Analysis of the Vulnerability in Discount Rules for WooCommerce

Introduction

Good afternoon, dear subscribers! Today we will look at one old vulnerability in the Discount Rules for WooCommerce < 2.2.0 plugin for WordPress.

WooCommerce is a plugin for creating an online store on the WordPress engine, and WooCommerce Discount Rules is an add-on for WooCommerce for providing and managing discounts on products.

The essence of the vulnerability is that some plugin methods can be called through admin-ajax.php. These methods allow you to list products and users and, most importantly, make a product free by adding a discount rule.

This article is presented for educational purposes only. Red Team community “GISCYBERTEAM” is not responsible for any consequences of its use by third parties.

Test environment

The following were used for the test environment:

Vulnerability overview

All methods available to an unauthenticated user can be found in the plugin source code in the file wp-content/plugins/woo-discount-rules/v2/App/Controllers/Admin/WDRAjax.php, but we will only pay attention to the one that allows us to add a discount on goods.

First of all, we need to make sure that the active codebase is the one we need. The plugin ships both versions of its code, v1 and v2, and we are interested in the second one. To check, you can send the following request to display all registered users.

If we see such a response, then we need to switch the codebase to the second version by sending a GET request to any destination with the parameter awdr_switch_plugin_to=v2.

After this, everything should work for us.

Let's go back to the wdr_ajax_save_rule function from the WDRAjax.php file (first screenshot). We see that when a rule is saved, an object of the Rule class is created. Let's see what properties it contains.

Let's look only at the most important ones:

  • title – the name of the discount rule.

  • enabled – the rule is enabled/disabled.

  • discount_type – discount type (wdr_simple_discount – the discount on the product is displayed on the main page, wdr_cart_discount – the discount is displayed in the cart, wdr_bulk_discount – a discount with more flexible settings, where you can select the minimum and maximum cost of the product). These discount types can also be seen in the admin panel when adding a rule.

  • filters – filter for products for which a discount will be added.

  • cart_adjustments – type of discount (fixed or percentage) and its value.

Now, knowing the necessary parameters, we can send a request to create a discount.

After this, the created discount should appear in the admin panel.

Now, if we go to the main page, we will see the following picture:

Conclusion

In this article, we looked at a vulnerability in the Discount Rules for WooCommerce plugin, which allows any unauthenticated user to manage discounts in the store, allowing them to purchase products for free.
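
For defenders, the two request traits described above (the awdr_switch_plugin_to parameter and calls to admin-ajax.php) can be hunted for in web server access logs. The script below is an added example, not part of the original article or the plugin: it assumes the combined log format, uses constructed sample lines, and the 10-minute correlation window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /?awdr_switch_plugin_to=v2 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://shop.example/cart/" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:11:30:00 +0000] "GET /shop/?awdr_switch_plugin_to=v1 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SWITCH_PARAM = "awdr_switch_plugin_to"   # parameter named in the article
AJAX_PATH = "/wp-admin/admin-ajax.php"
WINDOW = timedelta(minutes=10)           # assumed correlation window

def parse(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": url.path, "status": int(status),
            "query": parse_qs(url.query, keep_blank_values=True)}

def find_alerts(log_text):
    """Return (severity, ip, detail) tuples in log order."""
    alerts, last_switch = [], {}
    for rec in filter(None, map(parse, log_text.splitlines())):
        if SWITCH_PARAM in rec["query"]:
            # The version switch works on any URL, so check every request for it.
            value = rec["query"][SWITCH_PARAM][0]
            last_switch[rec["ip"]] = rec["time"]
            alerts.append(("medium", rec["ip"], f"{SWITCH_PARAM}={value} on {rec['path']}"))
        elif rec["method"] == "POST" and rec["path"].endswith(AJAX_PATH):
            seen = last_switch.get(rec["ip"])
            if seen is not None and rec["time"] - seen <= WINDOW:
                # Same client switched the plugin version, then called the AJAX endpoint.
                alerts.append(("high", rec["ip"], "admin-ajax.php POST after version switch"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert, sep="\t")
```

A plain POST to admin-ajax.php is normal storefront traffic, which is why the script raises the high-severity alert only when the same client sent the switch parameter shortly before.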
