WordPress Plugin Vulnerability Report – Razorpay for WooCommerce – Missing Authorization and Cross-Site Request Forgery

Plugin Name: Razorpay for WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: woo-razorpay
  • Software Status: Active
  • Software Author: NA
  • Software Downloads: 1,366,539
  • Active Installs: 60,000
  • Last Updated: November 28, 2023
  • Patched Versions: 4.5.7
  • Affected Versions: <= 4.5.6

Vulnerability 1 Details:

  • Name: Razorpay for WooCommerce <= 4.5.6 - Missing Authorization
  • Title: Missing Authorization
  • Type: Missing Authorization
  • CVSS Score: 4.3 (Medium)
  • Publicly Published: November 28, 2023
  • Description: The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification due to a missing capability check on several functions hooked via admin_post in all versions up to, and including, 4.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update, direct, create, and reverse transfers through the plugin.

Vulnerability 2 Details:

  • Name: Razorpay for WooCommerce <= 4.5.6 - Cross-Site Request Forgery
  • Title: Cross-Site Request Forgery
  • Type: Cross-Site Request Forgery (CSRF)
  • CVSS Score: 4.3 (Medium)
  • Publicly Published: November 28, 2023
  • Description: The Razorpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.6. This is due to missing nonce validation on several functions hooked via admin_post. This makes it possible for unauthenticated attackers to update, direct, create, and reverse transfers through the plugin via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Summary:

The Razorpay for WooCommerce plugin for WordPress has vulnerabilities in versions up to and including 4.5.6 that enable missing authorization and cross-site request forgery attacks. These vulnerabilities have been patched in version 4.5.7.

Detailed Overview:

The Razorpay for WooCommerce plugin has two vulnerabilities that were publicly disclosed on November 28, 2023. The first is a missing authorization vulnerability that allows authenticated users with subscriber access or higher to perform sensitive actions they should not have access to. This is due to a lack of proper capability checking in the code.

The second is a cross-site request forgery vulnerability that could allow an attacker to trick an administrator into clicking a link that performs unwanted actions through the plugin. This is enabled by the lack of proper nonce validation on sensitive functions.

Together, these vulnerabilities allow unauthorized actions through the plugin by authenticated users and, under specific conditions, by unauthenticated users as well. Users should update to version 4.5.7 or higher as soon as possible to mitigate these vulnerabilities.

Advice for Users:

  1. Immediate Action: Update to version 4.5.7 or higher of the Razorpay for WooCommerce plugin.
  2. Check for Signs of Vulnerability: Review logs and account activity from the period the site was running a vulnerable version (4.5.6 or earlier) for unauthorized transfer actions performed through the plugin.
  3. Alternate Plugins: Consider alternative payment gateway plugins as a precaution, even with the patched version of Razorpay for WooCommerce.
  4. Stay Updated: Enable auto-updates for plugins whenever available or manually update frequently.

Conclusion:

These vulnerabilities found in the Razorpay for WooCommerce plugin serve as an important reminder to apply patches and stay updated. Users should update to version 4.5.7 immediately to close these vulnerabilities. Enabling auto-updates and testing patches before applying them to production sites is strongly advised.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woo-razorpay

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woo-razorpay/razorpay-for-woocommerce-456-missing-authorization

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woo-razorpay/razorpay-for-woocommerce-456-cross-site-request-forgery

Detailed Report:

Keeping your WordPress site updated is one of the most important things you can do to maintain security, yet it’s something many site owners fail to stay on top of. Unfortunately, that can leave your site exposed to vulnerabilities in outdated plugins and themes - like the recently disclosed flaws in the Razorpay for WooCommerce payment plugin.

The popular Razorpay for WooCommerce plugin, with over 1.3 million downloads, lets WordPress sites integrate Razorpay payment processing. But versions up to and including 4.5.6 contain vulnerabilities enabling both missing authorization issues and cross-site request forgery attacks.

Specifically, these vulnerabilities stem from problems with capability checking and nonce validation in the plugin code. Together, they allow authenticated users, and in some cases unauthenticated attackers, to perform sensitive actions through the plugin that they should not normally have access to.

This means an attacker could potentially take actions like reversing payments or changing payment details without permission. And they could trick administrators into unwittingly enabling these actions.
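The two defects described above (missing capability check and missing nonce validation on admin_post handlers) and the checks that close them, as an added illustration that is not code from the Razorpay for WooCommerce plugin. The hook names, the `example_` functions and the `manage_woocommerce` capability are assumptions chosen for the illustration.

```php
<?php
// Added illustration, not the plugin's own code. Hook, action, function and
// capability names are assumptions; the vulnerable/hardened contrast is the point.

// Hypothetical business logic shared by both handlers.
function example_do_reverse_transfer( $transfer_id ) {
    do_action( 'example_transfer_reversed', $transfer_id ); // stands in for a gateway call
}

// Vulnerable pattern: admin_post_{action} runs for any logged-in user, so with no
// capability check a subscriber can trigger it (Missing Authorization), and with no
// nonce check a forged request in an admin's browser session is accepted (CSRF).
add_action( 'admin_post_example_reverse_transfer', 'example_reverse_transfer_unsafe' );
function example_reverse_transfer_unsafe() {
    $transfer_id = isset( $_POST['transfer_id'] ) ? sanitize_text_field( wp_unslash( $_POST['transfer_id'] ) ) : '';
    example_do_reverse_transfer( $transfer_id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-transfers' ) );
    exit;
}

// Hardened pattern: capability check first (closes the authorization gap), then
// check_admin_referer(), which dies with HTTP 403 if the nonce is absent or stale.
add_action( 'admin_post_example_reverse_transfer_safe', 'example_reverse_transfer_safe' );
function example_reverse_transfer_safe() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_reverse_transfer', '_example_nonce' );

    $transfer_id = isset( $_POST['transfer_id'] ) ? sanitize_text_field( wp_unslash( $_POST['transfer_id'] ) ) : '';
    if ( '' === $transfer_id ) {
        wp_die( esc_html__( 'Missing transfer id.', 'example' ), '', array( 'response' => 400 ) );
    }
    example_do_reverse_transfer( $transfer_id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-transfers&reversed=1' ) );
    exit;
}

// Form side: emit the nonce the hardened handler verifies, bound to the same action.
function example_render_reverse_form( $transfer_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_reverse_transfer_safe">
        <input type="hidden" name="transfer_id" value="<?php echo esc_attr( $transfer_id ); ?>">
        <?php wp_nonce_field( 'example_reverse_transfer', '_example_nonce' ); ?>
        <button type="submit">Reverse transfer</button>
    </form>
    <?php
}
```

A link an attacker sends cannot carry a valid `_example_nonce` for the victim's session, so the hardened handler rejects the forged request even when the administrator clicks it.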

To remediate this issue, Razorpay for WooCommerce users should update to version 4.5.7 or higher, which contains fixes for the vulnerabilities. Checking site logs from the vulnerable period for unauthorized actions is also advised. And using an alternate payment gateway, at least temporarily, is worth considering even once updated.

This is not the first vulnerability found in Razorpay integrations, with previous CSRF and data exposure flaws uncovered. And unfortunately, new vulnerabilities in WordPress plugins and themes are disclosed almost daily. This demonstrates precisely why keeping your site and all plugins/themes updated is so critical.

Every outdated plugin or theme can potentially open up security holes allowing threats from data compromise to outright site takeover. If you can’t stay on top of updates yourself, using a managed WordPress host that handles updates automatically is strongly advised. We also offer managed WordPress hosting with auto-updates, ongoing security hardening, and site monitoring - essential for small business owners without ample time for the daily admin work of running a secure site.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
