CVE-2020-11497

Payment system bypass in NAB Transact WooCommerce Plugin by Tyson Armstrong | The Missing Link

Discovered by Jack Misiura on behalf of The Missing Link Security

Vulnerability Details

The plugin failed to validate payment process responses as coming from NAB, allowing attackers to mark orders as fully paid and introduce arbitrary transaction numbers into the payment records by issuing a GET request to the affected endpoint, such as:

https://example-site.com/?wc-api=WC_Gateway_Nab_Direct_Post&order=XXXX&key=wc_order_YYYY&is_crn=0&txnid=ZZZZ&refid=WooCommerceXXXX&rescode=00&restext=Approved

Where XXXX is the order number and YYYY is the order key (the wc_order_ value), both of which were presented to the end user during the order workflow. ZZZZ is an arbitrary transaction number chosen by the attacker.
Successful exploitation of this issue may allow an attacker to mark any order as fully paid and record an arbitrary transaction number against it.
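The following is an added illustration, not code from the plugin or from The Missing Link: a callback handler that trusts rescode and txnid from the query string, as the affected version did, beside a hardened handler that checks the order key, verifies the response against a secret shared with the gateway, and checks the amount before marking the order paid. The HMAC-SHA256 signing, the ORDERS store, the amount parameter and the shared secret are assumptions for the example; NAB Transact's real response verification mechanism is not described on this page, and a server-to-server status query to the gateway is an equally valid way to authenticate the result.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed merchant-side order store: order id -> (order key, amount in cents)
ORDERS = {"1001": ("wc_order_abc123", 4999)}
# Assumed: a secret shared out-of-band with the gateway, never sent in the URL
SHARED_SECRET = b"constructed-merchant-secret"


def _params(url):
    """Flatten the callback query string to a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_handle_callback(url):
    """Mirrors the flaw: rescode/txnid are trusted straight from the query string."""
    p = _params(url)
    if p.get("order") in ORDERS and p.get("rescode") == "00":
        return ("paid", p.get("txnid"))
    return ("unpaid", None)


def sign_callback(params):
    """Assumed gateway-side signing: HMAC-SHA256 over sorted name=value pairs (sig excluded)."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(SHARED_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def build_signed_callback(params):
    """Construct a callback URL the way the (assumed) gateway would; used for testing."""
    return "https://example-site.com/?" + urlencode({**params, "sig": sign_callback(params)})


def hardened_handle_callback(url):
    """Accept a payment only if the response is authentic and matches the stored order."""
    p = _params(url)
    order = ORDERS.get(p.get("order", ""))
    if order is None or not hmac.compare_digest(order[0], p.get("key", "")):
        return ("unpaid", None)  # unknown order or wrong order key
    if not hmac.compare_digest(sign_callback(p), p.get("sig", "")):
        return ("unpaid", None)  # forged or tampered response: reject before trusting any field
    if p.get("rescode") != "00" or p.get("amount") != str(order[1]):
        return ("unpaid", None)  # declined, or the amount does not match the order
    return ("paid", p["txnid"])
```

Logging the rejected callbacks (order id, source address, reason) gives the site owner a detection signal for attempts like the one described above.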

Affected Versions

Discovered in: 2.1.0

Fixed Versions

Fixed in: 2.1.2

The Missing Link recommends updating immediately to the latest version of the plugin.
