Responsive Plus WordPress Plugin Unauthenticated Arbitrary Shortcode Execution Vulnerability
Vulnerability
A vulnerability exists in the Responsive Plus WordPress plugin in versions prior to 3.4.3, allowing unauthenticated users to execute arbitrary shortcodes. This issue arises because the plugin's update_responsive_woo_free_shipping_left_shortcode AJAX action fails to properly validate the content_rech_data parameter before processing it as a shortcode.
Impact
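Exploitation of this vulnerability lets an unauthenticated user execute arbitrary shortcodes, so any functionality exposed by a shortcode registered on the site can be triggered without logging in. This could be used to inject and execute malicious code or actions within the WordPress site.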
Reproduction
To reproduce this vulnerability, first install and activate the WooCommerce plugin. As a superadmin, set up a shipping zone and add a 'Free Shipping' method, ensuring that the WooCommerce store has at least one product. Once the store is launched, capture the Cookie header from an unauthenticated GET request to the WooCommerce cart. This Cookie header can then be used in a POST request to the admin-ajax.php file, targeting the vulnerable AJAX action. Include a crafted content_rech_data parameter that contains the shortcode to be executed. After sending the request, the injected shortcode will be executed and rendered in the response.
Remediation
Users are advised to update the Responsive Plus WordPress plugin to version 3.4.3 or later.
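To check whether the endpoint was called with shortcode content before the update was applied, request logs can be searched for the pattern described in this advisory. The following is an added example, not code from the plugin or from this advisory; it assumes a JSON-lines request log with ip, method, url, cookie and body fields (a constructed schema and constructed sample records), and its shortcode pattern is a simplified approximation of WordPress shortcode syntax.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "update_responsive_woo_free_shipping_left_shortcode"  # AJAX action named in the advisory
PARAM = "content_rech_data"  # parameter name as spelled in the advisory
# Simplified approximation of shortcode syntax: [tag], [tag attr="x"], [/tag]
SHORTCODE_RE = re.compile(r"\[/?[A-Za-z][\w-]*(?:\s[^\]]*)?/?\]")

# Constructed sample records; the field names are an assumed log schema.
SAMPLE_LOG = """
{"ip":"198.51.100.7","method":"POST","url":"/wp-admin/admin-ajax.php","cookie":"woocommerce_cart_hash=abc123","body":"action=update_responsive_woo_free_shipping_left_shortcode&content_rech_data=%5Bplaceholder_tag%5D"}
{"ip":"198.51.100.8","method":"POST","url":"/wp-admin/admin-ajax.php?action=update_responsive_woo_free_shipping_left_shortcode","cookie":"","body":"content_rech_data=Hi+%5Bplaceholder_tag+attr%3D%221%22%5D"}
{"ip":"198.51.100.9","method":"POST","url":"/wp-admin/admin-ajax.php","cookie":"","body":"action=update_responsive_woo_free_shipping_left_shortcode&content_rech_data=Add+%7Bamount%7D+more+for+free+shipping"}
{"ip":"198.51.100.10","method":"POST","url":"/wp-admin/admin-ajax.php","cookie":"","body":"action=heartbeat&data=%5Bx%5D"}
{"ip":"198.51.100.11","method":"POST","url":"/wp-admin/admin-ajax.php","cookie":"wordpress_logged_in_abc=editor","body":"action=update_responsive_woo_free_shipping_left_shortcode&content_rech_data=%5Bplaceholder_tag%5D"}
"""


def find_suspect_requests(log_text):
    """Return requests to the vulnerable action whose parameter carries shortcode syntax."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        url = urlsplit(rec.get("url", ""))
        # The advisory describes a POST to admin-ajax.php.
        if rec.get("method") != "POST" or not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # WordPress reads 'action' from $_REQUEST, so merge query string and body.
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in parse_qs(rec.get("body", ""), keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
        if VULN_ACTION not in params.get("action", []):
            continue
        # parse_qs has already URL-decoded the values, so %5B...%5D appears as [...]
        hits = [m.group(0) for v in params.get(PARAM, []) for m in SHORTCODE_RE.finditer(v)]
        if hits:
            findings.append({
                "ip": rec.get("ip"),
                "shortcodes": hits,
                # No WordPress login cookie present: matches the unauthenticated case.
                "unauthenticated": "wordpress_logged_in_" not in rec.get("cookie", ""),
            })
    return findings
```

Standard web server access logs usually omit POST bodies, so this check needs a source that records them, such as a WAF or reverse-proxy request log.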
