CVE-2024-12004
Description
The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WPC Order Notes for WooCommerce plugin <= 1.5.2 lacks CSRF protection on its Ajax note update, enabling unauthenticated script injection via forged requests.
Vulnerability Overview
The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.5.2 [1]. The root cause is missing or incorrect nonce validation on the ajax_update_order_note() function: the Ajax handler does not verify that the request originated from a page the plugin itself rendered for the current user, so any request that arrives with a logged-in administrator's session cookie is processed, regardless of which site caused the browser to send it. This lets an unauthenticated attacker perform the handler's action on behalf of a logged-in administrator, such as writing attacker-controlled content, including script, into order notes.
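The pattern behind this class of bug, and the fix, as an added example written for this page. It is not the WPC Order Notes plugin's own code: the hook name, nonce action, meta key and request parameters (order_id, note, nonce) are assumptions made for the illustration. The first handler shows the vulnerable shape the description implies (no nonce, no capability check, raw input stored); the second shows the checks a WordPress Ajax handler needs so a forged cross-site request is rejected.

```php
<?php
// Added illustration for CVE-2024-12004; NOT the plugin's actual code.
// Hook names, nonce action, meta key and parameter names are assumptions.

// --- Vulnerable pattern ------------------------------------------------------
// No nonce is verified and no capability is checked, so the handler honours any
// request that carries the admin's session cookie, including one submitted by a
// form on an attacker's page. The note is stored unsanitized as well.
function example_ajax_update_order_note_vulnerable() {
    $order_id = isset( $_POST['order_id'] ) ? (int) $_POST['order_id'] : 0;
    $note     = isset( $_POST['note'] ) ? $_POST['note'] : ''; // raw input
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( $order ) {
        $order->update_meta_data( '_example_order_note', $note );
        $order->save();
    }
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
// check_ajax_referer() terminates the request (HTTP 403, body "-1") when the
// nonce is missing or invalid. The nonce is bound to the logged-in user and is
// only embedded in pages rendered for that user, which a cross-origin page
// cannot read, so a forged request cannot present a valid one.
function example_ajax_update_order_note_secure() {
    check_ajax_referer( 'example_update_order_note', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    // Authorization: only users allowed to edit this specific order may annotate it.
    if ( ! $order || ! current_user_can( 'edit_shop_order', $order_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Strip script and other disallowed markup before storage so the note cannot
    // become stored XSS; still escape (esc_html / wp_kses_post) at output time.
    $note = isset( $_POST['note'] ) ? wp_kses_post( wp_unslash( $_POST['note'] ) ) : '';

    $order->update_meta_data( '_example_order_note', $note );
    $order->save();
    wp_send_json_success( array( 'order_id' => $order_id ) );
}
add_action( 'wp_ajax_example_update_order_note', 'example_ajax_update_order_note_secure' );

// The nonce is minted server-side when the admin screen is rendered and handed
// to the page's JavaScript, which sends it back as the "nonce" POST field.
function example_enqueue_order_note_script( $hook ) {
    if ( 'post.php' !== $hook ) {
        return;
    }
    wp_enqueue_script(
        'example-order-note',
        plugins_url( 'order-note.js', __FILE__ ), // assumed script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-order-note', 'exampleOrderNote', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_update_order_note' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_order_note_script' );
```

Note that the nonce check and the capability check address different failures: the nonce proves the request was initiated from the plugin's own UI by this user, while current_user_can() proves the user is allowed to touch that order at all. A handler registered only under wp_ajax_ (not wp_ajax_nopriv_) still needs both, because the logged-in requirement alone is exactly what CSRF abuses.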
Attack Vector and Prerequisites
The vulnerability can be exploited remotely without authentication [1]. The attacker crafts a forged request, for example an auto-submitting HTML form or a link hosted on a site they control, that targets the vulnerable Ajax endpoint. The attacker then needs to trick a site administrator with the capability to manage WooCommerce order notes into performing the action, such as clicking the malicious link, while logged in to the WordPress admin. The victim's browser attaches the administrator's session cookie to the forged request, so the attacker needs no account or privileges on the target site.
Impact
Successful exploitation allows an attacker to inject arbitrary web scripts (stored XSS) into order notes [1]: because the handler accepts the forged request and stores the attacker-supplied note content, a script payload in that content executes in the browser of any administrator who subsequently views the affected order notes. This can lead to session hijacking, credential theft, or defacement of the admin interface, depending on the attacker's payload.
Mitigation
The vendor has released version 1.5.3 of the WPC Order Notes for WooCommerce plugin to address the CSRF vulnerability [1]. Administrators of affected sites should update to version 1.5.3 or later immediately and confirm the installed version in the WordPress Plugins screen afterwards. Until the update is applied, administrators should avoid following untrusted links while logged in to the site's admin area, since the forged request only succeeds with an active administrator session. As a general security measure, all plugins should be kept updated to the latest version to protect against known vulnerabilities.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.