Executive Summary

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions. This vulnerability affects all versions up to, and including, 1.8.9 and allows authenticated attackers with Subscriber-level access and above to upload arbitrary CSV data.

Technical Analysis

The vulnerability class is an issue of missing capability checks, which allows for unauthorized modification of data. The attack vector involves an authenticated attacker with Subscriber-level access and above uploading arbitrary CSV data, which can overwrite WooCommerce payment tokens, postmeta, and order meta records. The root cause is the lack of proper access control checks in the 'upload_csv' and 'process_batch' functions.

How It Gets Exploited

An attacker with Subscriber-level access to a WordPress site using the Frisbii Pay plugin can exploit this vulnerability by uploading a crafted CSV file using the 'upload_csv' function. This action triggers the vulnerability because the plugin fails to properly check the attacker's capabilities before allowing the upload. As a result, the attacker can overwrite sensitive data such as WooCommerce payment tokens, postmeta, and order meta records, potentially leading to financial and data integrity issues.

Impact Assessment

The vulnerability affects all versions of the Frisbii Pay plugin up to, and including, 1.8.9. The CVSS score for this vulnerability is 6.5, indicating a medium severity level. An attacker can achieve high integrity impact, allowing them to modify sensitive data. The blast radius is significant as it allows for the modification of WooCommerce payment tokens, postmeta, and order meta records.

Recommended Actions

To mitigate this vulnerability, it is recommended to update the Frisbii Pay plugin to a version later than 1.8.9. Additionally, monitoring for suspicious CSV uploads and implementing restrictive access controls can help detect and prevent exploitation attempts.

Sources

  • National Vulnerability Database (NVD)