cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*
Matching versions
Automattic » Woocommerce Payments » For Wordpress
Versions from including (>=) 4.8.0 and before (<) 4.8.2
cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*
Matching versions
Automattic » Woopayments » For Wordpress
Versions from including (>=) 5.6.0 and before (<) 5.6.2
cpe:2.3:a:automattic:woopayments:*:*:*:*:*:wordpress:*:*
Matching versions
Automattic » Woopayments » Version: 4.9.0 For Wordpress
cpe:2.3:a:automattic:woopayments:4.9.0:*:*:*:*:wordpress:*:*
Matching versions
Automattic » Woopayments » Version: 5.3.0 For Wordpress
cpe:2.3:a:automattic:woopayments:5.3.0:*:*:*:*:wordpress:*:*
Matching versions
Automattic » Woopayments » Version: 5.4.0 For Wordpress
cpe:2.3:a:automattic:woopayments:5.4.0:*:*:*:*:wordpress:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-28121

EPSS FAQ

93.46%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2023-28121

Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation

Disclosure Date: 2023-03-22

First seen: 2023-09-11

auxiliary/scanner/http/wp_woocommerce_payments_add_user

WooCommerce-Payments plugin for Wordpress versions 4.8', '4.8.2, 4.9', '4.9.1, 5.0', '5.0.4, 5.1', '5.1.3, 5.2', '5.2.2, 5.3', '5.3.1, 5.4', '5.4.1, 5.5', '5.5.2, and 5.6', '5.6.2 contain an authentication bypass by specifying a valid user ID number within th

More information

CVSS scores for CVE-2023-28121

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-28121

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)

References for CVE-2023-28121

https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/

Critical Vulnerability Patched in WooCommerce Payments – What You Need to Know – Develop with WooCommerce
Vendor Advisory
https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/

Patch Diffing CVE-2023-28121 to Compromise a WooCommerce – RCE Security

Jump to