# Exploit Title: card/pay/…/amount in the WooCommerce Instamojo Payment Gateway plugin 1.0.7 for WordPress allows Parameter Tampering in the sign parameter, as demonstrated by purchasing an item for lower than the intended price.
# Date: 09.08.2019
# Product Title: WooCommerce Instamojo Payment Gateway Plugin
# Vendor Homepage:
# Software Link:
# Category: Web Applications Plugin (WordPress)
# Version: 1.0.7
# Active installations: 10,000+
# Exploit Author: Vikas Chaudhary
# Contact:
# Web:
# Tested on: Windows 10 - Firefox
# CVE: CVE-2019-14977

*****************************************************

## VENDOR SUMMARY :-

This is an Instamojo Payment Gateway plugin for WooCommerce. Instamojo allows you to securely sell your products and subscriptions online using In-Context Checkout, which helps you meet security requirements without causing your theme to suffer. In-Context Checkout uses a modal window, hosted on Instamojo servers, that overlays the checkout form and provides a secure means for your customers to enter their account information.

## Vulnerability Description =>

The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products. Usually this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or by an attacker who wishes to attack a third person using a man-in-the-middle attack. In both cases, tools like WebScarab and Paros Proxy are commonly used.

*****************************************************

Proof Of Concept:-

PoC

1- Install the WooCommerce Instamojo Payment Gateway plugin (1.0.7) on your remote site.
2- Now set the price of some products and configure them with this plugin.
3- Check out the high-cost product through Instamojo and capture the data in Burp.
4- Here you will find a POST-based request with a sign= parameter.
5- Copy the sign value.
6- Now check out any low-price product through Instamojo and capture the data again.
7- Again copy the value of the sign= parameter for the low-cost product.
8- Now replace the high-cost product's sign value with the low-cost product's sign value.
9- Here you will see that your high-cost product's value is changed entirely to the low-cost one.
10- Now you can purchase that product at the other, low-cost product's price.

**********************************************************

————- Post REQUEST of Amount-221:- ———–

———- Post RESPONSE of Amount-221:- ———-

———- Post REQUEST of Amount-49 :- ———-

***************************************************************************************

Sign value of Amount-221 => sign=bd2409adba0b1d2255f164f91ea5acf297aabdc9
Sign value of Amount-49 => sign=17598539ced102e302acad7f85438ff408e4e6fb

***************************************************************************************

# Now swap them in the POST request; your amount will be manipulated.
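As an added defensive illustration (not the plugin's or Instamojo's code; the salt, the order table and the signing scheme are constructed for this demo), the check below binds the signature to the server-side order amount, so a sign copied from a cheaper checkout, or a client-supplied amount that disagrees with the stored one, is rejected before the order is marked paid:

```python
import hashlib
import hmac

# Constructed secret for the demo; a real merchant salt is never sent to the client.
MERCHANT_SALT = b"demo-salt-not-a-real-secret"

# Constructed server-side order records: the trusted source of each order's amount.
ORDERS = {
    "order-221": {"amount": "221.00"},
    "order-49": {"amount": "49.00"},
}


def sign_params(order_id, amount, salt=MERCHANT_SALT):
    """HMAC over the fields that must stay bound together (constructed scheme,
    not Instamojo's actual algorithm). Swapping the sign from another order
    cannot produce a valid MAC for a different (order_id, amount) pair."""
    msg = "|".join([order_id, amount]).encode()
    return hmac.new(salt, msg, hashlib.sha1).hexdigest()


def verify_callback(params, salt=MERCHANT_SALT):
    """Accept a payment callback only if the sign matches the amount the
    server recorded for the order and the client-sent amount agrees with it."""
    order = ORDERS.get(params.get("order_id"))
    if order is None:
        return False, "unknown order"
    # Recompute from the stored amount, never from the client-supplied one.
    expected = sign_params(params["order_id"], order["amount"], salt)
    if not hmac.compare_digest(expected, params.get("sign", "")):
        return False, "sign does not match server-side amount"
    if params.get("amount") != order["amount"]:
        return False, "client amount differs from server-side amount"
    return True, "ok"
```

A callback for order-221 carrying the sign captured from the 49-rupee checkout fails the first check; one carrying the genuine order-221 sign but a tampered amount field fails the second.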

2 thoughts on “WooCommerce Instamojo Payment Gateway plugin 1.0.7 for WordPress allows Parameter Tampering in an amount parameter-CVE-2019-14977”

  1. Sai Prasad says:

    Hi Vikas,

    We at Instamojo take security seriously. We did an analysis of the reported issue & were not able to reproduce it. We’re considering this a false-positive report, most probably because of an oversight on your end.

    We’ve posted detailed notes on what all we tried at in case you want to take a look.

    We have an active bug bounty program as well, so we’d greatly appreciate it if you could loop us in to confirm the issue before posting it in the public domain. This would help us fix things as fast as possible for our users as well.

    You can reach back to us at regarding this issue as well as any future issues you want to bring to our attention.
