Amazon Products to WooCommerce Missing Authorization Vulnerability Allowing Unauthenticated Product Creation
Vulnerability
A vulnerability exists in the Amazon Products to WooCommerce plugin for WordPress, in all versions through 1.2.7. The issue arises from a lack of proper capability checks in the 'wcta2w_get_amazon_product_callback()' function, allowing unauthenticated users to create new products on the WooCommerce site.
Impact
Exploitation of this vulnerability allows for unauthorized product creation in WooCommerce, which could lead to various issues such as inventory manipulation or fraudulent product listings.
Reproduction
To reproduce this vulnerability, send a POST request to the WordPress admin-ajax.php endpoint with the 'action' parameter set to 'wcta2w_f711_get_amazon_product' and the 'url' parameter containing the Amazon product URL. This request can be made without authentication, bypassing any user capability checks.
Remediation
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.