WPshop E-Commerce Plugin Insecure Direct Object Reference Vulnerability Allowing Arbitrary API Key Generation

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the WPshop 2 – E-Commerce plugin for WordPress, affecting versions 2.0.0 through 2.6.0. The issue arises in the callback_generate_api_key() function, where there is a lack of proper validation on a user-controlled key. This vulnerability enables authenticated attackers with Subscriber-level access and above to generate valid API keys for other users.

Impact

Exploitation of this vulnerability allows authenticated users to create API keys for other users, potentially leading to unauthorized access or actions on behalf of those users.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wp_ajax_generate_api_key' action. The request must include the 'id' parameter, specifying the user ID for whom the API key should be generated. The absence of validation on the 'id' parameter allows the attacker to manipulate which user's API key is created.

Remediation

No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.