Unauthorized Access Vulnerability in InPost PL and WooCommerce Plugin (CVE-2024-6500)

The InPost for WooCommerce and InPost PL WordPress plugins are tools designed to integrate InPost’s parcel locker delivery services with WooCommerce and WordPress websites. The InPost for WooCommerce plugin allows customers to choose InPost parcel lockers as a delivery option during checkout, streamlining shipping processes.

A critical vulnerability, CVE-2024-6500, has been identified in the InPost PL and InPost for WooCommerce WordPress plugins. This flaw exposes over 10,000 websites to potential complete takeover. Rated CVSS 10 out of 10, it is an Arbitrary File Read and Delete vulnerability that allows attackers to read and delete sensitive files, including the essential wp-config.php file, which could lead to a full compromise of the affected websites.

Customers can launch a Qualys Web Application Scan to check whether their application is vulnerable; QID 152114 addresses CVE-2024-6500.

About CVE-2024-6500

Severity: 5
CVSS 3.x Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
CVSS 3.x Score: 10
Affected Versions:
InPost for WooCommerce Plugin versions up to, and including 1.4.0
InPost PL Plugin versions up to, and including 1.4.4

The InPost for WooCommerce plugin and the InPost PL plugin for WordPress are vulnerable to unauthorized access and data deletion due to a missing capability check on the ‘parse_request’ function in all versions up to and including 1.4.0 (for InPost for WooCommerce) and 1.4.4 (for InPost PL). This flaw allows unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress installation can be deleted, but all files can still be read.

Impact

Successful exploitation of this vulnerability could allow unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress installation can be deleted, but all files can be read.

Mitigation

Customers are advised to upgrade to InPost PL Plugin 1.4.5 or a later version to remediate this vulnerability.
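To find installed copies that still fall in the affected ranges listed above, the following added example (not Qualys or vendor code) reads the standard WordPress plugin header from each plugin's PHP files and compares versions numerically. It assumes the "Plugin Name" header matches the plugin names used on this page; the function names and the sample header are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Last vulnerable version per plugin, taken from this advisory.
# Assumption: the "Plugin Name" header equals the name used on this page.
LAST_VULNERABLE = {
    "inpost for woocommerce": (1, 4, 0),
    "inpost pl": (1, 4, 4),
}
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.+)$", re.I | re.M)

# Constructed sample header, not copied from the real plugin.
SAMPLE = "<?php\n/**\n * Plugin Name: InPost PL\n * Version: 1.4.4\n */\n"


def parse_header(php_source):
    """Return (name, version) from a WordPress plugin header comment."""
    found = HEADER_RE.findall(php_source[:8192])
    fields = {key.lower(): value.strip() for key, value in found}
    return fields.get("plugin name"), fields.get("version")


def version_tuple(version):
    """'1.4.10' -> (1, 4, 10), so 1.4.10 sorts after 1.4.4."""
    nums = [re.match(r"\d+", part) for part in version.split(".")]
    return tuple(int(m.group()) if m else 0 for m in nums)


def is_affected(name, version):
    """True if this plugin name and version fall in an affected range."""
    limit = LAST_VULNERABLE.get((name or "").strip().lower())
    if limit is None or not version:
        return False
    return version_tuple(version) <= limit


def scan_plugins(plugins_dir):
    """Check the top-level PHP files of every plugin folder."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        name, version = parse_header(php.read_text(errors="replace"))
        if is_affected(name, version):
            findings.append((str(php), name, version))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, name, version in scan_plugins(target):
        print(f"AFFECTED by CVE-2024-6500: {name} {version} ({path})")
```

Run it with the path to a site's wp-content/plugins directory as the only argument.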

References

https://securityonline.info/10000-wordpress-sites-at-risk-critical-file-deletion-flaw-found-in-inpost-plugins/

https://www.wordfence.com/threat-intel/vulnerabilities/detail/inpost-for-woocommerce-140-and-inpost-pl-144-missing-authorization-to-unauthenticated-arbitrary-file-read-and-delete

https://github.com/advisories/GHSA-wpg2-hxqm-pjvr
