Discovered by Jack Misiura on behalf of The Missing Link Security
The plugin did not validate that payment-processing responses actually came from NAB, so an attacker could mark orders as fully paid and write arbitrary transaction numbers into the payment records simply by issuing a GET request to the affected endpoint, such as:
https://example-site.com/?wc-api=WC_Gateway_Nab_Direct_Post&order=XXXX&key=wc_order_YYYY&is_crn=0&txnid=ZZZZ&refid=WooCommerceXXXX&rescode=00&restext=Approved
Here XXXX is the order number and YYYY is the order code (the key parameter), both of which are presented to the end user during the order workflow; ZZZZ is an arbitrary transaction number.
Successful exploitation of this issue may allow an attacker to mark any orders as fully paid and submit arbitrary transaction numbers.
Discovered in: 2.1.0
Fixed in: 2.1.2
The Missing Link recommends an immediate update to the latest version of the plugin.
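A hardened handler for the wc-api endpoint described above, as an added example that is neither the plugin's own code nor its actual fix: it binds the request to the order key and authenticates the gateway response before anything is marked paid, which is the check missing in 2.1.0. Assumptions: a shared secret stored in the plugin settings under the hypothetical key callback_secret, a hypothetical sig parameter carrying an HMAC over the result fields, and the helper name example_nab_shared_secret; the advisory does not describe NAB's real response-authentication mechanism, so the HMAC stands in for whatever check the gateway actually provides.

```php
<?php
// Illustrative hardened callback for the WooCommerce wc-api hook; not the plugin's code.
// The vulnerable handler read order/txnid/rescode from the query string and called
// payment_complete() without proving the request came from the gateway.
add_action( 'woocommerce_api_wc_gateway_nab_direct_post', 'example_nab_direct_post_callback' );

function example_nab_shared_secret() {
    // Assumption: settings key and option name are hypothetical placeholders.
    $settings = (array) get_option( 'woocommerce_nab_direct_post_settings', array() );
    return (string) ( $settings['callback_secret'] ?? '' );
}

function example_nab_direct_post_callback() {
    $p = wp_unslash( $_GET );
    // 'sig' is an assumed parameter standing in for the gateway's real authenticator.
    foreach ( array( 'order', 'key', 'txnid', 'rescode', 'sig' ) as $field ) {
        if ( empty( $p[ $field ] ) ) {
            wp_die( 'Missing parameter', 'Payment callback', array( 'response' => 400 ) );
        }
    }

    // Bind the request to the order: the order key is only known to the customer and the store,
    // so a guessed order number alone is not enough to reach the payment logic.
    $order = wc_get_order( absint( $p['order'] ) );
    if ( ! $order || ! hash_equals( $order->get_order_key(), wc_clean( $p['key'] ) ) ) {
        wp_die( 'Invalid order', 'Payment callback', array( 'response' => 403 ) );
    }

    // Authenticate the response itself: recompute the MAC over the result fields with the
    // shared secret and compare in constant time. Without this step the rescode/txnid values
    // are attacker-controlled, which is exactly the 2.1.0 flaw.
    $message  = implode( '|', array( $p['order'], $p['txnid'], $p['rescode'] ) );
    $expected = hash_hmac( 'sha256', $message, example_nab_shared_secret() );
    if ( ! hash_equals( $expected, (string) $p['sig'] ) ) {
        $order->add_order_note( 'Rejected payment callback: response authentication failed.' );
        wp_die( 'Invalid signature', 'Payment callback', array( 'response' => 403 ) );
    }

    // Only now act on the result code, and ignore replays against orders already paid.
    if ( '00' === $p['rescode'] && ! $order->is_paid() ) {
        $order->payment_complete( wc_clean( $p['txnid'] ) );
    } elseif ( '00' !== $p['rescode'] ) {
        $order->update_status( 'failed', 'Gateway result: ' . wc_clean( $p['restext'] ?? '' ) );
    }
    wp_safe_redirect( $order->get_checkout_order_received_url() );
    exit;
}
```

For detection, the rejected-callback order note and the 403 responses give a store owner a log of tampered requests against this endpoint.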