Vulnerability Details: Order Duplication Vulnerability in WC Duplicate Order
This post provides the details of a vulnerability in the WordPress plugin WC Duplicate Order not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.
If you were using our service, you would have already been warned about this vulnerability if your website is vulnerable due to it. You can try out our service for free and then see the details of the vulnerability.
For existing customers, please log in to your account to view the contents of the post.
Can you confirm if that affects v1.2? This is the last one working with WooCommerce v2.x.
I’ve been unable to reproduce your proof of concept but i might be missing something here.
I visited /wp-admin/edit.php?post_type=shop_order&order_id=XXXXX&duplicate=init (so no _wpnonce on the URL) and was redirected to the admin login page.
To be viewing the proof of concept you would need to be a customer of the service, so you can see all the impacted versions on the page for the service in WordPress.
The reason the what you did didn’t work is that you are taking a step not in the proof of concept, which is causing it to not work. Since you are a customer the best thing would be to contact us, we can explain the issue with what you are doing in trying to test this and also discuss with you what the options are to deal with the vulnerability in the situation you are in.
This has now been patched and confirmed by PV.