Executive Summary

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0.1. This vulnerability exists because the plugin's AJAX action 'wsnfw_save_users_settings' lacks nonce validation, which is a security measure to verify the authenticity of requests.

As a result, an unauthenticated attacker can craft a forged request that tricks a site administrator into performing an action, such as clicking a malicious link, which then modifies the plugin's configuration settings without the administrator's consent.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to modify the configuration settings of the Whatsiplus Scheduled Notification plugin without proper authorization. Since the attacker can trick an administrator into executing a forged request, they can potentially change how notifications are scheduled or sent.

While the vulnerability does not directly compromise data confidentiality or availability, it can lead to unauthorized changes in plugin behavior, which might disrupt notification services or cause unexpected plugin actions.

The CVSS score of 4.3 (Medium severity) reflects that the impact is limited to integrity (I:L) with no impact on confidentiality or availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unauthorized or suspicious AJAX POST requests to the 'wsnfw_save_users_settings' action endpoint in the Whatsiplus Scheduled Notification for WooCommerce plugin."}, {'type': 'paragraph', 'content': "Specifically, you can look for HTTP POST requests targeting the AJAX action parameter 'action=wsnfw_save_users_settings' without proper nonce validation."}, {'type': 'paragraph', 'content': 'On the server or network level, commands such as the following can help detect such attempts:'}, {'type': 'list_item', 'content': "Using grep on web server logs to find suspicious POST requests: grep 'action=wsnfw_save_users_settings' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "Using tcpdump or tshark to capture HTTP POST requests containing 'wsnfw_save_users_settings': sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'wsnfw_save_users_settings'"}, {'type': 'list_item', 'content': "Using curl to test if the AJAX action is accessible without nonce validation (for authorized testing only): curl -X POST -d 'action=wsnfw_save_users_settings&wsnfw_active_digits=test&wsnfw_custom_phone_meta_keys=test' https://yourwordpresssite.com/wp-admin/admin-ajax.php"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately update the Whatsiplus Scheduled Notification for WooCommerce plugin to a version that includes nonce validation on the 'wsnfw_save_users_settings' AJAX action.

If an update is not yet available, temporarily disable or restrict access to the AJAX action 'wsnfw_save_users_settings' to prevent unauthorized configuration changes.

Additionally, educate site administrators to avoid clicking on suspicious links that could trigger forged requests.

Implementing Web Application Firewall (WAF) rules to block or monitor requests to this AJAX action can also help reduce risk.

Useful 0 Not Useful 0