NextMove Lite WooCommerce Plugin Missing Authorization Vulnerability for Deactivation Reason Submission
Vulnerability
A vulnerability exists in the NextMove Lite - Thank You Page for WooCommerce plugin for WordPress, in versions up to and including 2.19.0. The '_submit_uninstall_reason_action()' function performs no capability check before acting on the data it receives, so the handler is reachable by any logged-in user rather than only by users permitted to manage plugins. As a result, authenticated attackers with Subscriber-level access and above can submit a deactivation reason for the site. The direct effect is that attacker-controlled reason data is accepted and processed as though it came from a privileged user; no further privilege escalation is described.
Impact
Exploitation lets a low-privileged authenticated user submit arbitrary deactivation reasons. Any plugin behaviour or notification that depends on that data (for example, what the plugin records or displays after a deactivation reason is received) can therefore be influenced by a user who should have no say in plugin management. Because the precondition is only an authenticated account of any role, sites that allow open user registration are exposed to anyone who can register.
Reproduction
To reproduce, log in as a user with Subscriber-level access or higher and send the plugin's deactivation-reason request directly to the site (for example with curl or the browser's developer tools, reusing the logged-in session cookie). Access to the Plugins screen in wp-admin is not required, and a Subscriber does not have it; the request only needs to reach the handler that calls '_submit_uninstall_reason_action()'. Because that handler performs no capability check, the submission is processed even though the user lacks the permission to manage plugins.
Remediation
Update the NextMove Lite - Thank You Page for WooCommerce plugin to version 2.20.0 or later, where this issue is patched. After updating, confirm the fix by re-sending the same request from a Subscriber-level account: it should now be rejected rather than processed.
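As an added illustration of the flaw class described in the Vulnerability and Remediation sections above (this is example code, not the plugin's own source, which is not reproduced on this page): a hypothetical WordPress AJAX handler that accepts a deactivation reason, shown first without any authorization check and then hardened. The action names, the option name and the 'activate_plugins' capability are assumptions chosen for the example; the advisory itself only states that a capability check was missing.

```php
<?php
// Added example, not the plugin's code. Models the flaw class from the advisory:
// a wp_ajax_* handler reachable by every logged-in user (Subscriber included)
// that never asks whether the caller is allowed to perform the action.

// --- Vulnerable pattern (hypothetical action and option names) ---
add_action( 'wp_ajax_example_submit_uninstall_reason', 'example_submit_uninstall_reason_vulnerable' );

function example_submit_uninstall_reason_vulnerable() {
    // wp_ajax_* hooks fire for ANY authenticated user. With no current_user_can()
    // and no nonce check, a Subscriber can reach this code: missing authorization.
    $reason = isset( $_POST['reason'] ) ? sanitize_text_field( wp_unslash( $_POST['reason'] ) ) : '';
    update_option( 'example_uninstall_reason', $reason );
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_submit_uninstall_reason_v2', 'example_submit_uninstall_reason_hardened' );

function example_submit_uninstall_reason_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() dies with a 403 response if the nonce is missing or bad.
    check_ajax_referer( 'example_uninstall_reason', 'nonce' );

    // 2. Authorization: only users who may manage plugins should submit a reason.
    //    'activate_plugins' is an assumption; pick the capability that matches the
    //    privilege the action really represents, never a role name.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only now act on the input (still sanitized: authorization is not validation).
    $reason = isset( $_POST['reason'] ) ? sanitize_text_field( wp_unslash( $_POST['reason'] ) ) : '';
    update_option( 'example_uninstall_reason', $reason );
    wp_send_json_success();
}
```

The nonce for the hardened handler would be generated server-side with wp_create_nonce( 'example_uninstall_reason' ) and passed to the deactivation dialog's script (for example via wp_localize_script), so that a request forged from another origin, or replayed by a user who never saw the dialog, fails before the capability check even runs. Note that the nonce alone is not an authorization control: a Subscriber who obtains a nonce for their own session would still pass it, which is why the current_user_can() check is the part that addresses the missing-authorization class this advisory describes.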