BigBuy Dropshipping Connector for WooCommerce IP Address Spoofing Vulnerability

A vulnerability allowing IP address spoofing has been identified in the BigBuy Dropshipping Connector for WooCommerce plugin, affecting all versions through 2.0.5. The issue arises from inadequate validation of IP addresses and the reliance on user-supplied HTTP headers for IP retrieval. This vulnerability enables unauthenticated attackers to access the output of phpinfo(), which can expose sensitive information about the server environment.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information via the phpinfo() output, which includes details about the server configuration, loaded extensions, and other environment variables.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site with the 'X-Forwarded-For' header set to an IP address that is not included in the plugin's whitelist. The request should also include the 'messageType' and 'operationType' parameters, as these are required for the plugin's API endpoint. Once the request is processed, the phpinfo() output will be returned, demonstrating the successful exploitation of the IP spoofing vulnerability.