Executive Summary

The Fortis for WooCommerce plugin for WordPress has a vulnerability due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to and including 1.2.0.

This flaw allows unauthenticated attackers to bypass authorization and update arbitrary WooCommerce order statuses to paid, processing, or completed without actually making a payment.

Essentially, attackers can mark orders as paid without paying, exploiting the incorrect security check.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to fraudulently mark orders as paid or completed in a WooCommerce store using the Fortis payment gateway plugin.

As a result, attackers could receive goods or services without paying, leading to financial loss for the store owner.

It undermines the integrity of the payment process and order management, potentially causing revenue loss and operational disruption.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves an authorization bypass in the Fortis for WooCommerce plugin allowing unauthenticated attackers to update WooCommerce order statuses to paid without payment.'}, {'type': 'paragraph', 'content': 'Detection can focus on monitoring WooCommerce order status changes to paid/processing/completed that occur without corresponding legitimate payment transactions.'}, {'type': 'paragraph', 'content': "Since the vulnerability is due to an inverted nonce check in the 'check_fortis_notify_response' function, inspecting HTTP POST requests to the payment notification endpoint for missing or invalid nonce verification could help detect exploitation attempts."}, {'type': 'paragraph', 'content': 'Suggested commands or methods include:'}, {'type': 'list_item', 'content': 'Review web server access logs for POST requests to the Fortis payment notification URLs that lack valid nonce parameters.'}, {'type': 'list_item', 'content': 'Use WooCommerce or WordPress database queries to identify orders whose status changed to paid/processing/completed without a matching payment transaction or with suspicious timestamps.'}, {'type': 'list_item', 'content': 'Enable and review WooCommerce logging if the Fortis plugin logging is enabled, as it logs redirect POST data and transaction details.'}, {'type': 'list_item', 'content': 'Example WP-CLI command to list recent orders with status changes: `wp wc order list --status=processing,completed,paid --orderby=date --order=desc` and then cross-check payment metadata.'}, {'type': 'list_item', 'content': 'Use network monitoring tools to capture and analyze HTTP POST requests to the Fortis payment endpoints for anomalies or missing nonce parameters.'}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Update the Fortis for WooCommerce plugin to a version later than 1.2.0 where the inverted nonce check vulnerability is fixed.
• If an update is not immediately available, temporarily disable the Fortis payment gateway in WooCommerce settings to prevent exploitation.
• Review and audit recent WooCommerce orders for unauthorized status changes and manually verify payments.
• Enable detailed logging in the Fortis plugin to monitor suspicious payment notifications.
• Implement additional access controls or firewall rules to restrict access to the payment notification endpoints.
• Consider applying custom patches or nonce verification fixes if you have development resources, based on the plugin source code.

Useful 0 Not Useful 0