SMS Alert Order Notifications for WooCommerce: Missing Authorization Vulnerability Leading to Privilege Escalation

Vulnerability

A vulnerability in the SMS Alert Order Notifications – WooCommerce plugin for WordPress, in versions through 3.7.6, allows for unauthorized data modification that could lead to privilege escalation. This issue arises from a lack of proper capability checks in the updateWcWarrantySettings() function. As a result, authenticated attackers with subscriber-level access or higher can manipulate arbitrary options on the WordPress site. This vulnerability can be exploited to change the default user role for new registrations to administrator, effectively granting admin access to the attacker. The issue requires the WooCommerce Warranty plugin to be present on the site.
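The pattern behind this class of bug, as an added illustration and not the plugin's own code (the advisory does not reproduce it): a WordPress AJAX handler that verifies a nonce but never checks a capability, beside a hardened version that adds the capability check and an allowlist of plugin-owned options. The function, action and option names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. All names below are hypothetical.

// VULNERABLE PATTERN: the nonce is verified, but no capability is checked, so
// any logged-in user who can obtain the nonce reaches update_option() with
// caller-controlled option names and values (e.g. default_role).
function vulnerable_update_settings() {
    check_ajax_referer( 'wc_warranty_settings', 'nonce' ); // nonce only
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    foreach ( $settings as $name => $value ) {
        update_option( $name, $value ); // arbitrary option written as-is
    }
    wp_send_json_success();
}

// HARDENED PATTERN: capability check plus an allowlist of option names with
// per-option sanitization, so the handler can only touch its own settings.
function hardened_update_settings() {
    check_ajax_referer( 'wc_warranty_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), no return needed
    }
    // Hypothetical plugin-owned options mapped to their sanitizers.
    $allowed = array(
        'smsalert_warranty_enabled'  => 'rest_sanitize_boolean',
        'smsalert_warranty_template' => 'sanitize_textarea_field',
    );
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    foreach ( $settings as $name => $value ) {
        if ( ! isset( $allowed[ $name ] ) ) {
            continue; // core options such as default_role are never reachable
        }
        update_option( $name, call_user_func( $allowed[ $name ], wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_smsalert_update_warranty_settings', 'hardened_update_settings' );
```

A nonce only proves the request originated from a page the user loaded; it is not an authorization check, which is why the capability test and the allowlist are both needed.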

Impact

Exploitation of this vulnerability could allow an authenticated user with subscriber-level access to escalate privileges by changing the default role of new users to administrator, thereby gaining administrative access on the WordPress site.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access sends a request to the WordPress site carrying a valid nonce; because the function performs no capability check, the request is accepted. The request can include data that updates WordPress options, such as setting the default role for new registrations to administrator. After the options have been updated, the attacker can register a new user or use an existing account to gain administrative access.

Remediation

Users are advised to update the SMS Alert Order Notifications – WooCommerce plugin to version 3.7.7 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.