Vulnerability reported by Patchstack #466

@anjtha-21

Description

Prerequisites

  • I have carried out troubleshooting steps and I believe I have found a bug.
  • I have searched for similar bugs in both open and closed issues and cannot find a duplicate.

Describe the bug

Patchstack has reported potential security vulnerabilities in the Print Invoice & Delivery Notes plugin.

https://vdp.patchstack.com/database/report-preview/dc97acb6-eb17-468f-93b6-da7809d96dab/preview

An unauthenticated attacker can modify several option values via the "admin_init" hook due to a missing authorization and nonce check in its callback function "update".

Steps to reproduce

  1. Install and activate the current plugin and its prerequisite, WooCommerce.
  2. Run the Python PoC script attached below as a TXT file, without any authentication.
  3. Verify manually in the backend that it worked, using the SQL query:
SELECT * FROM wp_options WHERE option_name LIKE '%wcdn_%';

Note: the server response and status code do not matter; the result needs to be verified manually.

Expected behavior

We need to review this vulnerability and apply the necessary patch to secure the plugin.

WordPress Environment

Isolating the problem

  • I have deactivated other plugins and confirmed this bug occurs when only our plugin is active.
  • This bug happens with a default WordPress theme active, or Storefront.
  • I can reproduce this bug consistently using the steps above.

Additional field

https://support.tychesoftwares.com/conversation/13766?folder_id=63
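The root cause named in the report is an "admin_init" callback that writes options without checking who is asking or whether the request was intentional. The following is an added example, not the plugin's own code: it shows that vulnerable pattern beside a hardened version using WordPress's standard capability and nonce checks. Function names, the option name "wcdn_example_option", the nonce action and the text domain are all hypothetical.

```php
<?php
// Added example (not the plugin's code). Names are hypothetical.

// Vulnerable pattern: an admin_init callback that saves an option straight from the request.
// admin_init fires on every request that loads the admin bootstrap, including admin-ajax.php,
// which is served to visitors who are not logged in, so nothing here stops an anonymous request.
function wcdn_example_update_vulnerable() {
    if ( isset( $_POST['wcdn_example_option'] ) ) {
        update_option(
            'wcdn_example_option',
            sanitize_text_field( wp_unslash( $_POST['wcdn_example_option'] ) )
        );
    }
}
// Shown for contrast only; a real plugin should never register this callback.

// Hardened pattern: authorization check, then CSRF (nonce) check, then a sanitized write.
function wcdn_example_update_hardened() {
    if ( ! isset( $_POST['wcdn_example_option'] ) ) {
        return;
    }

    // Authorization: only users allowed to manage options may change them.
    // A nonce alone is not authorization; an anonymous visitor could still obtain one
    // from a public page if the plugin ever printed it there.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do this.', 'wcdn-example' ), 403 );
    }

    // CSRF protection: the settings form must emit the matching field with
    // wp_nonce_field( 'wcdn_example_save', 'wcdn_example_nonce' ).
    // check_admin_referer() stops execution if the nonce is missing or invalid.
    check_admin_referer( 'wcdn_example_save', 'wcdn_example_nonce' );

    update_option(
        'wcdn_example_option',
        sanitize_text_field( wp_unslash( $_POST['wcdn_example_option'] ) )
    );
}
add_action( 'admin_init', 'wcdn_example_update_hardened' );
```

The order matters: the capability check runs first so that an unauthenticated request is rejected before any nonce logic, and the sanitization is kept so the stored value is still constrained once a legitimate administrator saves it. After patching, the same SQL query from the reproduction steps can be used to confirm that an anonymous request no longer changes any wcdn_ options.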
