Link Invoice Payment for WooCommerce Missing Authorization Vulnerability Allowing Unauthenticated Partial Payment Manipulation

A vulnerability exists in the Link Invoice Payment for WooCommerce plugin for WordPress, in all versions through 2.8.0. The issue arises from a lack of proper capability checks in the 'createPartialPayment' and 'cancelPartialPayment' functions. This flaw enables unauthenticated attackers to arbitrarily create partial payments on any order or cancel existing partial payments by enumerating IDs.

Impact

Exploitation of this vulnerability allows for unauthorized creation and cancellation of partial payments on WooCommerce orders, potentially leading to financial discrepancies and unauthorized order modifications.

Reproduction

To reproduce this vulnerability, send a POST request to the '/create_partial_payment' endpoint without authentication. Include the 'orderId' parameter to specify the order, and the 'partialAmount' parameter to indicate the payment amount. To cancel a partial payment, send a POST request to the '/cancel_partial_payment' endpoint with the 'partialOrderId' parameter specifying the ID of the partial order to be canceled.

Remediation

Users are advised to update the Link Invoice Payment for WooCommerce plugin to version 2.8.1 or later.