So, reading that article, an unpatched, outdated version of WooCommerce with an already compromised Shop Manager user login, combined with the new recovery feature, then allows another user to have their privileges escalated to admin? It really does seem a bit of a rare stretch, and I don't see how it is a PoC of anything.
I mean, I haven't had the chance to delve into the actual recovery code, but from a casual read of what it does, doesn't it send an email to an admin, which then only disables a plugin for that admin user when logged in with recovery mode on? How would that allow another user to escalate anything by triggering a fatal error? They still wouldn't have admin access, thus no recovery mode access, thus no plugin would be disabled for them to get around meta cap filters. Am I missing something here?
Anyhow, I feel this is going a bit off topic. I guess it's fine if it points to an improvement in the current recovery process - i.e. how could it be done better in ClassicPress? As I said, I have been working on my own conflict / error recovery plugin, so I'm actually a bit more interested in that question than in the current WP implementation, but there is certainly some overlap. Thoughts?