CVE-2024-1690 in TeraWallet Plugin

Summary

by MITRE • 03/13/2024

The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and including, 1.4.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to export a list of registered users and their emails.


Analysis

by VulDB Data Team • 02/05/2025

The vulnerability identified in CVE-2024-1690 affects the TeraWallet plugin for WordPress, specifically the terawallet_export_user_search() function in versions up to and including 1.4.10. It is a critical security flaw that undermines the principle of least privilege and proper access control. Because the plugin does not perform an adequate capability check, any authenticated user can reach an export path that should be restricted to privileged roles. The flaw is particularly concerning because it lets attackers with minimal privileges obtain sensitive user information, potentially compromising the privacy and security of every registered user of the WordPress installation.

Technically, the vulnerability stems from the absence of authorization validation in the plugin's export functionality. When an authenticated user with subscriber-level privileges invokes terawallet_export_user_search(), the plugin never verifies that the requester holds the permissions needed to access or export user data. This missing capability check is a direct path to privilege escalation and unauthorized data exfiltration. The flaw maps to CWE-284 (Improper Access Control) and is a clear violation of the principle that users should access only the resources for which they have been explicitly authorized; it is classified as an access control flaw leading to information disclosure through an unauthorized export capability.

The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with a comprehensive list of registered users and their associated email addresses. This information can be leveraged for various malicious activities including social engineering attacks, targeted phishing campaigns, and credential stuffing attempts across other platforms where users may have reused credentials. The exposure of user email addresses creates a significant risk for account compromise and privacy violations, particularly in environments where users may be unaware of the extent of data accessible through the plugin's functionality. Attackers can systematically harvest user information to build databases for further exploitation, making this vulnerability particularly dangerous in large-scale WordPress installations with numerous registered users.

Mitigation of CVE-2024-1690 should start with immediate patching of the affected plugin to version 1.4.11 or later, which adds the necessary capability checks. System administrators should additionally monitor export functions and user access patterns to detect exploitation attempts. The vulnerability shows the importance of comprehensive access control and of regular security audits of WordPress plugins to identify and remediate similar issues. Organizations should also consider network-level controls and logging to track user activity involving data export functions. The case underscores the need to follow security best practices such as the principle of least privilege and proper input validation, as outlined in the OWASP Top Ten and the MITRE ATT&CK framework, particularly regarding privilege escalation and data exposure techniques.
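To make the defect class concrete, here is an added illustration (not TeraWallet's own code, and not the actual patch): a hypothetical WordPress AJAX user-search export handler that reaches the user table without a capability check, beside a hardened form that adds a nonce check, a `list_users` capability check, and a log line for denied attempts as the monitoring advice above suggests. The function and action names are assumptions for the example.

```php
<?php
// Added illustration of the CVE-2024-1690 defect class (missing capability
// check on an export function). Hypothetical names; not the plugin's code.

// --- Vulnerable pattern: authentication only, no authorization ---
// A wp_ajax_* hook only requires a logged-in caller, so any role, including
// Subscriber, reaches the callback. Shown for contrast and NOT hooked below.
function example_export_user_search_vulnerable() {
    $term  = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $users = get_users( array(
        'search' => '*' . $term . '*',
        'fields' => array( 'ID', 'user_email' ),
    ) );
    wp_send_json( $users ); // returns every matching user's email to any logged-in caller
}

// --- Hardened pattern: verify intent and authorization before touching data ---
function example_export_user_search_fixed() {
    // Reject forged requests; the nonce is created with
    // wp_create_nonce( 'example_export_user_search' ) on the admin page.
    check_ajax_referer( 'example_export_user_search', 'nonce' );

    // Authorization: only roles that may enumerate users (Administrator carries
    // 'list_users' by default) may run the export.
    if ( ! current_user_can( 'list_users' ) ) {
        // Record the denied attempt so unexpected callers show up in logs.
        error_log( sprintf( 'Denied user export: user ID %d lacks list_users', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $term  = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $users = get_users( array(
        'search' => '*' . $term . '*',
        'fields' => array( 'ID', 'user_email' ),
    ) );
    wp_send_json_success( $users );
}
add_action( 'wp_ajax_example_export_user_search', 'example_export_user_search_fixed' );
```

The fix is the guard that runs before any query: `current_user_can()` decides whether the caller may see the data, while `check_ajax_referer()` only proves the request came from a page the caller loaded.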

Responsible: Wordfence

Reservation: 02/20/2024

Disclosure: 03/13/2024

Moderation: accepted

CPE: ready

EPSS: 0.00441

KEV: no

Activities: very low
