Biteship WooCommerce Shipping Plugin Insecure Direct Object Reference Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the Biteship plugin for WooCommerce, specifically in versions through 3.2.0. The issue arises in the 'get_order_detail()' function, where there is a lack of proper validation on a user-controlled key. This vulnerability enables authenticated attackers with Subscriber-level access or higher to access and view orders belonging to other users.

Impact

Exploitation of this vulnerability allows authenticated users to view orders of other users, potentially including sensitive information such as order details and tracking information.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'get_order_detail()' function without the necessary validation on the key. This can be done by manipulating the request to include a key that references another user's order.

Remediation

No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.