Multiple vulnerabilities in TheCartPress WordPress plugin

Multiple vulnerabilities have been discovered in the TheCartPress WordPress plugin by the High-Tech Bridge Security Research Lab.

The vulnerabilities can be exploited to execute arbitrary PHP code, disclose sensitive data, bypass access controls, and perform Cross-Site Scripting attacks against users.

To exploit the local PHP File Inclusion vulnerability, an attacker needs to have administrator privileges on the WordPress installation. The plugin does not properly verify the URL before passing it to the `include()` function, so the vulnerability can be abused to include arbitrary local files via directory traversal sequences.

Many HTTP POST parameters are supplied by users during the checkout process, and these parameters are not sanitized before being stored in the local database. This can be easily exploited by a non-authenticated attacker: malicious HTML and JavaScript code injected into these parameters is stored in the application database and made available to any non-authenticated user on the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

Due to a broken authentication mechanism, any non-authenticated user may browse the orders of other users. Because order IDs are easily predicted, an attacker is able to retrieve all currently existing orders.

The vulnerability can be reproduced by opening the following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

Full details of the orders can be viewed by opening the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

Input can be passed via the "search_by", "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email", "post_id", "rel_type" and "post_type" GET parameters. These values are not properly verified before being returned to the user. An attacker can trick a logged-in administrator into opening a link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
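As an added illustration from the defender's side (this is not code from the advisory, from High-Tech Bridge, or from the plugin), the following Python script scans web-server access log lines for the three request patterns described above: order enumeration through predictable order_id values against the checkout and tcp_print_order endpoints, directory traversal sequences in query parameters, and HTML markers in the GET parameters listed for the reflected Cross-Site Scripting issue. The endpoint paths, the action name and the parameter names are taken from the advisory; the Combined Log Format, the sample log lines, IP addresses, order IDs, file names and the enumeration threshold are constructed assumptions.

```python
"""Access-log scan for the TheCartPress issue classes (constructed example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints, action and parameter names come from the advisory.
ORDER_ENDPOINTS = {"/wp-admin/admin-ajax.php", "/shopping-cart/checkout/"}
ORDER_ACTION = "tcp_print_order"
XSS_PARAMS = {"search_by", "address_id", "address_name", "firstname", "lastname",
              "street", "city", "postcode", "email", "post_id", "rel_type", "post_type"}
# Assumption: this many distinct order_ids from one client counts as enumeration.
ENUM_THRESHOLD = 5

# Combined Log Format (assumed log shape): ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" \d+ \d+')
# Raw and percent-encoded forms of "../" and "..\"
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)
# Opening/closing HTML tags or a javascript: URL inside a decoded parameter value
HTML_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.IGNORECASE)

# Constructed sample log: one client walks order IDs 1001..1005, one sends a
# traversal sequence, one sends an HTML tag in a reflected parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?order_id=1001&action=tcp_print_order HTTP/1.1" 200 2311
203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?order_id=1002&action=tcp_print_order HTTP/1.1" 200 2290
203.0.113.7 - - [10/Jan/2015:10:00:03 +0000] "GET /shopping-cart/checkout/?tcp_checkout=ok&order_id=1003 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2015:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?order_id=1004&action=tcp_print_order HTTP/1.1" 200 2301
203.0.113.7 - - [10/Jan/2015:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?order_id=1005&action=tcp_print_order HTTP/1.1" 200 2305
198.51.100.2 - - [10/Jan/2015:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?order_id=1001&action=tcp_print_order HTTP/1.1" 200 2311
198.51.100.9 - - [10/Jan/2015:10:02:00 +0000] "GET /wp-admin/admin.php?page=example-page&file=..%2F..%2Fnotes.txt HTTP/1.1" 200 100
192.0.2.33 - - [10/Jan/2015:10:03:00 +0000] "GET /wp-admin/admin.php?page=example-page&firstname=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 900
192.0.2.33 - - [10/Jan/2015:10:03:10 +0000] "GET /wp-admin/admin.php?page=example-page&firstname=Alice HTTP/1.1" 200 900
"""


def parse_line(line):
    """Split one access-log line into client IP, path, raw query and decoded parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "path": parts.path, "raw_query": parts.query,
            "params": parse_qs(parts.query, keep_blank_values=True)}


def analyze(lines):
    """Return {'traversal': [...], 'reflected_xss': [...], 'order_enum': [...]}."""
    findings = {"traversal": [], "reflected_xss": [], "order_enum": []}
    orders_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, params, raw = rec["ip"], rec["path"], rec["params"], rec["raw_query"]
        # 1. Directory traversal sequences, checked raw and after percent-decoding.
        if TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(unquote(raw)):
            findings["traversal"].append((ip, raw))
        # 2. HTML markers in the parameters the advisory lists as reflected.
        for name in sorted(XSS_PARAMS.intersection(params)):
            for value in params[name]:
                if HTML_RE.search(value):
                    findings["reflected_xss"].append((ip, name, value))
        # 3. Distinct order_ids requested per client on the order endpoints.
        if path in ORDER_ENDPOINTS and "order_id" in params:
            action = params.get("action", [""])[0]
            checkout = params.get("tcp_checkout", [""])[0]
            if action == ORDER_ACTION or checkout == "ok":
                orders_by_ip[ip].update(params["order_id"])
    for ip, ids in orders_by_ip.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings["order_enum"].append((ip, sorted(ids)))
    return findings


def run_sample():
    """Analyze the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        for hit in hits:
            print(kind, hit)
```

The order-enumeration count is keyed on the client address only, which is deliberately simple; in production logs the same logic is usually bucketed by a time window as well, and the threshold is tuned against how many orders a legitimate customer views during checkout.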

Labels: Vulnerability, Wordpress Security