Subscriptions for WooCommerce Missing Authorization Vulnerability Allowing Unauthenticated Subscription Cancellations

Vulnerability

A vulnerability exists in the Subscriptions for WooCommerce plugin for WordPress, in versions through 1.9.2. The issue arises from a missing capability check in the 'wps_sfw_admin_cancel_susbcription()' function, which is hooked to the 'init' action and is therefore reachable by any visitor before authentication is enforced. The function performs no authentication or authorization check; it only confirms that the nonce parameter is non-empty and never validates it with 'wp_verify_nonce()', so any arbitrary value passes. As a result, unauthenticated attackers can cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value and the target subscription's ID in the 'wps_subscription_id' parameter.
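To show the defect class beside its fix, here is an added illustration written for this page; it is not the plugin's code, and the function names, the nonce parameter name ('example_nonce'), the nonce action string and the cancellation helper are all hypothetical stand-ins.

```php
<?php
// Added example, not the plugin's source. All names here are hypothetical.

// Vulnerable pattern described in the advisory: hooked to 'init' (reachable by
// unauthenticated visitors) and the nonce is only tested for being non-empty.
function example_cancel_subscription_vulnerable() {
    if ( empty( $_GET['wps_subscription_id'] ) || empty( $_GET['example_nonce'] ) ) {
        return;
    }
    // No wp_verify_nonce(), no current_user_can(): any nonce value is accepted.
    example_do_cancel( absint( $_GET['wps_subscription_id'] ) );
}

// Hardened pattern: verify the nonce against a specific action AND require a
// capability. A nonce proves intent/CSRF protection only; it is not authorization.
function example_cancel_subscription_hardened() {
    if ( ! isset( $_GET['wps_subscription_id'], $_GET['example_nonce'] ) ) {
        return;
    }
    $subscription_id = absint( wp_unslash( $_GET['wps_subscription_id'] ) );
    $nonce           = sanitize_text_field( wp_unslash( $_GET['example_nonce'] ) );

    // Bind the nonce to the action and to this subscription ID so a nonce issued
    // for one record cannot be replayed against another.
    if ( ! wp_verify_nonce( $nonce, 'example_cancel_subscription_' . $subscription_id ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), 403 );
    }
    // Only users allowed to manage the shop may cancel subscriptions.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), 403 );
    }
    example_do_cancel( $subscription_id );
}
// Current user is available on 'init', so the capability check above is valid here.
add_action( 'init', 'example_cancel_subscription_hardened' );

// Admin-screen link generator that issues the matching, ID-bound nonce.
function example_cancel_link( $subscription_id ) {
    $subscription_id = absint( $subscription_id );
    return wp_nonce_url(
        add_query_arg( 'wps_subscription_id', $subscription_id, admin_url( 'admin.php' ) ),
        'example_cancel_subscription_' . $subscription_id,
        'example_nonce'
    );
}

function example_do_cancel( $subscription_id ) {
    // Stand-in for the plugin's real cancellation logic (hypothetical meta key).
    update_post_meta( $subscription_id, 'example_status', 'cancelled' );
}
```

The essential difference is the pair of checks in the hardened handler: 'wp_verify_nonce()' against an ID-bound action, followed by 'current_user_can()'; either one alone leaves a gap.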

Impact

Exploitation of this vulnerability allows for unauthorized cancellation of active WooCommerce subscriptions, potentially disrupting subscription-based services or revenue.

Reproduction

To reproduce this vulnerability, send a GET request to the WordPress site with the 'wps_subscription_id' parameter set to the ID of an active subscription and an arbitrary value for the nonce parameter; because the nonce is never validated, the request is accepted. This can be done using tools like Postman or through a simple script that sends the crafted request.

Remediation

Users are advised to update the Subscriptions for WooCommerce plugin to version 1.9.3 or later, where this vulnerability has been patched.

Added: Mar 18, 2026, 4:28 AM
Updated: Mar 18, 2026, 4:28 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.0
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.