Fortis for WooCommerce Authorization Bypass Vulnerability Allowing Unauthenticated Order Status Updates
Vulnerability
A vulnerability exists in the Fortis for WooCommerce WordPress plugin, all versions through 1.2.0, allowing authorization bypass. This flaw arises from an inverted nonce check in the 'check_fortis_notify_response' function. As a result, unauthenticated attackers can manipulate WooCommerce order statuses, marking them as paid, processing, or completed, without actual payment.
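To make the inverted check concrete, the following is an added illustration and not the plugin's own source: a hypothetical WooCommerce notify handler whose nonce condition is inverted, followed by the corrected form. The function names, the nonce action string and the gateway-confirmation helper are assumptions.

```php
<?php
// Added illustration (not the plugin's code). Function names, the nonce
// action 'fortis_notify' and gateway_confirms_payment() are hypothetical.

// VULNERABLE: the condition is inverted, so a request WITHOUT a valid nonce
// passes straight through, while a request carrying a valid nonce is rejected.
function vulnerable_check_notify_response() {
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    if ( wp_verify_nonce( $nonce, 'fortis_notify' ) ) { // bug: missing "!"
        wp_die( 'Invalid request', 'Fortis', array( 'response' => 403 ) );
    }
    $order = wc_get_order( absint( $_REQUEST['fortis_order_id'] ?? 0 ) );
    if ( $order ) {
        $order->payment_complete(); // marks the order paid without any payment being verified
    }
}

// Placeholder for a server-side confirmation with the payment gateway.
// Returns false until replaced by a real lookup, so nothing is marked paid by mistake.
function gateway_confirms_payment( $order_id ) {
    return false;
}

// HARDENED: reject when the nonce does NOT verify. The nonce is CSRF protection
// only; the decision to mark an order paid must rest on a verified gateway
// response, never on a client-supplied order id and status alone.
function hardened_check_notify_response() {
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'fortis_notify' ) ) {
        wp_die( 'Invalid request', 'Fortis', array( 'response' => 403 ) );
    }
    $order_id = absint( $_REQUEST['fortis_order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order || $order->is_paid() ) {
        return; // unknown order, or already paid: nothing to do
    }
    if ( ! gateway_confirms_payment( $order_id ) ) {
        $order->add_order_note( 'Payment notification could not be verified with the gateway.' );
        return;
    }
    $order->payment_complete();
}
```

When reviewing similar handlers, a status change that depends only on a request parameter and a nonce, with no independent confirmation from the gateway, is the pattern to look for.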
Impact
Exploitation of this vulnerability allows for unauthorized updates of WooCommerce order statuses to paid, processing, or completed, potentially leading to financial loss and order management issues.
Reproduction
To reproduce this vulnerability, send a request to the 'WC_Gateway_Fortis_Notify' endpoint without proper authentication. Include a 'fortis_order_id' in the request to specify which order status to update. The absence of a valid nonce will bypass the authorization check, allowing the order status to be changed to paid or completed.
Remediation
No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.
