CVE-2021-34646
Published: 2021-08-30
Priority: P279 · Severity: critical, CVSS 3.1 base score 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: EXPLOIT
EPSS: 50.87% (98.8th percentile)
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| booster | booster_for_woocommerce | <= 5.4.3 | — |
| pluggabl_llc | booster_for_woocommcerce | 5.4.3 – 5.4.3 | — |
Detection & IOCs (extracted from sources)
- Detect GET requests containing the 'wcj_user_id' query parameter, which is used to trigger the verification email and leak the server timestamp for token forging.
- Detect GET requests to '/my-account/' containing the 'wcj_verify_email' query parameter with a base64-encoded JSON payload (pattern: eyJpZCI6), indicating an authentication bypass attempt.
- The exploit sends multiple (3) requests in rapid succession to '/my-account/?wcj_verify_email=' with slightly different MD5 hashes derived from unix timestamps (unix, unix-1, unix-2) to account for timing delays. Burst detection on this endpoint is effective.
- The vulnerability is only exploitable if the Email Verification module is active in the Booster for WooCommerce plugin AND the 'Login User After Successful Verification' setting is enabled. The latter is ON by default, so most installations with the module active are vulnerable.
- All versions up to and including 5.4.3 of Booster for WooCommerce are affected. Versions 5.4.4 and above contain the patch.
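A defender-side illustration of the indicators listed above, written as an added example and not taken from the page or its sources: it parses constructed Apache-style access-log lines, tags requests carrying the 'wcj_user_id' and 'wcj_verify_email=eyJpZCI6' indicators, and flags any source IP that bursts the verification endpoint. The log lines, IP addresses and the five-second burst window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2021:10:00:01 +0000] "GET /?wcj_user_id=1 HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [30/Aug/2021:10:00:02 +0000] "GET /my-account/?wcj_verify_email=eyJpZCI6MSwiY29kZSI6ImFhYSJ9 HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.5 - - [30/Aug/2021:10:00:02 +0000] "GET /my-account/?wcj_verify_email=eyJpZCI6MSwiY29kZSI6ImJiYiJ9 HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.5 - - [30/Aug/2021:10:00:03 +0000] "GET /my-account/?wcj_verify_email=eyJpZCI6MSwiY29kZSI6ImNjYyJ9 HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [30/Aug/2021:10:05:00 +0000] "GET /shop/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, or None if unparseable."""
    m = LINE_RE.match(line)
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"], m["path"]) if m else None

def classify(method, path):
    """Tag a request with the CVE-2021-34646 indicators from the detection notes above."""
    tags = []
    if method == "GET" and "wcj_user_id=" in path:
        tags.append("wcj_user_id_probe")          # triggers the verification mail / timestamp leak
    if method == "GET" and path.startswith("/my-account/") and "wcj_verify_email=eyJpZCI6" in path:
        tags.append("wcj_verify_email_b64json")   # eyJpZCI6 is base64 of '{"id":'
    return tags

def detect(log_text, burst_threshold=3, window_seconds=5):
    """Return per-IP indicator hits plus IPs that hit the verify endpoint in a burst."""
    hits = defaultdict(list)          # ip -> [(timestamp, tag)]
    verify_times = defaultdict(list)  # ip -> timestamps of wcj_verify_email hits
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, method, path = parsed
        for tag in classify(method, path):
            hits[ip].append((ts, tag))
            if tag == "wcj_verify_email_b64json":
                verify_times[ip].append(ts)
    bursts = set()
    for ip, times in verify_times.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                bursts.add(ip)
                break
    return {"hits": dict(hits), "bursts": sorted(bursts)}
```

Running `detect(SAMPLE_LOG)` on the constructed log reports the single probing IP as a burst source and leaves the ordinary shop visitor untagged.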
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2581212%40woocommerce-jetpack&new=2581212%40woocommerce-jetpack&sfp_email=&sfph_mail=
- https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/